June 28, 2026
The CISA Exam Format Explained: 150 Questions, 240 Minutes, and the Math Behind the Test
Most candidates research the CISA syllabus in detail before they understand the CISA exam format. They know which domains exist and roughly what each covers, but they sit down for their first timed practice exam without having done the arithmetic on what 150 questions in 240 minutes actually demands. The format is not complicated, but a few of its details quietly shape how you should study, how you should pace yourself, and how much technical depth you actually need.
This is the reference article for the mechanics: how many questions, how long, how the scoring works, how the five domains are weighted, what the questions look like, and how you sit the exam. Each section is short on its own; the point is to give you an accurate baseline before you commit four-plus months to preparation.
What the CISA exam actually looks like
The CISA exam is 150 multiple-choice questions delivered over 240 minutes — four hours — on a computer. Every question has four answer options and exactly one credited answer. There are no essay components, no drag-and-drop items, no simulations. It is 150 single-best-answer questions, start to finish.
There is no penalty for a wrong answer. Your score is based only on the number of questions you answer correctly, which means a blank answer and a wrong answer cost you the same thing: one point. The practical consequence is that you should answer all 150 questions, even if the last few are pure guesses made in the final minute. Leaving a question blank is never the right move.
The exam also lets you move freely. There are no locked sections and no one-way questions: you can flag an item, skip it, and return to it any time before the four hours run out, and you can change any answer as often as you like until you submit. That freedom is what makes a two-pass approach to the exam possible at all — you are not forced to resolve a hard question the moment you first see it.
Scores are reported on a scaled range from 200 to 800, and you need 450 to pass. That scaled number is not a percentage, which trips up a lot of candidates — more on that below. The exam is the same length, format, and passing standard whether you take it remotely or in a test center, and whether you sit it in January or July. Difficulty does not change by date or delivery mode.
The 96-second math and why it's misleading
Divide 240 minutes by 150 questions and you get 96 seconds per question. That number is technically correct and strategically misleading, because it describes an average you will almost never actually experience question by question.
In practice, a prepared candidate answers a large share of questions in 40 to 60 seconds — the ones where you recognize the concept, spot the qualifier, and commit. A middle band of 30 to 40 questions takes two to four minutes each, because they require careful scenario reading or a decision between two defensible options. And a smaller set of genuinely hard questions can eat four to six minutes apiece if you let them. The 96-second average is the result of blending all three, not a budget you spend evenly.
This matters because the hard questions are where the clock collapses. Spend six minutes each on a dozen questions and you have burned 30 minutes you did not have, which is exactly how candidates end up rushing the final 40 questions and giving away points they had the knowledge to keep. The skill the exam quietly rewards is not raw speed — it is recognizing early which questions are about to drain your time and committing to a tentative answer before they do.
That is a behavior you rehearse, not a fact you memorize. The full breakdown, including a two-pass timing structure and the checkpoints that tell you when you have fallen behind, is in the companion piece on the pacing strategy that prevents the question 110 cliff. For this article, the takeaway is narrower: the format gives you enough time only if you spend it unevenly on purpose.
Scaled scoring: what 450 actually means
The 200-to-800 scale is the single most misunderstood part of the CISA exam format. A 450 is not "450 out of 800," and it is not 56% of the questions answered correctly. ISACA uses scaled scoring so that scores are comparable across different versions of the exam, which contain different questions of slightly different difficulty. A raw number of correct answers is converted to the scaled value, and the conversion is not published.
The honest consequence for a candidate is that you cannot reverse-engineer "I need to get X questions right." You aim to be comfortably above the passing standard on practice material rather than targeting a specific raw percentage. If you want the full explanation of why the scale works this way and what it does and does not tell you, the companion piece on how scaled scoring actually works covers it in detail. For the format overview, one fact is enough: 450 is the line, the scale runs 200 to 800, and the number is not a percentage.
The five domains and their weighting
The 150 questions are drawn from five domains, and the domains are not weighted equally. As of ISACA's current exam content outline, the split is:
| Domain | Area | Weight |
|---|---|---|
| 1 | Information Systems Auditing Process | 18% |
| 2 | Governance and Management of IT | 18% |
| 3 | Information Systems Acquisition, Development and Implementation | 12% |
| 4 | Information Systems Operations and Business Resilience | 26% |
| 5 | Protection of Information Assets | 26% |
The detail most candidates miss: Domains 4 and 5 together account for 52% of the exam — just over half the questions come from operations, resilience, and asset protection. Domain 3 is the smallest at 12%. The audit process domain that most auditors find comfortable, Domain 1, is only 18%.
This weighting has a direct study implication. A common mistake is to over-invest in Domain 1, where an auditor already feels fluent, and under-invest in Domain 5, which sounds technical and intimidating. The exam math does not reward that allocation. If more than half your questions come from Domains 4 and 5, more than half your weak-area study time probably should too. (One caution: these percentages have shifted across past syllabus updates, so always confirm them against ISACA's published content outline for the version you are sitting.)
