10 tips for CISA exam success [updated 2019]

July 12, 2019 by Claudio Dodt

It is quite hard to think of a company that does not use any sort of information system as a basis for doing business. In fact, the actual standard for most companies is having several information systems that are business-critical and will probably contain confidential data such as financial information, personally identifiable information or even trade secrets.

To keep this sensitive data secure, organizations need professionals specializing in information systems auditing, with the skills to understand aspects such as necessary controls and security features. That is where ISACA’s CISA (Certified Information Systems Auditor) plays a key role, since it has become the preferred IS audit certification program for individuals and organizations around the world.

As with any top ISACA certification, the CISA exam is not an easy task and requires adequate preparation. The exam itself has 150 questions from five domains and must be completed in less than four hours. Candidates are also required to provide proof of at least five years of experience in IS audit, control, assurance or security.

While challenging, you can achieve CISA certification with the right preparation and effort. Here are 10 tips to help you prepare for the CISA exam.

1. Remember: The “IS” in IS auditor stands for Information Systems

It is not unusual for candidates to confuse IS auditor with information security auditor. While information security is the central subject of one of the CISA domains (protection of information assets), it represents only 25% of what is covered on the exam. The other domains are: the process of auditing information systems; governance and management of IT; information systems acquisition, development and implementation; and information systems operations, maintenance and service management. So, if you wish to advance your career as an information security professional, the CISM, another top-level ISACA certification focused on information security management, is probably a better choice.

2. Learn to think like an IS auditor

As stated before, the CISA certification is mainly intended for information systems auditors. Candidates with a long technical background but little audit experience should make a special effort to maintain an auditor’s perspective right from the start. On the other hand, auditors with limited technical knowledge must work on getting a proper understanding of the fundamentals of every technical concept across CISA’s five domains. Also, keep in mind that personal experience may be completely useless: It does not matter whether something is an industry standard or a best practice adopted by your company; if it is not perfectly aligned with ISACA’s way of thinking, it will be of no use during the exam.

3. Read the ISACA exam candidate information guide

Each year, ISACA updates its candidate guide providing lots of useful information for the exam. The guide can be freely downloaded here. No candidate should take the CISA exam without reading this guide. It reviews topics such as the exam registration process, dates and deadlines, and key candidate details for exam-day administration. It even contains valuable information such as the exam domains, the number of exam questions, its length and the languages available.

4. Use ISACA resources

ISACA’s official publications are great exam-prep resources. I recommend reviewing the CISA Review Manual (CRM), a comprehensive guide specifically created to help prepare CISA candidates for the exam. Currently on its 26th Edition, the CRM is academically sound and revised according to the most current CISA job practice, meaning it represents the most recent, complete, peer-reviewed IS audit, assurance, security and control resource available for the exam.

As for practice questions, consider using the CISA Review Questions, Answers & Explanations Manual or the CISA Review Questions, Answers & Explanations Database. Both consist of 1,000 multiple-choice study questions that, while not actual exam items, can help CISA candidates get a better understanding of both the type and structure of what will appear on the actual exam. Both also provide a detailed explanation of the correct answer and of the incorrect options, which is a fantastic way of knowing which topics need further attention.

It is important to know that both the manual and the subscription-based service have the same questions, but the latter has an advantage in terms of usability: Since it is available via the web, CISA candidates can access questions anywhere. It also allows for the creation of custom sample exams, with randomly selected questions from any of the exam domains, thus allowing for concentrated study in particular areas or a generalist approach. It also keeps track of previous scoring history, making it simple to identify strengths and weaknesses by domain or subject, and lets you focus study efforts accordingly.

5. Leverage free exam-prep resources

As stated before, there is no question that ISACA’s official publications are the best resources for preparing for the exam. Aside from its paid manuals and question databases, ISACA also provides lots of free study material. For starters, the CISA Self-Assessment is a 50-question sample exam, covering the appropriate proportion of each subject matter to match the CISA exam blueprint. Another great free resource is ISACA’s Glossary, as it contains complete definitions for each term used in the CISA domains. ISACA’s Knowledge Center also has a vast collection of free materials such as whitepapers (just be sure to keep the focus on exam topics).

6. Create your own custom study plan

The CISA exam will test you on five domains covering a variety of different subject areas. You must make sure you have enough time to review all domains at least once; this includes not only studying, but also completing mock exams, visiting online forums and spending extra time reviewing areas that need improvement.

