The five CISA domains at official weight
The ISACA CISA Exam Content Outline, from the job-practice update effective 1 August 2024, sets the official domain weighting below at 18/18/12/26/26. The question column shows roughly how a full 150-item form distributes items when you apply that weighting. The distribution is deliberately lopsided, so your study time should be too.
- Information Systems Auditing Process: 18% (about 27 questions on a 150-item form).
- Governance and Management of IT: 18% (about 27 questions).
- Information Systems Acquisition, Development and Implementation: 12% (about 18 questions).
- Information Systems Operations and Business Resilience: 26% (about 39 questions).
- Protection of Information Assets: 26% (about 39 questions).
Information Systems Auditing Process (18%)
The process backbone of the exam. It covers risk-based audit planning, IS audit standards and guidelines, the audit charter and independence, evidence collection and reliability, sampling, computer-assisted audit techniques and data analytics, and communicating results. This domain defines the discipline the rest of the exam assumes.
At 18% it is a solid slice. Because everything else rests on sound audit process, learn the standards, independence rules, and evidence concepts thoroughly, even though it is not one of the two heaviest domains.
Governance and Management of IT (18%)
The management-side reasoning many candidates underestimate. It covers IT governance frameworks, strategy alignment, policies and standards, enterprise and IT risk management, organizational structure and segregation of duties, performance measurement, and third-party governance.
At 18% it matches the auditing-process domain in weight. Candidates from a technical background often shortchange it, which is a mistake: governance and segregation-of-duties reasoning show up constantly in best-answer questions.
Information Systems Acquisition, Development and Implementation (12%)
The smallest domain by weight. It covers the business case and feasibility, project governance, SDLC and Agile controls, testing strategies, data conversion and migration, go-live readiness, post-implementation review, and change and release management.
At 12% it is the one domain where you can safely spend less time. Learn the controls that apply at each stage of a project and how an auditor evaluates them, and do not over-invest beyond that.
Information Systems Operations and Business Resilience (26%)
One of the two heaviest domains. It covers IT service and operations management, incident and problem management, backup and restoration, business impact analysis, business continuity, and disaster recovery with RTO and RPO. This is where a large share of candidate points are won or lost.
At 26% it is more than a quarter of the exam. Prioritize business continuity and disaster-recovery reasoning, especially the RTO and RPO concepts, and practice ranking operational controls on the axis the question names.
Protection of Information Assets (26%)
The other heaviest domain. It covers information security governance, logical access and identity management, authentication and privileged access, encryption and key management, data classification and privacy, security monitoring, and emerging-tech risk across cloud, AI, and IoT.
At 26% it is the second half of the exam-defining pair. Focus on logical access, privileged access, and monitoring, and always frame the answer from the auditor perspective: the strongest control is usually the one that provides ongoing, accountable assurance.
How the weighting should shape your study plan
Study in weight order and lead with the two 26% domains, Operations and Business Resilience and Protection of Information Assets. Together they are more than half the exam, so they earn the most points per hour. The two 18% domains are the next tier, and Acquisition, Development and Implementation at 12% is where you can spend the least time.
Throughout, answer as an auditor. CISA questions use qualifiers such as BEST, FIRST, and MOST, and they reward the option that provides the most complete, most reliable assurance in context, not the most aggressive technical fix. Never let the auditor be the one who fixes the control.
The fastest way to turn this map into a personal plan is a timed diagnostic that reports your standing per domain against the official weights, so you know which of the heavy domains to attack first.