Question style: scenario stems and qualifier words
CISA questions are predominantly scenario-based, not definitional. You are rarely asked "what is a firewall." You are far more often given a short situation — an auditor finds X, a control is configured as Y, a process does Z — and asked what the auditor should do first, what the primary risk is, or what the best recommendation would be.
Two features of this style decide most of your answers. The first is that two of the four options frequently both look correct, because both describe defensible actions. The exam is testing which one is correct from the IS auditor's perspective and within the specific scope of the question. The second is that the qualifier word in the stem — BEST, FIRST, PRIMARY, MOST, GREATEST — often determines the credited answer outright. The same four options can have different correct answers depending on whether the question asks for the first step or the best control.
Here is a stripped-down, original illustration of the mechanism — not a real exam item. A scenario notes that access rights were never revoked after several staff changed roles, and two of the four options both sound reasonable: remove the excess access, or recommend that management establish a periodic access review. Which one is credited depends heavily on the qualifier. A stem that asks what the auditor should do FIRST points toward the auditor's role — identifying the control gap and recommending the process that prevents recurrence — rather than performing the operational cleanup an auditor would not own. Reword the stem around the single best immediate corrective action and the emphasis can move. The four options barely changed; the small word in the stem did the work.
Training yourself to read the qualifier before you read the options is one of the highest-return habits in CISA prep, and it is the subject of the qualifier word framework. For the format, the point is to set expectations: this is a judgment exam written in scenarios, not a recall exam written in definitions, and the small words in the stem carry real weight.
Delivery mode: online proctored or a test center
You can take the CISA exam two ways: online with remote proctoring, or in person at a PSI testing center. The content, length, scoring, and passing standard are identical across both. What differs is the environment and the failure modes.
Remote proctoring lets you sit the exam from a private room at home. It requires a webcam, a stable connection, a clear desk, and a room scan, and it enforces strict rules — no notes, no phone, no leaving your seat, no one else in the room. Its failure modes are technical and environmental: a dropped connection, a room that is not clean enough, an ID problem at check-in. Each is preventable with preparation, but each is real.
A testing center removes the technical risk by giving you a controlled, supervised room, at the cost of scheduling around the center's availability and traveling to it. The trade is essentially flexibility versus environmental control. Neither mode is harder than the other; they suit different circumstances. A candidate with a quiet, dedicated space and confidence in their setup tends to prefer remote; one without that space, or who would rather not manage any technical variables on exam day, tends to prefer the center.
Registration, eligibility, and cost
Registration is handled through ISACA. At current published rates, the exam fee is $575 for ISACA members and $760 for non-members. Membership carries its own annual cost, so whether joining first saves money depends on how many ISACA benefits you would actually use; run that arithmetic for your own case rather than assuming the member rate is automatically cheaper overall. A separate certification application processing fee applies later, after you pass, when you apply for the credential itself.
The eligibility detail that confuses many first-time candidates is the experience requirement. Full CISA certification requires a minimum of five years of professional information systems auditing, control, or security experience. Certain education and other certifications can waive a portion of that requirement, and the experience can be earned within a defined window around your exam date rather than strictly beforehand.
Crucially, you do not need the experience to sit or pass the exam. You can take and pass the CISA exam first and then apply for certification once your experience is verified — candidates have a multi-year window after passing to do so. This means a candidate early in their career can sit the exam now and complete the certification later, which is a deliberate and common path. Confirm the current experience rules, substitutions, and fees on ISACA's site before you register, since these are the details most likely to change between syllabus cycles.
What the format means for how you should study
The format is not trivia. Each mechanical fact points at a study decision. The 150-in-240 structure means timed full-length rehearsal is not optional — pacing is a behavior you have to practice under the real clock, not a fact you can read about once. The 18/18/12/26/26 domain weighting means your study hours should lean toward Domains 4 and 5, not toward the audit-process material that feels most familiar. The scenario-and-qualifier question style means drilling judgment under realistic stems beats memorizing definitions. And the scaled-scoring model means you should aim to be clearly above the standard on practice rather than chasing a specific raw percentage.
How aggressively you can act on all of this depends on how much runway you have, which is itself a function of your background. A working IT auditor and a candidate pivoting from a non-IT field need different timelines and different domain emphases for the same exam. The study timeline by background lays out what realistic preparation looks like depending on where you are starting from. The format gives you the constraints; your background determines the plan that fits inside them.
Independent CISA practice material. Not affiliated with ISACA. CISA, CISM, and CRISC are registered trademarks of ISACA, used here for descriptive reference only.
Practice under the real format
Reading about the format gets you an accurate mental model. It does not tell you what 240 minutes of sustained, scenario-by-scenario judgment actually feels like, or where your own pace drifts, or which domains drain your clock disproportionately. Those only surface when you sit the format itself under timing.
If you want to see what 96-second pacing actually feels like across 240 minutes straight, our free CISA mock is built for exactly this — the same scenario-stem style, the same clock pressure, with a pacing breakdown afterward that shows where your time went. The format on paper is simple. Knowing how you personally hold up inside it is the part worth practicing before exam day.
