Advice for Taking the CISA Exam (Updated)

Everything you need to know to pass with flying colors.

As risk3sixty continues to grow, more members of our team will be taking the Certified Information Systems Auditors (CISA) exam to be the best security and compliance craftsmen for our clients.

We have provided advice for taking the CISA exam in a previous blog in 2015. The blog you’re reading now will address the relevant items from that blog and updates from our current experiences on preparing and taking the CISA exam. If you are planning to take the CISA exam or curious about why the CISA is important, this blog is for you!

What is in the CISA Exam?

To pass the CISA exam, you would need a scaled score of 450 or higher for each domain area. This represents the minimum standard of knowledge as established by ISACA’s CISA Certification Working Group. ISACA bases scores on the following CISA domain areas:

The exam includes a fair number of questions on audit processes, such as which kind of control is best in a given situation (detective vs. preventive controls, automated controls, etc.).

In our experience, technical people tend to have knowledge gaps in Domains 1-3, whereas business-minded people tend to have gaps in Domains 4-5. To succeed on the exam, we recommend you have a strategic, high-level understanding of how the functional and technical parts integrate.

Even though this exam is geared toward information systems auditors, taking the CISA exam is a great opportunity for senior management to understand the purpose and background of IT. The common thread we notice in our compliance projects is the set of gaps in Vendor Management, Disaster Recovery, and Monitoring.

With CISA knowledge in your company, compliance and audit efforts will be a smoother experience. Most importantly, your company will have greater confidence that it has strong security controls.

How should I prepare for the CISA Exam?

We recommend studying at least three times a week for at least eight weeks to prepare for this exam. To prepare for the CISA exam in Q4 2019 and Q1 2020, we used the ISACA Questions, Answers & Explanations (QAE) Database and the 27th edition of the ISACA Review Manual as our study material.

If you decide to take at least eight weeks to study, here is our approach:

  1. During the first week of studying, do a self-assessment in the ISACA QAE database to identify knowledge gaps. Lean on your existing business knowledge to confirm what you already know, and treat the gaps as areas to grow!
  2. In the following five weeks, perform Selective Study Sessions in the ISACA QAE database for each domain, and use the review manual to fill any gaps. You should tackle at least one domain per week.

None of the questions in the official ISACA test database will appear verbatim in the CISA exam. Simply running through the test database and memorizing answers will not help you.

It is much more important that you work through the practice questions, read the explanations ISACA provides, and follow up in the review manual for more detail. We recommend taking your time to properly prepare and reflect on each practice question and its meaning.

The ISACA review manual was also helpful as a supporting text for topics we encountered while running through the test database. We strongly suggest you DO NOT read the review manual from front to back as you would a traditional textbook. Skim the book for key concepts and terms.

  3. In the final two weeks, take practice exams of 150 to 1,000 questions covering all five domains to determine whether you are ready for the exam.

From our experience, if you have an MCQ ReadyScore of 80% or more, you are ready to take the CISA exam. If you don’t feel ready, you can change the exam date without a fee as long as you do so 48 hours before the exam date.

What is the CISA Test-Taking Experience Like?

This is based on the experience of Kendall Morris, who took his CISA exam in December 2019 at the testing center in Kennesaw, GA, at the Cobb County International Airport.

It was a small room containing only Kendall, a provided computer with a camera, and one proctor who set up the exam and the camera through which you are monitored remotely.

You will be asked to empty your pockets and put any personal items in a locker before entering. Cell phones are not allowed in the exam space and must be checked at the front desk. Nothing is allowed on the desk except the provided computer.

The CISA exam is now taken on a computer instead of filling in answers on Scantron sheets. The test consists of 200 multiple-choice questions.

Before taking the exam, you will have to follow ISACA's test-taking rules. We were warned repeatedly of the zero-tolerance policy for breaking any of them.

During the exam, only one person was allowed to go to the restroom at a time, and a proctor stood outside the door of the restroom while you went.

Once you finish the exam, the computer will notify you of your result. For more detail on how you did, you will receive an email from ISACA with your score range in each domain area.

Studying for the CISA can be tough, but it’s also a great opportunity to understand the world of information systems auditing. Study hard, and we wish you the best of luck!

If you are a current CISA, please feel free to share any additional tips. Do you have any pressing questions we didn’t address? Share your questions and experiences in the comments.