An in-depth overview of CISA domains for aspiring auditors

Claudio Dodt
January 17, 2024 by
Claudio Dodt

If you want to be an IT auditor, or are one now and don't have a certification, then why not consider the Certified Information Systems Auditor (CISA) credential? This is among the 7 Top Security Certifications You Should Have in 2023 and is one of the key certifications employers look for when considering candidates for IT auditor and assurance positions worldwide. 

The CISA certification program guides professionals through the knowledge needed to be in the profession and proves the presence of skills specific to the audit IS/IT function. IT audit leaders and professionals are assuming an increasingly integrated role regarding technology initiatives in their organizations, and companies are actively looking for professionals who can prove their expertise to cover these key roles. In this article, we'll provide an in-depth overview of the CISA, exploring the significance of this certification and its role in the cybersecurity industry. 

Understanding CISA certification 

The CISA credential signifies expertise in information systems audit, control, assurance and security. Administered by the global association ISACA since 1978, CISA is world-renowned as a certification for IT and cybersecurity audit professionals. 

To earn CISA certification, candidates must pass a comprehensive exam that covers five domains focused on auditing processes, IT governance, systems acquisition, operations, and information asset protection. By meeting experience and skill requirements backed by a code of ethics, CISAs demonstrate proficiency in assessing vulnerabilities, ensuring compliance, and developing remediation strategies. 

According to ISACA, more than 151,000 professionals have obtained their CISA since 1978, and CISAs are employed worldwide across all industry sectors. This certification reflects their ability to identify and mitigate risks, implement controls, and effectively communicate cybersecurity priorities to a wide variety of stakeholders. As technology and security risks accelerate, CISAs play an increasingly important role in organizations by safeguarding systems and data. 

While other certifications focus on specific topics, or more general entry-level knowledge, CISA covers the essential tasks of auditing IT infrastructures with an eye towards policies, regulations and technological shifts.

Here is how the CISA stacks up to other certifications: 







Target Audience


Security+  Foundational cybersecurity knowledge  IT professionals, entry-level cybersecurity specialists  Entry-level
CISA  Information systems auditing, control, and security IT auditors, security professionals, risk managers  Intermediate
CISM  Information security management  Security managers, IT leaders, risk management professionals  Intermediate
CEH  Ethical hacking Penetration testers, security analysts, ethical hackers  Intermediate
CCSP  Cloud security  Cloud security architects, cloud security engineers, cloud security administrators Intermediate
CISSP  Advanced cybersecurity knowledge  Experienced security professionals, security architects, security managers  Advanced
CASP+  Advanced security practitioner IT security professionals, security architects, security engineers  Advanced


Overview of CISA domains 

The CISA certification exam evaluates candidates' competency across five distinct domains that collectively define the expertise required of information system auditors. These five domains reflect key practice areas measured through questions targeting specialized knowledge, skills, and abilities: 

  • Domain 1: Information system auditing process 

  • Domain 2: Governance and management of IT 

  • Domain 3: Information systems acquisition, development, and implementation 

  • Domain 4: Information systems operations and business resilience 

  • Domain 5: Protection of information assets 

Over the years, the domains of the CISA certification have evolved to keep pace with the changing landscape of information technology and cybersecurity. This evolution reflects the shifting priorities and emerging challenges faced by information system auditors in a rapidly advancing digital world. 

Looking ahead, ISACA has announced a planned update to the CISA domains, which is set to take effect in August 2024. With this update, the domains will remain the same, but their weights will be updated to place greater emphasis on audit methodologies and information asset protection. In the next section, we will look at the makeup of the current domains in depth. 

Detailed exploration of each CISA domain 

Now, let's explore each of these domains in-depth to understand their importance, the key topics you need to know, and the essential skills you need to practice to pass the CISA exam. 

Domain 1: Information system auditing process (21% of the exam) 

This domain covers the core principles and methodologies of conducting effective information system audits. It equips you with the skill set to assess risks, evaluate controls, and identify vulnerabilities within an organization's IT infrastructure. Mastering this domain is crucial for ensuring organizational compliance, data security and overall system reliability. 

