
CISA Exam Syllabus: The 5 Domains

The first thing you need to know about the CISA exam is the five domains. This refers to
the way the exam content has been organized, or split, into five different sections. The
percentage of exam material covered by each section has recently changed with the
2019 updates. I will describe those changes in more detail below, but for now, here are the
five domains.

1. Information System Auditing Process (21 percent)

2. Governance and Management of IT (17 percent)

3. Information Systems, Acquisition, Development and Implementation (12 percent)

4. Information Systems Operations and Business Resilience (23 percent)

5. Protection of Information Assets (27 percent)

There used to be six domains, but this was changed in an update back in 2011, and the
material that was in that sixth domain was moved into the other domains (mainly 4 and 5).
Each domain is jam-packed with information (especially the last two). Therefore, it’s
important to break them down even further to better understand what’s inside.

Most study guides and materials will take you in depth into the subdomains, or
categories, of each domain. Next, let’s take a deeper look at what each of these
categories means so that you get a better understanding of what will be covered
by the exam.

1. The Process of Auditing Information Systems
In this section, I’m going to help you understand all that is in Domain 1. The first domain
covers how IT auditors provide services in accordance with IT audit standards, in order
to assist the organization in protecting and controlling information systems. This section
talks about the audit charter and what it contains, and steps for audit planning.

After that, the tasks include developing and implementing a risk-based IT audit strategy,
planning and conducting the audit, and reporting findings. You will need to know more
than just how to answer basic questions: you will also need to show that you know
how to apply these regulations and standards in an actual work setting.

In addition, candidates are expected to know the ISACA IT Audit and Assurance
Standards, Guidelines and Tools and Techniques, the Code of Professional Ethics and
other applicable standards. You should memorize S1, S2, S4, S9, and S10. Standards
S12 through S16 were added to CISA back in 2011, and you should know S12, S13 and S14.

There are seven areas that you need to understand about Domain 1:

1. Management of the IS Audit Function

2. ISACA IT Audit and Assurance Standards and Guidelines

3. Risk Analysis

4. Internal Controls

5. Performing an IS Audit

6. Control Self-Assessment

7. The Evolving IS Audit Process

2. Governance and Management of IT
In this section, I’m going to tell you all about Domain 2. The second domain covers how
IT auditors provide assurance that the necessary organizational structure and processes
are in place. It also contains parts of the Business Continuity material that used to
be in the old Domain 6 before that domain was eliminated.

For example, auditors need to evaluate the effectiveness of the IT governance structure,
organizational structure, HR management, and policies and standards, in order to
determine whether they support the organization’s strategies and objectives.

You’re going to need to know the definition of corporate governance, what ISO 26000
is, what the OECD Principles of Corporate Governance are, and what IT Governance is
about. In short, you need to know the two issues ITG is concerned with: what they are and what drives them.
In addition, you will need to know the five focus areas for ITG, be familiar with the
different frameworks, and know audit’s role in ITG, to name a few things. If this
sounds like a lot, that’s because it is. We highly recommend breaking it down by domain
and domain subsection when you study. Only once you are confident you know one
domain completely should you move on to the next.

There are 13 areas, or subdomains, under Domain 2 that you should know:

1. Corporate Governance

2. IT Governance (ITG)

3. Information Technology Monitoring and Assurance Practices for Board and Senior
Management

4. Information Systems Strategy

5. Maturity and Process Improvement Models

6. IT Investment and Allocation Practices

7. Policies and Procedures

8. Risk Management

9. IS Management Practices (and 5 sub-areas under this as well)

10. IS Organizational Structure and Responsibilities

11. Auditing IT Governance Structure and Implementation

12. Business Continuity Planning

13. Auditing Business Continuity

Next, let’s take a look at what is covered in the 3rd domain.

3. IS Acquisition, Development, and Implementation
The third domain covers how IT auditors provide assurance that the practices for the
acquisition, development, testing, and implementation of IS meet the organization’s
strategies and objectives. There are going to be a lot of topics surrounding project
management and business management/realization in this section.

For example, you’ll need to know the difference between portfolio management and
program management. You’ll need to know the three major forms of organizational
alignment, and you will want to know the roles and responsibilities for project steering,
among other things. There is also an entire section on business application
development, as listed below, and you need to know, for example, what the major risks of any
software development project are and at which phase testing begins.

Tasks include evaluating proposed investments in IS acquisition, development,
maintenance, and subsequent retirement; evaluating project management practices and
controls; and conducting reviews. Above all, you want to study the areas listed below
until you feel confident in your ability to answer practical questions regarding these
topics in a potential work setting.

There are 14 subdomain areas of Domain 3 that you need to study:

1. Business Realization

2. Project Management Structure

3. Project Management Practices

4. Business Application Development

5. Business Application Systems

6. Alternative Forms of Software Project Organization

7. Alternative Development Methods

8. Infrastructure Development/Acquisition Practices

9. Information Systems Maintenance Practices

10. System Development Tools and Productivity Aids

11. Process Improvement Practices

12. Application Controls

13. Auditing Application Controls

14. Auditing Systems Development, Acquisition and Maintenance

Now let’s move on to Domain 4, which covers even more important material about
operations, maintenance, and support.

