
CISA Exam Format: 150 Questions, 4 Hours, 5 Domains

The CISA exam has 150 multiple-choice questions, 4 hours, scaled score 450/800, covers 5 domains. Learn format, timing, and tips from a certified auditor.

Most CISA candidates fail not because they don’t know the material, but because they misunderstand the exam’s structure. I’ve seen it happen again and again—candidates who could recite IT governance frameworks perfectly but couldn’t finish the 150 questions in time. As a CISA-certified IS auditor and founder of PaperLabs, I’ve helped hundreds of professionals navigate this test. Let’s fix the structure blind spot first.

The CISA exam is a 4-hour, 150-question multiple-choice test administered by ISACA. You need a scaled score of 450 out of 800 to pass. The exam covers five domains with specific weightings: Information Systems Auditing Process (21%), Governance and Management of IT (16%), Acquisition, Development, and Implementation (18%), Operations and Business Resilience (20%), and Protection of Information Assets (25%).

| Domain                                                                        | Weighting | Key Focus                                                                          |
|-------------------------------------------------------------------------------|-----------|------------------------------------------------------------------------------------|
| Domain 1: Information Systems Auditing Process                                | 21%       | Audit planning, risk assessment, evidence collection, reporting                    |
| Domain 2: Governance and Management of IT                                     | 16%       | IT governance frameworks, policies, strategy alignment, resource management        |
| Domain 3: Information Systems Acquisition, Development, and Implementation    | 18%       | Project management, system development life cycle, testing, post-implementation review |
| Domain 4: Information Systems Operations and Business Resilience              | 20%       | IT operations, incident response, disaster recovery, business continuity           |
| Domain 5: Protection of Information Assets                                    | 25%       | Logical access controls, network security, cryptography, physical security         |

Time management is the hidden sixth domain. With 150 questions in 240 minutes, you have 1.6 minutes per question on average. But 20% of the questions are long, scenario-based items that demand 3-4 minutes of reading and analysis. Many candidates underestimate this and run out of time in the final hour.

If a question takes more than two minutes, flag it and move on. You can return to flagged questions at the end.

Here’s the decision rule that separates passing candidates from those who retake: set a strict 2-minute cap per question. If you’re stuck, mark it and keep moving. You’ll build a buffer for complex scenarios later. The exam software lets you review all flagged questions—use that feature. I’ve seen too many capable auditors get trapped spending 5 minutes on a single question only to guess on the last 20.

In one audit engagement, I was reviewing an organization’s IT operations after a major incident. They had no documented disaster recovery plan, yet their policy manual claimed full COBIT alignment. The CISA exam would ask: which domain is most directly involved? The correct answer is Domain 4: Operations and Business Resilience. But candidates often pick Domain 2: Governance, because they equate policy with governance. The exam tests your ability to apply domain boundaries to real-world situations.

A candidate I mentored kept mixing up these two domains until we built a mental model: Governance sets the rules, Operations keeps the lights on. The exam will give you a scenario where a policy exists but the operational control fails. That’s Operations, not Governance. This mistake cost him weeks of unfocused study. Once he started thinking like an auditor instead of a policy writer, his practice scores climbed.

These tips come from my experience as an auditor and trainer. Understand the IS auditor’s role in each domain. The exam won’t ask you to recite definitions; it will ask what you would do in an auditor’s situation. For Domain 1: Information Systems Auditing Process, know the audit phases—planning, testing, reporting, follow-up. Most questions ask about risk assessment during planning or evidence evaluation. For Domain 5: Protection of Information Assets, logical access controls and encryption are heavily tested. Don’t waste time memorizing every technical detail; master the auditor’s decision points.

Based on candidate feedback and ISACA’s 50-55% pass rate, a focused 3-month plan works best. Month 1: read the official CISA Review Manual and learn domain concepts. Month 2: practice 50-60 questions per domain, reviewing every explanation thoroughly. Month 3: full-length simulations (150 questions timed) twice a week. This builds the mental stamina you’ll need for 4 hours of sustained focus. With over 150,000 certified professionals worldwide, the path is well-trodden—but the exam still demands disciplined preparation.

