A realistic 14-week plan at roughly 6 to 8 hours per week. CISA rewards the auditor’s perspective, so for every topic ask how you would assess, verify and report on the control rather than build or operate it. The schedule front-loads the smaller domains and gives the two 26% domains the most time.

| Weeks | Focus | Checkpoint |
|---|---|---|
| 1–2 | Domain 1: Information Systems Auditing Process (18%) | You can scope a risk-based audit and judge whether evidence is sufficient |
| 3–4 | Domain 2: Governance and Management of IT (18%) | You can audit IT strategy and tie it back to business goals |
| 5–6 | Domain 3: IS Acquisition, Development and Implementation (12%) | You can walk the SDLC and name the control at each stage |
| 7–9 | Domain 4: IS Operations and Business Resilience (26%) | You can trace BIA → RTO/RPO → BCP/DRP and say what a tested plan looks like |
| 10–12 | Domain 5: Protection of Information Assets (26%) | You can evaluate access, network and data controls for design and effectiveness |
| 13–14 | Full-length timed reviews + weak-area revision | You consistently choose the auditor’s answer (assess/report, not fix) |

Final-week tips

Build exam stamina with full-length, timed practice at the full 150-question length, and concentrate revision on Domains 4 and 5, which together are over half the exam. For every scenario, justify why the best answer is the one an independent auditor would give. Avoid “real exam questions” sites; they breach ISACA policy and copyright.