4. IS Operations, Maintenance, and Support
What is Domain 4 all about? You need to provide assurance that the processes for
information systems operations, maintenance, and support meet the organization’s
strategies and objectives. There are sections on disaster recovery, and it’s important to
know what to do in the event of data loss, what level of data loss is acceptable, and how to
manage these issues, among other things.

Specifically, it includes conducting periodic reviews of IS and evaluating
service level management practices, operations, end-user procedures, and the process
of information systems maintenance. Many will agree that Domain 4 (along
with Domain 5) is the most important in the whole CISA syllabus.

Back in 2011, ISACA reduced the domains from 6 to 5, so part of the material in the
old Domain 6 is now in Domain 4. This is the disaster recovery material.

There are 6 areas or subdomains of Domain 4 that you need to study:

1. Information Systems Operations

2. Information Systems Hardware

3. IS Architecture and Software

4. IS Network Infrastructure

5. Auditing Infrastructure and Operations

6. Disaster Recovery Planning

5. Protection of Information Assets

In this section, I’m going to tell you more about the fifth and final domain. The last domain
covers how IT auditors provide assurance that the organization’s security policies,
standards, procedures, and controls ensure the confidentiality, integrity, and availability
of information assets. This is a very important domain in the CISA syllabus.

This includes evaluating the information security policies, standards and
procedures, and the design, implementation, and monitoring of various controls, such as
system and logical security controls, data classification processes, and physical access
and environmental controls.

The 5th Domain is a make-or-break section for you. It is one of the most
important, if not THE most important, sections of the entire CISA exam. If you make sure
you know anything, make sure you know this domain.

Finally, Domain 5 has eight subdomain areas for you to study:

1. Importance of Information Security Management

2. Logical Access

3. Network Infrastructure Security

4. Auditing Information Security Management Framework

5. Auditing Network Infrastructure Security

6. Environmental Exposures and Controls

7. Physical Access Exposures and Controls

8. Mobile Computing

Which Domains Are More Important than the Others?

Now that you know all about these domains and what is covered in them, which ones
are the most important? Domains 4 and 5 represent more than half of the syllabus! It is
important that you know these two areas very well, and at the same time achieve a
decent score in the other domains.

If we talk about difficulty and importance, you must note that ALL sections are
important. Consequently, you should study all the domains accurately and completely.
However, if we have to rank them by importance, we can say that Domains 4 and 5 need
most of your attention.

If you want to understand these domains better, you can get a copy of the CISA Review
Manual and also a copy of the Q&A CD. You can then read through all the questions on
the Q&A CD and make sure you can answer them all correctly. As you go through the
questions, you can reference the Review Manual to find which section covers that question.
This is a great way to begin studying or reviewing, and to evaluate where you are and what
sections you need to study more.

However, for most people, this will not be enough on its own to pass the CISA
exam. I recommend supplemental study aids. More on that later.

CISA Exam Changes

As mentioned above, there have been some CISA syllabus updates this year that will
be reflected on the exam for candidates taking it in June 2019 and beyond. We’re going to
take a quick look at them here, but if you want to know about the changes in more detail, please
see the linked article below that covers them.

The CISA syllabus is changed every few years to reflect the constantly changing
business environment of IT auditors. It last saw updates in 2016. Now, for 2019, we are
seeing more syllabus changes to reflect the latest industry trends impacting the IT audit
profession, and to better reflect current standards in the industry.

Changes to the CISA Domains in 2019

Most of the changes we see with CISA 2019 are to the five domains. The domains
are the focal point of the syllabus (as described above) and the guide to what will be
on the exam, which is designed to help people practice and prepare. The
new CISA syllabus has changes in these domains, as well as in the percentage of
material covered by each domain. See below for a layout of this.

While the five domains that comprise the CISA exam will remain similar in 2019, the
exam weighting will change slightly, including a greater emphasis on the protection of
information assets – a growing industry challenge.

The breakdown of percentages for the five domains will be as follows:

1. Information System Auditing Process (21 percent)

2. Governance and Management of IT (17 percent)

3. Information Systems, Acquisition, Development and Implementation (12 percent)

4. Information Systems Operations and Business Resilience (23 percent)

5. Protection of Information Assets (27 percent)

You can see that these are not really big changes. Despite being subtle, they are still
important enough that you should know them before you take the exam, since they could affect how you
study for the CISA exam. Note that the percentages are changing as well.

Previous Domain Percentages

This is what it looked like before the changes to the new CISA syllabus:

1. The process of auditing information systems (21%)

2. Governance and management of IT (16%)

3. Information systems acquisition, development, and implementation (18%)

4. Information systems operations, maintenance and support (20%)

5. Protection of information assets (25%)

For details on more of the CISA syllabus changes, check out this page. ISACA also
publishes current, updated information regarding the exam on its website if you ever have
questions you cannot find the answers to elsewhere.
