July 2, 2026
CISA Domain Weighting: Where Domain 5's 26% Actually Comes From
Most CISA study plans allocate time by comfort, not by weight. Candidates spend their first few weeks on the audit-process material that feels familiar and push the technical-sounding domains to the end, where they get the least attention. The exam does not reward that order. The CISA domain weighting is public, it is uneven, and it points clearly at where your study hours should go — which is usually not where they naturally drift.
This article breaks down the current weighting, explains why two domains dominate, and turns the percentages into an actual study allocation. The goal is narrow and practical: by the end, you should be able to look at the split and know roughly how many of your hours each domain deserves.
The five domains and their current weighting
The CISA exam draws its 150 questions from five domains. As of ISACA's current exam content outline, the weighting is:
| Domain | Area | Weight |
|---|---|---|
| 1 | Information Systems Auditing Process | 18% |
| 2 | Governance and Management of IT | 18% |
| 3 | Information Systems Acquisition, Development and Implementation | 12% |
| 4 | Information Systems Operations and Business Resilience | 26% |
| 5 | Protection of Information Assets | 26% |
Two numbers carry the exam. Domains 4 and 5 are weighted at 26% each, which means together they account for 52% — more than half of the questions you will see. Domain 3 is the lightest at 12%. Domains 1 and 2 sit in the middle at 18% apiece.
This also answers a question candidates ask directly: which is the most important CISA domain to study. By raw weight, it is a tie — Domains 4 and 5 at 26% each. But importance for you is weight minus your current reliability, and for most candidates that calculation lands on Domain 5: the largest domain that also tends to be the least familiar. There is no single most important domain in the abstract. There is the domain where your gap to the exam's weight is widest, and you find that by testing yourself, not by guessing.
A note on accuracy before you build a plan on these figures: ISACA revises the weighting across syllabus cycles, and the numbers above replaced an earlier split that many third-party sites still publish. The older breakdown put Domain 1 at 21% and Domain 4 at 23%, among other differences. Always confirm the current percentages against ISACA's published content outline for the exam version you are sitting, rather than trusting a blog table — including this one — as a permanent source of truth.
Why Domains 4 and 5 dominate
The reason Operations and Asset Protection carry so much weight is breadth, not difficulty. Each domain covers a wide range of distinct topics, and a wide domain needs more questions to sample it fairly.
Domain 4, Information Systems Operations and Business Resilience, spans day-to-day IT operations, service-level management, incident and problem management, change and configuration management, backup, business continuity planning, and disaster recovery. These are different subjects with different control models, and the exam tests across all of them. A candidate who knows backup procedures cold but has never thought hard about how a change-management process should be controlled is exposed across a quarter of the exam.
Domain 5, Protection of Information Assets, is just as broad: identity and access management, network and endpoint security, encryption and key management, data classification, physical and environmental controls, security awareness, and incident response from the protection angle. The technical-sounding vocabulary convinces many candidates they need engineering depth here, which is the central misread of Domain 5. The questions test audit judgment about whether these controls are adequate, not whether you can configure them. That is where the title of this article points: Domain 5's 26% comes from the sheer number of distinct control areas an IS auditor is expected to evaluate, not from any single hard topic.
The trap in both domains is the same: breadth defeats the deep-dive strategy. A candidate can spend a weekend mastering encryption key management and still be exposed across the rest of Domain 5, because the questions sample widely and no single sub-area is more than a slice of the 26%. Depth in one corner does not insulate you from the breadth of the whole. This is why Domains 4 and 5 reward steady coverage across many control areas over intense focus on a favorite few.
Put together, Operations and Asset Protection are wide, control-heavy, and judgment-driven. That combination is exactly what an IS audit credential is built to test, which is why they anchor the weighting.
The mismatch between study time and domain weight
Here is the pattern that costs candidates points. The typical study-time distribution is almost the inverse of the exam weighting.
Domain 1, the IS audit process, is where auditors feel most at home. The vocabulary is familiar, the concepts map onto work they already do, and progress feels fast. So candidates spend a disproportionate share of early study time there — and Domain 1 is only 18% of the exam. Meanwhile Domain 5 sounds intimidating, so it gets deferred, rushed, or studied as a vocabulary list in the final week. Domain 5 is 26% of the exam.
To make the inversion concrete: it is common to see a candidate spend something like a third of their early study time on Domains 1 and 2 combined — the governance and audit-process material that reads quickly and feels productive — and then arrive at Domains 4 and 5 with only a few rushed sessions left. That schedule spends the most time on 36% of the exam and the least on 52% of it. Reverse the emphasis and the same total hours produce a higher expected score, because the hours land where the questions actually are.
The result is a candidate who is over-prepared on a fifth of the questions and under-prepared on a quarter of them. On a pass/fail exam scored in aggregate, that trade is a losing one. The questions you can now answer in your sleep do not earn extra credit for your fluency, and the questions you skimmed are worth more of the total.
This is not an argument to ignore Domain 1. It is an argument to stop treating comfort as a signal of where study time is well spent. The most useful question early in preparation is not "what do I enjoy reviewing" but "where is the gap between my current reliability and the domain's weight largest." For most candidates, that gap is widest in Domains 4 and 5.
