Can I bring notes to the CISA exam?

No. CISA is a proctored exam. Use this for final revision before exam day only.

CISA Cheat Sheet: Domains, Audit & Control Essentials

A final-revision summary for CISA. Study aid only - no notes are allowed in the proctored exam.

Domain	Official weight
Information Systems Auditing Process	18%
Governance and Management of IT	18%
IS Acquisition, Development and Implementation	12%
IS Operations and Business Resilience	26%
Protection of Information Assets	26%

	CISA	CISM
Seat	Auditor - examines controls from the outside	Manager - runs the security programme from the inside
Verb	Assess, verify, report	Plan, build, operate
If a question tempts you to…	…gather evidence / report a finding	…implement or fix a control

If a CISA option has you fixing or operating a control, it is usually the wrong (CISM-style) answer.

Term	Idea
Independence / objectivity	The auditor must not audit work they performed or own
Sufficient, appropriate evidence	Enough, and relevant + reliable, to support the conclusion
Risk-based auditing	Scope and effort follow where control failure hurts most
Sampling	Statistical vs judgemental selection of items to test
Materiality	Whether a finding is significant enough to matter

Term	Idea
Preventive	Stops an event (e.g., access control)
Detective	Spots an event after it happens (e.g., log review)
Corrective	Fixes or restores after an event
Compensating	Covers a gap when the primary control is impractical

The chain to remember: BIA → RTO/RPO → BCP/DRP - and the auditor checks the plans match the BIA and are actually tested.

Term	Meaning
BIA	Business Impact Analysis
RTO / RPO	Recovery Time / Recovery Point Objective
BCP / DRP	Business Continuity Plan / Disaster Recovery Plan
SoD	Segregation of Duties
Change management	Controlled approval of changes to systems