Without adequate planning, your chance of success will drop. Creating a study plan that fits your personal needs is essential; even a simple to-do list can help a lot. For your custom study plan, you should consider factors such as:

  • How soon do you intend to take the examination? Check the ISACA website to find a time and location that works for you.
  • How much time can you devote to your study efforts? If you are already working, or have other commitments, make sure you can dedicate sufficient time to the basics, such as covering all exam topics, taking practice tests and reviewing exam simulations.
  • How much can you spend on preparation material and training courses? Look for official, certified study materials and training to make sure you have a thorough understanding of each topic covered in the exam. A great option is getting the official candidate guide and reading it early on; this will create a solid basis for further skill development using your choice of training methodology.
  • What training method best suits you? Some people prefer self-learning, while others think there is no substitute for the classroom. Other candidates find online training helps them study on the go, at any time. Use your past learning experiences to pick the method that helps you prepare best.
  • How well acquainted are you already with the exam subjects? Even very experienced professionals, with good knowledge about the certification subjects, can have a hard time during the examination. Your personal experience can save you some studying time, but you should take into consideration factors such as the exam length and question logic. Relying too much on experience alone is a poor strategy that will likely lead to bad results.

7. Get involved in an exam prep course

Deciding to use a self-study-only approach may seem like a bold decision, but it may not be the best strategy. It is important to understand that achieving exam success requires in-depth knowledge of several different subjects, even for entry-level certifications. Even if you have real-world experience, some of it may not apply, since the certification body’s view may be quite different from the tasks you are used to doing in the field.

Going through a certification preparation course lets you spend some time with an experienced instructor, with actual knowledge on how to beat the exam. It is an excellent opportunity to get all your questions answered, share experiences and strategies, and even network if it is in-person training. This results in a greater success rate on any certification exam.

8. Join an online community

A simple Google search can find several CISA forums, wikis and personal websites where both candidates and certified professionals share their certification experiences.

As usual, it is important to verify the credibility of any source you are using. For instance, if you are looking for a formal definition of a concept that is covered in the exam, the best approach is using official material, e.g., books, guidelines and other official publications. But, if you are looking for general advice, posting your question to an online forum such as reddit or TechExams can be quite helpful.

Many candidates visit online forums and search for “CISA success.” This can serve as both preparation and motivation for the upcoming exam. If you are feeling confident, searching “CISA failure” posts may also give you some important advice, as learning from the mistakes of others is way less painful than from your own.

A word of advice: Unless you have time to help others, stay away from toxic people and posts. Many unfortunate exam takers go online to vent their frustration and this can be discouraging.

9. Have an exam-day preparation plan

Finally, the big day is about to happen. Your primary focus should be on not exhausting yourself and being at your best during the exam.

A few things to remember:

  • Is your exam kit ready? Check the candidate guide to make sure you have everything you need for the day of your CISA exam. This may sound silly, but some candidates fail to even attend the test for not fulfilling basic requirements like adequate identification. Call your testing center to verify you understand the requirements.
  • Are you calm and well rested? Many candidates fail because of physical and mental exhaustion. Staying up late doing a final round of study may sound tempting, but last-minute reading is usually not a good thing, and may even leave you anxious. If you think it is important to do a final review, do a selective reading instead. Also, do not focus solely on weaknesses. If you have not mastered a specific topic by now, you may prefer to focus on enhancing the areas where you are already good. A great tool for selective reading is summaries or glossaries, which hold lots of important information, some of which you may have missed during your study sessions. As for the physical side, ingesting alcoholic beverages (even in small amounts) is a really bad idea. If your exam is in the morning, having a balanced breakfast and drinking plenty of water is a very helpful way to make sure you are at your best. If it is in the afternoon, eat a light lunch.
  • Did you make the necessary arrangements to be on time at the test site? Candidates may not be admitted to the site if they are late. If you are using public transportation, double check the best routes; if you are driving to the exam site, make sure you know where to park beforehand.

10. Clear your mind

That’s it, exam day has arrived! Take a deep breath and remember that you put in the time and are prepared to succeed.

Here are some last-minute tips:

  • Be aware of time. During the exam, you may reach a high level of concentration I like to call “the zone.” This means a greater focus, which is good for problem solving, but can cause you to lose track of time. What may seem like seconds can be precious minutes; hours tend to pass at a very fast rate, so make sure you have time to go through every question on the exam.
  • Take your time reading the questions. Even with limited time, it is important not to rush. Take your time, pay attention to each question and answer option and make sure you understand what is being asked. Watch for distractors (options that are obviously false) in multiple-choice questions that can be quickly eliminated. It is also important to pay close attention to terms such as MOST, LEAST, NOT, ALL, NEVER and ALWAYS, since they can entirely change a sentence. Remember, questions that ask you to pick the “best answer” may have more than one correct option. You must be able to understand and select the most suitable answer for the given situation.
  • Try to relax. Remember to stretch and relax your muscles during the exam. A relaxed mind can help you solve difficult questions.
  • Remember, there is no reason to panic. Remaining calm will improve your concentration. If you followed your study plan correctly, your results will likely be great; if not, you will have a lot more experience during the next try!

In the end, the CISA certification is a great option for advancing your career. In practical terms, it may just be the competitive edge you need to land a promotion or even a senior IS auditor position. However, as expected, such benefits come at a cost: Only the most dedicated candidates will succeed. Plan ahead, use the aforementioned tips as a basis for your study strategy, but also consider enrolling in official training. Your efforts are sure to pay off.


Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years’ worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.