May 18, 2026
How Long Should You Study for CISA? A Realistic Timeline by Background
The most common question CISA candidates ask before starting prep is also the hardest one to answer honestly: how long will this take? The answers you find online range from "two months part-time" to "six months of intensive study," and both are correct depending on who's asking. Study time for CISA depends heavily on your professional background, your familiarity with audit methodology, and how much time you can realistically commit per week.
This guide gives realistic timelines for the four most common candidate profiles, what factors compress or extend the timeline, and how to know when you're actually ready to sit the exam rather than just running out of patience.
The honest range
Most candidates need between 80 and 200 hours of focused study to be ready for CISA. That's a wide range, and the difference between the low and high ends comes down to background. A senior IT auditor with five years of CISA-relevant experience can be ready in 80 hours. A career switcher coming from software development with no audit background needs closer to 200 hours.
Translated into calendar time at typical part-time study rates (10 to 15 hours per week), the range is roughly:
- Strong background, focused prep: 8 to 10 weeks
- Average background, steady prep: 12 to 16 weeks
- Limited background, careful prep: 16 to 24 weeks
The specific number matters less than understanding which end of the range applies to you. Below are the four common profiles and what each one actually needs.
Profile 1: The experienced IT auditor
If you've been working as an IT auditor for three or more years, you have a significant head start. You already know what control testing looks like, you understand the audit lifecycle, and you've encountered most of the technical concepts CISA tests on. The exam isn't going to ask you to learn audit methodology from scratch.
What you do need to learn is the ISACA way of answering questions. Your professional experience may have taught you to handle a control weakness one way; ISACA may prefer a different approach for exam purposes. The Code of Professional Ethics, the standard auditor responsibilities, and ISACA's specific framing of independence and objectivity questions are the topics where experienced auditors most often pick the "real-world" answer that ISACA marks wrong.
Realistic timeline: 8 to 10 weeks at 10 hours per week (80 to 100 hours total).
A reasonable allocation:
- Weeks 1-3: Read the Review Manual selectively, focusing on the domains where your professional experience is weakest. Skip or skim the parts you already know well.
- Weeks 4-6: Drill ISACA QAE questions to calibrate your answer style to ISACA's preferences. This is the most important phase for experienced auditors — the gap is rarely knowledge, it's calibration.
- Weeks 7-8: Take a full-length timed mock. Review the pacing chart and wrong-answer patterns. Identify which question types are still tripping you up.
- Weeks 9-10: Final review of weak areas, second timed mock, exam.
The risk profile for experienced auditors is overconfidence. The exam is harder than it looks if you skip the calibration phase, and "I know this stuff" doesn't help when ISACA's preferred answer differs from industry practice on a question.
Profile 2: The accountant or financial auditor
If your background is in accounting or financial audit (CPA, CA, ACCA, or similar), you understand audit methodology and risk-based thinking, but you may have limited exposure to the IT-specific content that dominates CISA. Domains 3, 4, and 5 (acquisition/development, operations/resilience, and information asset protection) cover technical material that financial auditors typically haven't worked with deeply.
What you have going for you is the audit mindset. Risk assessment, control testing, evidence gathering, professional skepticism — these are second nature for you. The CISA exam tests these skills constantly, and you'll find Domain 1 (audit process) and Domain 2 (governance) relatively comfortable.
What you have to build is the technical depth. SDLC, change management, system architecture, network security, business continuity, encryption basics — if these terms are vague to you, that's where the bulk of your study time needs to go.
Realistic timeline: 12 to 16 weeks at 10 hours per week (120 to 160 hours total).
A reasonable allocation:
- Weeks 1-2: Skim the Review Manual front to back to identify your weak domains. Likely Domains 3-5.
- Weeks 3-8: Deep study of the technical domains. Don't try to become an IT expert — focus on the concepts and vocabulary CISA tests on, not on practitioner-level depth.
- Weeks 9-11: Question drilling across all domains. Use Gleim or QAE for volume.
- Weeks 12-13: First timed mock. Review the pacing chart and identify weak patterns.
- Weeks 14-16: Targeted review based on mock results, second timed mock, exam.
The risk profile for accountants is technical overwhelm. The IT material can feel endless, and there's a temptation to keep studying it until you feel "expert." You don't need expert-level technical knowledge; you need test-relevant familiarity with the concepts ISACA actually asks about.
Profile 3: The information security or IT professional
If your background is information security, IT operations, network engineering, or software development, you have the opposite problem from the accountant. You know the technical material — sometimes better than the Review Manual covers it — but audit methodology may be unfamiliar territory.
What you have going for you is technical depth. You'll find Domains 3, 4, and 5 relatively comfortable, and you may even find some of the Review Manual's technical content slightly outdated relative to your daily work.
What you have to build is the audit mindset. Independence, objectivity, audit evidence, materiality, the difference between an auditor's role and a consultant's role — these distinctions matter for CISA, and they're often subtle for someone whose career has been about fixing problems rather than reporting on them.
