© 2026 CheatGrid™. All rights reserved.

CISA - Certified Information Systems Auditor Cheat Sheet

The CISA (Certified Information Systems Auditor) credential from ISACA validates your ability to audit, control, and assure an organization's information systems; it is the global benchmark for IS audit, risk, and control professionals. The exam has 150 questions across five job practice domains, weighted as follows: Information Systems Auditing Process (18%), Governance and Management of IT (18%), Information Systems Acquisition, Development and Implementation (12%), Information Systems Operations and Business Resilience (26%), and Protection of Information Assets (26%). The current job practice took effect on 1 August 2024. CISA is criterion-referenced, so the correct answer is the one supported by ISACA's ITAF standards and an auditor's risk-based, evidence-driven mindset; that is frequently not the most technical option but the one that best protects independence, objectivity, and the organization. Read every scenario as an auditor: identify the risk, test the control, gather sufficient and appropriate evidence, and report to those who can act, before doing anything else.

What This Cheat Sheet Covers

This topic spans 59 focused tables and 608 indexed concepts. Below is a complete table-by-table outline, from foundational concepts through advanced details.

Table 1: IS Audit Standards, Guidelines and Code of Ethics
Table 2: Types of Audits, Assessments and Reviews
Table 3: Risk-Based Audit Planning
Table 4: Types of Controls and Considerations
Table 5: Audit Project Management
Table 6: Audit Testing and Sampling Methodology
Table 7: Audit Evidence Collection and Data Analytics (CAATs)
Table 8: Audit Reporting and Communication Techniques
Table 9: Quality Assurance and Improvement of the Audit Process
Table 10: Laws, Regulations and Industry Standards
Table 11: Organizational Structure, IT Governance and IT Strategy
Table 12: IT Policies, Standards, Procedures and Practices
Table 13: Enterprise Architecture and Considerations
Table 14: Enterprise Risk Management
Table 15: Privacy Program and Principles
Table 16: Data Governance and Classification
Table 17: IT Resource Management
Table 18: IT Vendor Management
Table 19: IT Performance Monitoring and Reporting (KPIs and KRIs)
Table 20: Quality Assurance and Quality Management of IT
Table 21: Project Governance and Management
Table 22: Business Case and Feasibility Analysis
Table 23: System Development Methodologies
Table 24: Control Identification and Design
Table 25: System Readiness and Implementation Testing
Table 26: Implementation Configuration and Release Management
Table 27: System Migration, Infrastructure Deployment and Data Conversion
Table 28: Post-implementation Review
Table 29: IT Components
Table 30: IT Asset Management
Table 31: Job Scheduling and Production Process Automation
Table 32: System Interfaces
Table 33: Shadow IT and End-User Computing
Table 34: Systems Availability and Capacity Management
Table 35: Problem and Incident Management
Table 36: IT Change, Configuration and Patch Management
Table 37: Operational Log Management
Table 38: IT Service Level Management
Table 39: Database Management
Table 40: Business Impact Analysis
Table 41: System and Operational Resilience
Table 42: Data Backup, Storage and Restoration
Table 43: Business Continuity Plan
Table 44: Disaster Recovery Plans
Table 45: Information Asset Security Frameworks, Standards and Guidelines
Table 46: Physical and Environmental Controls
Table 47: Identity and Access Management
Table 48: Network and Endpoint Security
Table 49: Data Loss Prevention
Table 50: Data Encryption
Table 51: Public Key Infrastructure
Table 52: Cloud and Virtualized Environments
Table 53: Mobile, Wireless and Internet-of-Things Devices
Table 54: Security Awareness Training and Programs
Table 55: Information System Attack Methods and Techniques
Table 56: Security Testing Tools and Techniques
Table 57: Security Monitoring Tools and Techniques
Table 58: Security Incident Response Management
Table 59: Evidence Collection and Forensics

Table 1: IS Audit Standards, Guidelines and Code of Ethics

Domain 1 (Information Systems Auditing Process), A. Planning: the ITAF authority structure an IS auditor works under, and the independence, objectivity and ethics rules that govern how the work is performed.

Each entry below gives the Concept, an Example of how it shows up in an exam scenario, and a Description.

ITAF (IS Audit and Assurance Framework)
  Example: The auditor asks "which ISACA rule applies here?" and reaches for ITAF first.
  Description: ISACA's single reference framework for IT audit and assurance. It holds three tiers: Standards, Guidelines, and Tools and Techniques. It defines roles, ethics, required skills, and terms.

IS Audit and Assurance Standards (mandatory)
  Example: "Is this a Standard? Then I must comply."
  Description: The MANDATORY tier of ITAF. Three groups: General (1000), Performance (1200), Reporting (1400). Non-compliance can trigger an investigation of a CISA holder.

IS Audit and Assurance Guidelines (recommended)
  Example: "The Guideline suggests a method, but I can choose another and justify it."
  Description: Guidance that supports the Standards and helps achieve alignment with them. Recommended, NOT mandatory. Numbered in the 2000/2200/2400 series, mirroring the Standards.

Tools and Techniques
  Example: An ISACA audit program or white paper used as a starting template.
  Description: The third tier of ITAF, which supplies worked examples: audit programs, white papers, reference books. Optional aids, never mandatory. Not to be confused with Standards.

Code of Professional Ethics
  Example: A non-auditing CISA holder still owes confidentiality and due care.
  Description: ISACA's seven-principle ethics code, binding on all members and certification holders regardless of role. It covers objectivity, due care, confidentiality, competence, and full disclosure.
