ISACA series
ISACA CISA® Exam Prep
JUMPSTART YOUR CAREER WITH CISA
Validate your expertise with ISACA’s CISA, the gold standard for IT audit, assurance, security, and cybersecurity professionals.
Upcoming Courses
Position yourself for success with the in-demand CISA certification.
Since its inception in 1978, more than 150,000 people have obtained ISACA®’s Certified Information Systems Auditor® (CISA®) certification. Join this community of elite professionals and get the recognition you deserve.
The first step to becoming CISA certified is to take and pass the CISA certification exam. The exam consists of 150 questions covering 5 job practice domains and tests your understanding of the knowledge and practical abilities an expert professional brings to the real-life job practice as it relates to information systems. Your ability to pass the exam will amount to substantial proof of your own expertise in these practical work-related domains:
Domain 1
Auditing Information Systems
Providing audit services in accordance with standards to assist organizations in protecting and controlling information systems.
Domain 1 affirms your credibility to offer conclusions on the state of an organization’s IS/IT security, risk and control solutions.
Domain 2
Governance and Management of IT
Delivering assurance that the necessary leadership, structures and processes are in place to achieve organizational objectives and support strategy.
Domain 2 confirms to stakeholders your abilities to identify critical issues and recommend enterprise-specific practices to support and safeguard the governance of information and related technologies.
Domain 3
Information Systems Acquisition, Development and Implementation
Providing assurance that the practices in these areas will meet strategies and objectives.
Domains 3 and 4 offer proof not only of your competency in IT controls, but also your understanding of how IT relates to business.
Domain 4
Information Systems Operations, Maintenance and Service Management
Providing assurance that processes also meet strategies and objectives.
Domain 5
Protection of Information Assets
Providing assurance that policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets.
Cybersecurity now touches virtually every information systems role, and understanding its principles, best practices and pitfalls is a major focus within Domain 5.
See why CISA is a lifelong symbol of knowledge and expertise.
In today’s complex, fast-paced business environment, information has become the most valuable currency for enterprises around the globe.
Information systems professionals play vital roles in leveraging the value and assuring the security and integrity of data that drives business. CISA is recognized the world over as proof of competency and experience in providing assurance that critical business assets are secured and available.
Hiring managers look for it. Some business and governmental agency roles require it. Organizations and professionals worldwide consider CISA “the gold standard” for IS/IT certifications.
ANSI-Accredited
The American National Standards Institute (ANSI) has accredited the CISA certification program under ISO/IEC 17024:2012.
DoD 8570 Approved
The U.S. Department of Defense (DoD) 8570.01-M “Information Assurance Workforce Improvement Program” named ISACA’s CISA certification among those approved for US DoD information assurance (IA) professionals.
High-Paying Certification
CISA named among the 10 highest paying certifications of 2020 by PC Mag.
Hottest Certification
CRN placed CISA on their list of “The 11 Hottest Cybersecurity Certifications In 2020”.
Build your confidence on exam day—with test prep solutions from deltamine.
Gear up for your CISA certification exam with the most comprehensive, up-to-date study materials and training designed to fit your study needs and schedule. Create your own combination, choose from:
Virtual Instructor-Led Training
Live, interactive sessions with expert instructors for a dynamic learning experience.
On-Demand Review Courses
Flexible online courses available anytime to fit your schedule.
Review Manuals
Print or downloadable materials in multiple languages for comprehensive exam prep.
Q&A Database
12-month access to exam-style questions with detailed explanations.
Plus, exam prep and discussion forums on engage.isaca.org
Deltamine is proud to be an ISACA Accredited Training Partner, recognized for delivering high-quality training that meets ISACA's rigorous standards. Our CISA course is designed by experienced instructors who are experts in the field, ensuring you receive the most current and relevant knowledge to excel in your certification journey.
Get in touch
1140 Avenue of the Americas, 9th Floor, New York, NY 10036
learning@deltamine.com
+1 (212) 537-5899
Copyright © 2025
CIA Triad
Three principles of security control and management. Also known as the information security triad. Also referred to in reverse order as the AIC triad.
Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
Integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Non-Repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
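Integrity and non-repudiation are easy to conflate, so here is an added example in Go (written for this glossary, not ISACA's or deltamine's material) that separates the two using only the standard library. An HMAC over a constructed order record detects tampering, but because sender and receiver share the key, the receiver can mint a tag the sender never produced, so the sender can still deny authorship. An Ed25519 signature also detects tampering, and only the holder of the private key can produce one that verifies under the matching public key. The order record, the tampered copy, the keys and the "receiver tries to forge" step are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record whose origin and integrity we want to check.
var order = []byte(`{"order_id":"A-1001","amount":"250.00","account":"acme"}`)

// Constructed tampered copy: the amount has been changed in transit.
var tampered = []byte(`{"order_id":"A-1001","amount":"9250.00","account":"acme"}`)

// macTag computes an HMAC-SHA256 tag over msg with a key shared by sender and receiver.
func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macVerify checks integrity: any change to msg or tag fails, compared in constant time.
func macVerify(key, msg, tag []byte) bool {
	return hmac.Equal(macTag(key, msg), tag)
}

// Scenario records which security goal each mechanism meets.
type Scenario struct {
	MacOK, MacTamperedOK, MacReceiverCanForge bool
	SigOK, SigTamperedOK, SigReceiverCanForge bool
}

// RunScenario exercises both mechanisms against the same record and its tampered copy.
func RunScenario() (Scenario, error) {
	var s Scenario

	// Shared-secret MAC: integrity yes, non-repudiation no.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return s, err
	}
	tag := macTag(shared, order)
	s.MacOK = macVerify(shared, order, tag)           // genuine record verifies
	s.MacTamperedOK = macVerify(shared, tampered, tag) // modification is detected
	// The receiver holds the same key, so it can produce a valid tag for any message,
	// which is exactly why a MAC cannot prove who created the data.
	s.MacReceiverCanForge = macVerify(shared, tampered, macTag(shared, tampered))

	// Digital signature: integrity yes, non-repudiation yes.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return s, err
	}
	sig := ed25519.Sign(priv, order)
	s.SigOK = ed25519.Verify(pub, order, sig)           // genuine record verifies
	s.SigTamperedOK = ed25519.Verify(pub, tampered, sig) // modification is detected
	// The receiver has only pub. Signing with any other private key does not verify
	// under the sender's public key, so the sender cannot deny a valid signature.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return s, err
	}
	s.SigReceiverCanForge = ed25519.Verify(pub, tampered, ed25519.Sign(otherPriv, tampered))
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

The practical reading: a MAC is the right tool when both ends are the same trust domain (a service validating its own session tokens), while a signature is needed whenever a third party, an auditor or a court must be able to attribute the data to its originator.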
National Institute of Standards and Technology (NIST) - https://www.nist.gov
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
Cybersecurity Frameworks (CSFs)
Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.
Security Controls
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
Gap Analysis
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
Identity and Access Management (IAM)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
Identification
The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.
Authentication
A method of validating a particular entity's or individual's unique credentials.
Authorization
The process of determining what rights and privileges a particular entity has.
Accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
Authentication, Authorization, and Accounting (AAA)
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
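The AAA sequence (verify the subject's identity, check that it holds the relevant permission, then log the action) is short enough to show end to end. The following is an added Go example written for this glossary, not code from ISACA, deltamine or any real AAA product. The principals, tokens and permissions are constructed, and it assumes authentication with a high-entropy API token stored as a SHA-256 hash and compared in constant time; user passwords would instead need a dedicated password hash such as bcrypt or Argon2, which this example does not cover. Every failed or unauthorized attempt is logged and flagged, matching the Accounting definition above.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
)

// Principal is an enrolled identity: the output of the identification step.
type Principal struct {
	TokenHash [32]byte        // SHA-256 of a high-entropy API token; the token itself is never stored
	Perms     map[string]bool // authorization data: actions this principal may perform
}

// AuditEvent is one accounting record. Alert marks failed or unauthorized attempts.
type AuditEvent struct {
	When                              time.Time
	Subject, Action, Resource, Outcome string // Outcome: allowed, denied, auth-failed, unknown-subject
	Alert                             bool
}

// AAA is the centralized platform: it owns the directory and the audit trail.
type AAA struct {
	directory map[string]*Principal
	Log       []AuditEvent
}

func NewAAA() *AAA { return &AAA{directory: map[string]*Principal{}} }

// Enroll issues an account and its credential to a named subject (identification).
func (a *AAA) Enroll(name, token string, perms ...string) {
	p := &Principal{TokenHash: sha256.Sum256([]byte(token)), Perms: map[string]bool{}}
	for _, perm := range perms {
		p.Perms[perm] = true
	}
	a.directory[name] = p
}

func (a *AAA) record(subject, action, resource, outcome string, alert bool) {
	a.Log = append(a.Log, AuditEvent{When: time.Now(), Subject: subject, Action: action,
		Resource: resource, Outcome: outcome, Alert: alert})
}

// Request runs authentication, authorization and accounting, in that order, for one action.
func (a *AAA) Request(name, token, action, resource string) bool {
	p, ok := a.directory[name]
	if !ok {
		a.record(name, action, resource, "unknown-subject", true)
		return false
	}
	// Authentication: compare hashes in constant time so timing does not leak the token.
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], p.TokenHash[:]) != 1 {
		a.record(name, action, resource, "auth-failed", true)
		return false
	}
	// Authorization: default deny; only explicitly granted actions pass.
	if !p.Perms[action] {
		a.record(name, action, resource, "denied", true)
		return false
	}
	// Accounting: authorized use is logged as well, so the trail is complete.
	a.record(name, action, resource, "allowed", false)
	return true
}

// Alerts returns the events a SOC would want to see: failed and unauthorized attempts.
func (a *AAA) Alerts() []AuditEvent {
	var out []AuditEvent
	for _, e := range a.Log {
		if e.Alert {
			out = append(out, e)
		}
	}
	return out
}

// Demo enrolls two constructed principals and runs four requests against the service.
func Demo() *AAA {
	a := NewAAA()
	a.Enroll("alice", "tok-alice-7f3a", "read", "write") // constructed sample tokens
	a.Enroll("bob", "tok-bob-91c2", "read")
	a.Request("alice", "tok-alice-7f3a", "write", "ledger") // allowed
	a.Request("bob", "tok-bob-91c2", "write", "ledger")     // denied: bob has no write permission
	a.Request("bob", "tok-bob-0000", "read", "ledger")      // auth-failed: wrong token
	a.Request("mallory", "tok-x", "read", "ledger")         // unknown-subject: never enrolled
	return a
}

func main() {
	for _, e := range Demo().Log {
		fmt.Printf("%s subject=%s action=%s resource=%s outcome=%s alert=%v\n",
			e.When.Format(time.RFC3339), e.Subject, e.Action, e.Resource, e.Outcome, e.Alert)
	}
}
```

Two design points worth noticing: the audit record is written on every path, including the failures, because an audit trail with only successes cannot support incident investigation; and the unknown-subject and auth-failed branches return the same boolean to the caller, so an attacker probing the service cannot tell whether a username exists.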
Managerial Control
A category of security control that gives oversight of the information system.
Operational Control
A category of security control that is implemented by people.
Technical Control
A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.
Physical Control
A category of security control that acts against in-person intrusion attempts.
Preventive Control
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
Detective Control
A type of security control that acts during an incident to identify or record that it is happening.
Corrective Control
A type of security control that acts after an incident to eliminate or minimize its impact.
Directive Control
A type of control that enforces a rule of behavior through a policy or contract.
Deterrent Control
A type of security control that discourages intrusion attempts.
Compensating Controls
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
Chief Information Officer
A company officer with the primary responsibility for management of information technology assets and procedures.
Chief Technology Officer
A company officer with the primary role of making effective use of new and emerging computing platforms and innovations.
Chief Security Officer
Typically the job title of the person with overall responsibility for information assurance and systems security.
Information System Security Officer (ISSO)
Organizational role with technical responsibilities for implementation of security policies, frameworks, and controls.
Security Operations Center (SOC)
The location where security professionals monitor and protect critical information assets in an organization.
Development and Operations (DevOps)
A combination of software development and systems operations; refers to the practice of integrating one discipline with the other.
DevSecOps
A combination of software development, security operations, and systems operations; refers to the practice of integrating each discipline with the others.
Computer Security Incident Response Team (CSIRT)
Team with responsibility for incident response. The CSIRT must have expertise across a number of business domains (IT, HR, legal, and marketing, for instance).
Vulnerability
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Threat
A potential for an entity to exercise a vulnerability (that is, to breach security).
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Internal/External
The degree of access that a threat actor possesses before initiating an attack. An external threat actor has no standing privileges, while an internal actor has been granted some access permissions.
Threat Actor
A person or entity responsible for an event that has been identified as a security incident or as a risk.
Level of Sophistication/Capability
A formal classification of the resources and expertise available to a threat actor.
Resources/Funding
The ability of threat actors to draw upon funding to acquire personnel, tools, and to develop novel attack types.
Service Disruption
A type of attack that compromises the availability of an asset or business process.
Data Exfiltration
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
Disinformation
A type of attack that falsifies an information resource that is normally trusted by others.
Blackmail
Demanding payment to prevent the release of information.
Extortion
Demanding payment to prevent or halt some type of attack.
Fraud
Falsifying records, such as an internal fraud that involves tampering with accounts.
Hackers
Often used to refer to someone who breaks into computer systems or spreads viruses; ethical hackers prefer to think of themselves as experts on and explorers of computer security systems.
Unauthorized
A hacker operating with malicious intent.
Authorized
A hacker engaged in authorized penetration testing or other security consultancy.
Unskilled Attackers
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
Hacktivist
A threat actor that is motivated by a social issue or political cause.