How many questions are on the CISA exam?

The CISA exam contains 150 multiple-choice questions. These are drawn from a large item pool covering all five domains. 150 questions are scored; a small number of unscored pretest items may be included but are not identified. You must answer all questions within the 4-hour time limit. The exam format ensures broad coverage of the CISA job practice areas, so rely on breadth of understanding over depth in any single topic.

How long is the CISA exam?

The CISA exam lasts exactly 4 hours (240 minutes). No scheduled breaks are included. You can take unscheduled restroom or water breaks, but the clock doesn’t stop. Manage your time accordingly. I recommend taking one short break after question 75 to reset your focus. The 4-hour window might feel tight, but with practiced pacing you’ll finish with time to review flagged items.

What is the passing score for the CISA exam?

A scaled score of 450 out of 800 is required to pass. ISACA uses a common scale for all its certification exams, but the raw number of correct answers needed varies slightly per exam form. Generally, answering about 65% of questions correctly translates to a scaled 450. Focus on consistent domain mastery rather than chasing a specific number.

What are the CISA exam domains and their weightings?

The exam covers five domains: Domain 1: Information Systems Auditing Process (21%), Domain 2: Governance and Management of IT (16%), Domain 3: Information Systems Acquisition, Development, and Implementation (18%), Domain 4: Information Systems Operations and Business Resilience (20%), and Domain 5: Protection of Information Assets (25%). Weightings reflect the relative importance ISACA assigns to each area in current practice. Prepare proportionately—Domain 5 demands the most study time.

How do I retake the CISA exam if I fail?

If you don’t pass, you must wait 90 days before retaking. Re-registration requires full payment of the exam fee. There’s no limit on the number of attempts, but each attempt costs the same. Use the 90-day interval to review your score report, strengthen weak domains with a structured plan, and take multiple full-length practice exams. Rushing back without addressing gaps often leads to repeated failure.

Is the CISA exam difficult?

Yes, it’s challenging. ISACA reports a pass rate of 50-55%, which means nearly half of candidates do not pass on their first attempt. The difficulty comes from the auditor mindset required—not just technical knowledge. You must apply IS audit standards, assess risk, and select the best evidence in complex scenarios. My practical audit experience tells me that candidates who understand the “why” behind each domain outperform those who only memorize.

How can I prepare effectively for the CISA exam?

Combine three elements: the official CISA Review Manual, a quality question bank, and timed practice exams. Study each domain individually, then mix questions across domains to simulate the real exam. A resource many of my mentees find helpful is a structured question set that mirrors the exam’s interface and timer. Practice flagging questions, returning to them, and building endurance. The CISA exam is a marathon; build the muscle.

What is the difference between CISA and other IT certifications?

CISA is specifically an audit certification. While credentials like CISSP focus on security implementation or architecture, CISA validates your ability to evaluate controls, report findings, and advise management. As a Chartered Accountant and SOX auditor, I’ve seen CISA holders bridge the gap between IT and finance. If your career path includes IT governance, risk, or compliance, CISA is the gold standard.

So if you’ve been worried about whether you know enough IT frameworks, shift your focus to understanding the exam’s structure and pacing. The CISA exam is as much a test of time management as of knowledge. You now have the blueprint—150 questions, 4 hours, 5 domains, one chance to prove your auditor mindset.

Ready to test your CISA exam readiness? Try our free CISA practice test. It mirrors the real exam’s timing and question style. For complete preparation with domain-wise study plans, join the full CISA course.

Avinash Bajaj — Founder of PaperLabs (Paper Labs Classroom), CISA certified IS auditor

Chartered Accountant (India) · CISA · SOX Certified · Cyber Security Certified

avinashbajaj145@gmail.com