Key topics and skills covered: 

  • IS audit standards and frameworks (COBIT, ISACA's Auditing Standards) 

  • Risk assessment methodologies (quantitative, qualitative) 

  • Audit planning, execution, and reporting 

  • Evidence collection, analysis, and communication 

  • Internal controls evaluation and effectiveness testing 

  • IT compliance with relevant regulations (GDPR, CCPA) 

Domain 2: Governance and management of IT (16% of the exam) 

This domain focuses on the strategic aspects of IT governance and its alignment with organizational objectives. You'll gain insights into establishing effective leadership, developing robust policies and procedures and ensuring efficient resource management within the IT department. 

Key topics and skills covered: 

  • IT governance frameworks (COSO, COBIT) 

  • Risk management principles (ERM, BCM) 

  • IT policy and procedure development 

  • IT resource allocation and optimization 

  • Business continuity planning and disaster recovery 

  • Performance measurement and KPIs for IT 

  • IT service management frameworks and best practices 

Domain 3: Information systems acquisition, development, and implementation (18% of the exam) 

This domain equips you with the knowledge and skills to navigate the life cycle of information systems, from selecting vendors and managing projects to implementing and testing new technologies. Mastering this domain ensures secure and efficient systems development that aligns with business needs. 

Key topics and skills covered: 

  • IT procurement strategies and vendor selection 

  • Project management methodologies (Agile, Waterfall) 

  • Secure coding practices and vulnerability management 

  • System development methodologies (SDLC) 

  • IT change management and configuration management 

  • Testing and evaluation of new systems 

Domain 4: Information systems operations and business resilience (20% of the exam) 

This domain focuses on the operational aspects of IT, emphasizing the importance of maintaining service levels, managing incidents, and ensuring business continuity. You'll learn how to implement effective security controls, monitor system performance, and respond to cyber threats efficiently. 

Key topics and skills covered: 

  • IT service management practices (ITIL) 

  • Security operations and incident response 

  • Business continuity planning and disaster recovery 

  • System monitoring and performance analysis 

  • Access control and identity management 

  • Data backup and recovery procedures 

  • Cybersecurity best practices and incident response 

Domain 5: Protection of Information Assets (25% of the exam) 

This domain covers the critical aspects of safeguarding information assets from unauthorized access, use, disclosure, disruption, modification, or destruction. You'll gain expertise in data security, identity management, and encryption technologies to protect sensitive information and comply with relevant regulations. 

Key topics and skills covered: 

  • Data security principles and best practices 

  • Access control mechanisms and identity management 

  • Encryption and data loss prevention technologies 

  • Security incident management and forensics 

  • Privacy and information security laws and regulations 

  • BYOD and cloud security risks and mitigation strategies 

 Comparative analysis of CISA domains 

While certain similarities bind them together, the five CISA domains also offer distinct focuses and depth: 

  • Domain 1 focuses on the procedural aspects of conducting audits, including planning, testing and reporting. 

  • Domain 2 emphasizes the importance of management oversight, risk assessment and compliance with relevant regulations. 

  • Domain 3 covers secure systems development methodologies. 

  • Domain 4 addresses the operational aspects of information system security. 

  • Domain 5 focuses on safeguarding information assets. 

The evolving cyber threat landscape requires constant adaptation, and the CISA domains are no exception. Recent years have seen a greater emphasis on emerging technologies, advanced threats, and data privacy regulations. Cloud security, mobile security, and the Internet of Things (IoT) must now be considered in the CISA domains.

As cyber warfare, ransomware, and data breaches become increasingly sophisticated, the CISA exam will equip auditors with the knowledge to assess and mitigate these complex threats. The growing prominence of data privacy regulations like GDPR and CCPA has also led to a greater focus on data protection and compliance within CISA domains. 

To keep up with the changes in technology and threats, the upcoming August 2024 update to the CISA exam will see some changes in domain weights: 

  • Information System Auditing Process decreases from 21% to 18%. 

  • Governance and Management of IT increases from 17% to 18%. 

  • Information Systems Acquisition, Development, and Implementation stays at 12%. 

  • Information Systems Operations and Business Resilience increases from 23% to 26%. 

  • Protection of Information Assets decreases from 27% to 26%. 

CISA domains and cybersecurity career pathways 

While the CISA certification signals proficiency across information systems audit, control, assurance and security, individual domains correspond with specialized cybersecurity career paths. 

