CISA is organised into five domains, all viewed from an auditor’s perspective: you assess and report on controls, you do not build or run them. The weightings below are ISACA’s official figures; ISACA’s content outline is authoritative.

| # | Domain | Official weight |
|---|---|---|
| 1 | Information Systems Auditing Process | 18% |
| 2 | Governance and Management of IT | 18% |
| 3 | Information Systems Acquisition, Development and Implementation | 12% |
| 4 | Information Systems Operations and Business Resilience | 26% |
| 5 | Protection of Information Assets | 26% |

## Domain 1 - Information Systems Auditing Process (18%)

The practice of auditing: risk-based planning, executing against ISACA’s audit standards, gathering sufficient and appropriate evidence, sampling, and reporting findings. Independence and objectivity underpin the whole domain.

## Domain 2 - Governance and Management of IT (18%)

Auditing how IT is directed and controlled: governance frameworks, IT strategy and business alignment, policies and structures, roles, and IT-related risk management.

## Domain 3 - Information Systems Acquisition, Development and Implementation (12%)

The smallest domain. Auditing how systems are acquired, built and deployed: business cases, project governance, the SDLC and its controls, testing, migration, and the post-implementation review.

## Domain 4 - Information Systems Operations and Business Resilience (26%)

Joint-largest. Auditing IT operations (change, problem and incident management, scheduling, backups) and resilience: business continuity and disaster recovery, anchored in the BIA and its RTO/RPO targets.

## Domain 5 - Protection of Information Assets (26%)

Joint-largest. Auditing the controls that protect data and systems: logical and physical access, network and endpoint security, encryption and key management, data classification, and incident response.
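As an added illustration of the Domain 4 resilience test (this is example code written for this page, not ISACA material or any CISA exam content), the check below compares the evidence an auditor would gather from backup logs and DR test records against the RTO/RPO targets a hypothetical BIA assigns to each system. All system names, targets and observed values are constructed; the logic is the generic audit test: the interval between backups bounds the worst-case data loss (so it must not exceed the RPO), and the RTO is only evidenced by a documented restore test whose measured duration is within target.

```python
"""Added example (not from ISACA or any CISA material): an auditor-style check
of backup/restore evidence against RTO/RPO targets from a hypothetical BIA."""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BiaTarget:
    """Targets the BIA assigns to a system (all values here are constructed)."""
    system: str
    rto: timedelta  # Recovery Time Objective: maximum tolerable outage
    rpo: timedelta  # Recovery Point Objective: maximum tolerable data loss


@dataclass(frozen=True)
class Evidence:
    """What the auditor observed in backup logs and DR test records."""
    backup_interval: timedelta               # actual time between successful backups
    restore_tested: bool                     # was a restore test performed and documented?
    tested_restore_time: Optional[timedelta]  # measured duration of that test, if any


def _hours(td: timedelta) -> float:
    return round(td.total_seconds() / 3600, 1)


def assess(target: BiaTarget, evidence: Evidence) -> List[str]:
    """Return audit findings; an empty list means the control meets its targets.

    RPO test: worst-case data loss equals the gap between backups, so the
    observed backup interval must not exceed the RPO.
    RTO test: the RTO is evidenced only by a documented restore test whose
    measured duration is within the target; an untested restore is a finding.
    """
    findings: List[str] = []
    if evidence.backup_interval > target.rpo:
        findings.append(
            f"{target.system}: backups every {_hours(evidence.backup_interval)}h "
            f"exceed RPO of {_hours(target.rpo)}h"
        )
    if not evidence.restore_tested or evidence.tested_restore_time is None:
        findings.append(
            f"{target.system}: no documented restore test, RTO of "
            f"{_hours(target.rto)}h cannot be evidenced"
        )
    elif evidence.tested_restore_time > target.rto:
        findings.append(
            f"{target.system}: tested restore took "
            f"{_hours(evidence.tested_restore_time)}h, exceeding RTO of {_hours(target.rto)}h"
        )
    return findings


# Constructed sample data: three hypothetical systems and the evidence found for each.
SAMPLE_CASES = [
    (BiaTarget("payments", rto=timedelta(hours=4), rpo=timedelta(hours=1)),
     Evidence(timedelta(hours=1), True, timedelta(hours=3))),
    (BiaTarget("hr-portal", rto=timedelta(hours=8), rpo=timedelta(hours=4)),
     Evidence(timedelta(hours=24), True, timedelta(hours=12))),
    (BiaTarget("archive", rto=timedelta(hours=72), rpo=timedelta(hours=24)),
     Evidence(timedelta(hours=12), False, None)),
]


def run_sample() -> Dict[str, List[str]]:
    """Assess every constructed case and return findings keyed by system name."""
    return {target.system: assess(target, evidence) for target, evidence in SAMPLE_CASES}


if __name__ == "__main__":
    for system, findings in run_sample().items():
        status = "PASS" if not findings else "FINDINGS"
        print(f"{system}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The point an auditor takes from this is the evidence requirement, not the arithmetic: a backup policy document alone proves neither target, so the check draws only on observed backup intervals and documented restore tests, and treats a missing test as a finding rather than assuming the RTO is met.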