Realistic timeline: 12 to 16 weeks at 10 hours per week (120 to 160 hours total).
A reasonable allocation:
- Weeks 1-2: Read Domain 1 (audit process) and Domain 2 (governance) carefully. These are your gap.
- Weeks 3-5: Skim the technical domains, focusing only on the concepts where ISACA's framing differs from industry practice.
- Weeks 6-9: Question drilling with attention to "what should the auditor do" questions. These test the audit mindset directly.
- Weeks 10-12: First timed mock. Review wrong answers carefully — most of your wrong answers will be on audit-mindset questions, not technical questions.
- Weeks 13-16: Targeted review of audit methodology, second timed mock, exam.
The risk profile for security/IT professionals is technical confidence undermining audit calibration. You can know everything about the technical content and still fail if you keep answering questions like a practitioner rather than like an auditor. ISACA wants the auditor's response, not the engineer's response.
Profile 4: The career switcher
If you're new to both IT and audit — coming from a different professional field entirely, or early in your career — CISA is a steeper climb. You don't have either the audit foundation or the technical foundation, and the Review Manual will introduce both at once.
This is achievable but requires more time and more structure than the other profiles.
Realistic timeline: 16 to 24 weeks at 10 to 15 hours per week (160 to 360 hours total).
A reasonable allocation:
- Weeks 1-4: Read the Review Manual carefully, twice if needed. Don't skip anything.
- Weeks 5-8: Deep study of Domain 1 (audit process) and Domain 2 (governance). These set the foundation for the rest.
- Weeks 9-14: Domain-specific study of the technical domains. Use supplementary materials (YouTube explainer videos, Hemang Doshi's framework guides) when the Review Manual is unclear.
- Weeks 15-18: Question drilling. You need volume here because pattern recognition takes longer to develop without prior exposure.
- Weeks 19-20: First timed mock. Don't be discouraged if the score is low — it usually is for this profile, and improvement happens fast in the final stretch.
- Weeks 21-24: Focused review, second timed mock, exam.
The risk profile for career switchers is starting too late. CISA isn't a casual exam, and trying to compress the prep into 8 weeks usually results in needing a second sitting. Better to give yourself the full 16 to 24 weeks and pass on the first try than to rush it and need to repeat.
Factors that compress or extend the timeline
A few specific factors meaningfully change study time, in ways the profile averages don't capture:
Native English speakers vs. non-native. CISA is in English, and the questions use formal English with subtle qualifier words (BEST, FIRST, PRIMARY, MOST). Non-native speakers often need an extra 10 to 20 hours specifically for question-pattern recognition, even when their content knowledge is strong. Reading practice questions aloud helps train the ear for ISACA's specific phrasing patterns.
Recent graduates vs. mid-career professionals. Recent graduates are often better at exam discipline (they took exams recently and remember how to study), but worse at the practical scenario questions that make up much of CISA. Mid-career professionals are the opposite — strong on scenarios, rusty on disciplined study habits. Adjust your timeline based on which gap is yours.
Self-study vs. instructor-led training. Instructor-led training compresses the timeline because someone else is structuring the content for you. Self-study is cheaper and more flexible but requires more discipline. Don't confuse the two — if you're self-studying, allocate more weeks than the typical training timeline suggests.
Exam date locked vs. flexible. Candidates with a fixed exam date (employer deadline, certification renewal pressure) tend to manage time better because the deadline forces decisions. Candidates with flexible dates often drift, study casually for months, and never feel "ready." Pick a date and commit.
How to know when you're actually ready
Running out of weeks isn't the same as being ready. The honest readiness check is a full-length timed mock under realistic conditions. If you can score around 70-75% on a 150-question, 240-minute timed mock and finish it comfortably within the time limit, you're ready. If you can't, you're not, and an extra two weeks of targeted prep is worth more than sitting an exam you're likely to fail.
The two-mock pattern works well for this calibration. Take the first timed mock at the four-week-out mark and use the result to prioritize your remaining study. Take the second mock at the one-week-out mark to confirm you're ready. If the second mock shows a meaningful improvement and you're at or above the readiness threshold, sit the exam confidently. If it shows the same gaps as the first mock, consider rescheduling.
The free diagnostic on cisamock.com is calibrated to roughly the same difficulty as the full exam and gives you a percentile against other demo takers. It's a useful early read on whether you're closer to the 80-hour profile or the 200-hour profile, before you commit to a study plan.
The cost of underestimating
The most expensive mistake in CISA prep isn't studying too much — it's underestimating the timeline, sitting the exam unprepared, and needing a second attempt. The exam fee, the rescheduling time, and the morale hit add up to far more than the cost of an extra month of focused prep.
Be honest about your background. Pick the profile that actually fits you, not the one you'd like to fit. And give yourself enough weeks to do the work properly. CISA is passable on the first try for most candidates who plan realistically; it's painfully hard for candidates who plan optimistically.