What each domain actually tests
The weighting tells you how many questions come from each area. It does not tell you what kind of judgment each domain is testing. A one-line view of each:
Domain 1 — Information Systems Auditing Process (18%). The mechanics of auditing: risk-based planning, evidence sufficiency and appropriateness, sampling, and reporting. The judgment being tested is procedural — given this audit situation, what is the appropriate next step, the appropriate evidence, the appropriate report treatment. A typical Domain 1 question hands you an audit scenario and asks what the auditor should do next or whether the evidence gathered is sufficient; the content feels familiar, but the credited answer usually turns on procedure and independence rather than technical knowledge.
Domain 2 — Governance and Management of IT (18%). How IT is directed and controlled: governance frameworks, IT strategy alignment, policies, risk management, and organizational structure. The judgment is about whether the right oversight and accountability structures exist, not about operational execution. Questions here often ask who should own a decision, whether a policy or steering structure is adequate, or how IT objectives trace back to business strategy.
Domain 3 — Information Systems Acquisition, Development and Implementation (12%). The system life cycle: project governance, requirements, development controls, testing, and migration. The judgment centers on whether controls are built into the process that produces and changes systems. Expect questions on whether requirements, testing, and approval controls were adequate before a system went live — the auditor's lens on the development life cycle, not the developer's.
Domain 4 — Information Systems Operations and Business Resilience (26%). Running and protecting the continuity of IT: operations management, incident and change control, and business continuity and disaster recovery. The judgment is whether operational processes are controlled and whether the organization can withstand and recover from disruption. A Domain 4 question might turn on whether a change was properly authorized and tested before release, or whether a recovery plan's priorities actually match the business's tolerance for downtime.
Domain 5 — Protection of Information Assets (26%). Safeguarding confidentiality, integrity, and availability: access management, network and endpoint security, encryption, and physical controls. The judgment, again, is adequacy — is this control appropriate for the risk — not technical implementation. A Domain 5 question may describe a control and ask whether it fits the risk, or which access-management weakness an auditor should flag first: adequacy and prioritization, not configuration.
A pattern runs through all five: the exam consistently tests the auditor's adequacy judgment, not the operator's implementation skill. That distinction matters most in the technical-sounding domains, where it is easiest to slip into answering as an engineer.
How weighting should change your study schedule
Translate the percentages into hours. If you have a fixed study budget — say 150 hours over a few months — a defensible first allocation simply mirrors the weighting, then adjusts for your personal gaps:
- Domains 4 and 5: roughly half your total hours, split evenly, because together they are half the exam and usually your largest reliability gap.
- Domains 1 and 2: a little under a fifth each, with Domain 1 trimmed if you already work in audit and find the material straightforward.
- Domain 3: the smallest share, around an eighth, matching its 12% weight.
Made concrete with a 150-hour budget, that is roughly 39 hours each on Domains 4 and 5, about 27 hours each on Domains 1 and 2, and around 18 hours on Domain 3. Those are starting figures, not a prescription — round them off, then move hours toward whichever high-weight domain tests worst in your first timed mock. The point of anchoring the budget to the weighting is to stop it from quietly collecting in whichever domain feels most pleasant to study.
Then adjust for where you actually stand. A working IT auditor can usually move hours out of Domains 1 and 2 and into 4 and 5 without much risk. A candidate from a non-IT background may need to hold still more time in Domains 4 and 5, because the gap there is wider. The weighting sets the baseline; your background tilts it. The realistic version of this — how the right plan changes depending on where you are starting from — is covered in the study time allocation by background.
The one allocation to avoid is the default: heavy front-loading on Domain 1 because it feels productive, with Domains 4 and 5 compressed into the final stretch. That is the schedule that matches comfort instead of weight, and it is the one the exam math punishes.
The scoring implication: you don't need to master all five equally
A common misconception is that you must clear a bar in each domain separately. You do not. CISA is scored in aggregate on a scaled range, and the single passing standard is 450 across the whole exam — not a per-domain threshold you have to clear five times. The full mechanics of how the scaled score works are in scaled scoring and aggregate passing; the consequence for study planning is what matters here.
Aggregate scoring means you can trade strength across domains. Being very strong in Domains 4 and 5, where most of the questions live, can carry a merely adequate performance in Domain 3, where few do. Strategic study leans into that: spend disproportionately where the questions are concentrated, and accept "good enough" in the lightest domain rather than chasing mastery everywhere.
One caveat about what ISACA does report. Your score report shows performance by domain, but as broad bands — generally above or below the average, not a precise per-domain score and never a per-question breakdown. That is enough to tell you which domains were weak on a failed attempt, which is genuinely useful for a retake, but it is not a per-domain pass line. Plan around the aggregate, and use the domain bands as diagnostic feedback rather than as targets to clear individually.
If you want the broader picture of how questions, time, and scoring fit together, the exam format overview sets out the full structure that this weighting sits inside.
Independent CISA practice material. Not affiliated with ISACA. CISA, CISM, and CRISC are registered trademarks of ISACA, used here for descriptive reference only.
Practice where the weight actually is
Knowing that Domains 4 and 5 are half the exam is useful for planning. It does not tell you which of those topics actually drain your time and reliability under pressure — that only shows up when you sit a full mix of questions against the clock and see where you slow down and where you guess.
If you want to see which domains drain your time on a full timed mock, our free CISA mock is built for exactly this, with a by-domain breakdown afterward that shows where your minutes and your misses concentrate. The weighting tells you where the questions are. A timed mock tells you where you, specifically, are losing them.
