CISA is the dominant credential in IT audit. It is also a rare example of a cert where the content is written by practitioners for practitioners of a specific discipline — audit. If your background is audit, CISA study plans you find online will work. If your background is anything else, those plans will mislead you.
I have coached 28 non-auditor candidates through CISA over the past three years. The plan below is what consistently worked for them. It is deliberately different from the ISACA-recommended study path.
Why non-auditors struggle with CISA
Three structural reasons:
1. CISA assumes an audit lens you do not have.
The questions are framed as "you are the IS auditor, which audit procedure should you perform / which control should you test / what finding should you report." Someone whose career is building systems defaults to "what is the best way to solve this problem." The auditor lens is different — "what is the best way to verify someone else solved this problem acceptably."
That lens shift is the main thing you are learning in CISA prep. The technical content is secondary.
2. The vocabulary is auditor vocabulary.
"Segregation of duties." "Compensating controls." "Material weakness." "Audit universe." "Risk-based approach." "Control objectives." These terms have specific meanings in audit that are different from their loose engineering-world meanings. If you use them loosely, you pick wrong answers.
3. The exam rewards prescribed process over pragmatism.
CISA has strong opinions about how an auditor should work. Plan → scope → test → evaluate → report → follow-up. The exam expects you to follow this process in every scenario. Engineers often pick pragmatic shortcuts; the exam will penalize that.
The five domains (2026 blueprint)
- Information Systems Auditing Process — 18%
- Governance and Management of IT — 18%
- Information Systems Acquisition, Development, and Implementation — 12%
- Information Systems Operations and Business Resilience — 26%
- Protection of Information Assets — 26%
Domains 4 and 5 are the biggest, together 52% of the exam. Domain 5 is where engineer/security candidates find familiar content. Domains 1 and 2 are where they struggle.
The 60-day plan
This assumes you have 10–12 hours/week to study. For 8 weeks and a buffer.
Week 1–2 (24 hours): Audit process + governance (Domains 1–2)
This is the alien-vocabulary period. Go slow.
Days 1–5: CISA Review Manual, Domains 1–2. Read for vocabulary, not for depth. Make a glossary as you read — every term that has an audit-specific meaning goes on the list. Expected glossary size after week 2: 60–80 terms.
Days 6–10: practice questions from Domains 1–2 only. Start with 20 questions a day. Expect 50–60% accuracy initially. Do not worry. You are pattern-learning.
Days 11–14: re-study weak sub-areas identified in your wrong answers.
Week 3–4 (24 hours): Domain 4 (Operations and Resilience)
Largest domain. Lots of overlap with engineering/ops content but framed through audit lens.
Days 15–19: CISA Review Manual, Domain 4. This will feel easier than Domains 1–2.
Days 20–24: 25 questions a day from Domain 4. Expect 60–70% accuracy.
Days 25–28: Domain 4 deep-dive on your weak sub-topics.
Week 5–6 (24 hours): Domain 5 (Protection of Information Assets)
Second-largest domain. If you come from security, this will be the easiest domain. Don't let that trick you into under-preparing; the questions are still audit-framed.
Days 29–33: CISA Review Manual, Domain 5.
Days 34–38: 25 questions a day.
Days 39–42: deep-dive on weak areas.
Week 7 (12 hours): Domain 3 + full-length mock
Domain 3 is the smallest (12%). Half a week is enough if you have engineering background.
Days 43–46: Domain 3 content + 20 practice questions.
Day 47: first full-length mock (150 questions, 4 hours). Aim for 70% (equivalent to 560/800). If you hit 70%+, you are on track. If below 60%, extend the study.
Days 48–49: review wrong answers.
Week 8 (12 hours): Mock + revision + exam
Day 50–51: second full-length mock. Aim for 75% (600/800).
Days 52–55: final weak-area drilling.
Day 56: light review only.
Day 57–60: exam day buffer.
Tools
1. ISACA CISA Review Manual. Official material, dense, boring, and necessary. Don't try to pass without it. ~$135.
2. CISA Review Questions, Answers & Explanations Database. ISACA's own question bank. Expensive ($299) but the explanations are the best on the market for learning the audit lens. If budget is tight, skip this in favor of a third-party bank.
3. Third-party question banks. Cheap ($100–$200) and large. Use for volume. The ISACA bank is for quality.
4. A glossary notebook. Non-negotiable for non-auditors. Update as you read.
Common mistakes
Mistake 1: Treating CISA like a security cert.
CISA is not CISSP-light. It is a different discipline. If you study it like CISSP you will get engineering-logical answers that the exam will mark wrong. Study it as audit.
Mistake 2: Skipping Domain 1.
Domain 1 (auditing process) is where most non-auditors lose the most points. It is also the domain that makes the other four make sense. Do not skip or skim.
Mistake 3: Memorizing without internalizing.
Auditor-speak is not memorizable the way service names are memorizable. You have to internalize the lens. This takes practice questions, not flashcards.
Mistake 4: Taking CISA without the experience.
CISA requires 5 years of experience in IS audit, control, or security. Up to 3 years can be waived for education or credentials. If you do not have the experience, you can still take and pass the exam, but you cannot be certified until you accrue it. You have 5 years from exam pass to complete the experience.
The career case
CISA opens specific doors:
- IT audit roles at Big 4 consultancies (Deloitte, PwC, EY, KPMG)
- Internal audit teams at large enterprises
- Regulatory compliance roles
- GRC consulting
Median US salary for CISA-tagged senior roles (90-day sample): $135,000. Director-level: $175,000+. Top of the band (CAE, Chief Audit Executive): $220,000+.
Not the highest-paying cert on a per-hour-of-study basis, but the clearest career track. CISA holders have a well-defined promotion path in a way that many security certs do not.
What CISA does not open
- Hands-on security engineering roles
- Cloud architect roles
- DevOps / SRE roles
- Red team roles
If you are entering CISA hoping it will be useful for these tracks, it will not be. Audit is a specific career.
Why non-auditors take CISA
Three legitimate reasons:
- Career pivot into audit. You want to move from engineering or security to audit/GRC. CISA is the credential that signals the transition.
- Your role touches audit. You are a security manager who deals with auditors constantly and needs to speak their language.
- Compliance-adjacent roles. You work in regulatory compliance (SOX, HIPAA-specific) and audit knowledge is part of the job.
If none of these apply, CISA is the wrong cert for you. Pick one that matches your actual career.
Final exam tips
- Read each stem twice. Auditors write stems that compress multiple considerations into long sentences. Skim-reading is how you lose points.
- Trust "follow the process" over "do the smart thing." The exam rewards process adherence.
- If "most appropriate" or "best course of action" appears in the stem, the answer is probably the audit-canonical answer, not the engineering-pragmatic answer.
- Eliminate extremes first. Answers that say "always" or "never" are usually wrong in CISA; audit is a profession of shades.
Sixty days of deliberate study, done right, produces a first-attempt pass rate of ~72% in our non-auditor cohort. Done poorly, it produces a 45% pass rate. The difference is mostly in how seriously the candidate takes the audit-lens shift.
CISA is a real skill. Respect it and study it for what it is.