  • Domain 1: Information System Auditing Process prepares you for roles such as IT auditor, security auditor and compliance auditor. 

  • Domain 2: Governance and Management of IT paves the way for careers in IT governance, risk management and compliance (GRC). 

  • Domain 3: Information Systems Acquisition, Development, and Implementation prepares you for roles such as security architect, system security engineer and application security specialist. 

  • Domain 4: Information Systems Operations and Business Resilience prepare you for careers in IT operations security, incident response and business continuity planning. 

  • Domain 5: Protection of Information Assets opens doors to careers in data security, information security analyst and cybersecurity engineering. 

As cyber threats continue to become more complex, the need for skilled professionals with a comprehensive knowledge of information systems security will only grow. The CISA domains provide a foundational understanding of security principles and best practices that can be adapted to new technologies and challenges. This foundation will help as you move into new responsibilities and new roles or pursue advanced cybersecurity certifications like CISSP and CASP+. 

Preparing for the CISA Exam: A focus on domains

Earning the CISA credential requires dedicated preparation, and understanding the five CISA domains is the foundation for your success. Here are some tips to help you navigate each: 

Domain 1: Information system auditing process 

  • Focus on mastering audit methodologies, including COBIT and ISACA's IS Auditing Standards. 

  • Practice conducting mock audits using sample exam questions and scenarios. 

  • Sharpen your analytical skills by analyzing real-world case studies. 

Domain 2: Governance and management of IT 

  • Understand various governance frameworks like COSO and COBIT. 

  • Master risk assessment methodologies, including quantitative and qualitative techniques. 

  • Stay up to date with relevant regulations and compliance requirements. 

Domain 3: Information systems acquisition, development, and implementation 

  • Gain a deep understanding of secure systems development methodologies like SDLC. 

  • Familiarize yourself with secure coding practices and vulnerability management. 

  • Understand the importance of change management and configuration management. 

Domain 4: Information systems operations and business resilience 

Domain 5: Protection of information assets 

As ISACA's #1 partner, Infosec offers a comprehensive suite of resources to support your CISA journey. Our live boot camps, led by industry experts, provide in-depth domain-specific training and practice exams to hone your skills and confidence. They also include a 12-month subscription to the ISACA Official Question, Answer & Explanation (QAE) database, giving you access to valuable practice questions and detailed explanations. 

ISACA's official CISA learning path provides a structured and comprehensive approach to preparing for the exam. This includes access to self-paced study modules, interactive exercises, and practice tests aligned with the latest exam content. 

CISA domain: Takeaways 

The journey through the Certified Information Systems Auditor (CISA) domains encapsulates vital aspects of information systems auditing, from the scrutiny of auditing processes to the protection of information assets. Understanding these domains is not just about passing the exam. It's about gaining deep and actionable insights into the mechanisms that safeguard the digital world. 

With technology continually changing and cybersecurity risks increasing, the role of a CISA-certified professional has never been more important. If you're aspiring to join the ranks of these cybersecurity professionals, the CISA certification shows you are dedicated to the role and have the skills to do the job. Your future in cybersecurity is waiting, and becoming CISA-certified is your key to unlocking it. 

References and further reading 

There are several resources available that can provide comprehensive coverage of these topics to help you gain an in-depth understanding of the CISA domains. Here are some recommended resources: 

  • Official resources: Visit the ISACA resources page to find out more about COBIT, frameworks, standards, models and more. Check out the CISA certification hub for more information on the CISA exam. 

  • Books: Books like the CISA Review Manual, now in its 27th edition, or the CISA Certified Information Systems Auditor Study Guide, will guide you through each of the five CISA domains. 

  • Online courses and bootcamps: If you have worked in IT and are ready to earn your CISA, Infosec's ISACA CISA Training Boot Camp will prepare you to pass the exam with five days of live training. If you prefer to train on-demand without a live instructor, Infosec's ISACA CISA Learning Path will let you take a deep dive into every CISA domain. 

  • Online forums and communities: Joining and contributing to online communities dedicated to CISA certification can help you gain insights and clarify your doubts about the exam. Try ISACA's CISA Exam Prep Forum, Infosec's CISA Certification Preparation Forum and the r/CISA subreddit. 

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.