- What Is CIA Domain 10: Information Security?
- Where Domain 10 Lives Within the CIA Exam
- Core Topics You Must Master
- How Domain 10 Questions Are Written
- Registration, Fees, and Scheduling Context
- A Domain-Anchored Study Schedule for Part 3
- Who Hires for CIA Information Security Expertise
- Scoring and What It Takes to Pass Part 3
- Frequently Asked Questions
- Domain 10: Information Security is one of three domains in CIA Part 3, which contains 100 questions answered in 2 hours.
- The 2025 syllabus increased emphasis on information security, making this domain a heavier hitter than in prior versions.
- Part 3 registration costs approximately $215 for IIA members and $340 for non-members.
- A scaled score of 600 on the 250-750 scale is required to pass each part, including Part 3.
What Is CIA Domain 10: Information Security?
CIA Domain 10: Information Security is one of three domains that make up CIA Part 3 of the Certified Internal Auditor exam, administered by The Institute of Internal Auditors (IIA). The full Part 3 syllabus also includes Domain 9: Business Acumen and Domain 11: Information Technology. Together, these three domains test a candidate's ability to audit in an increasingly digital, data-driven business environment.
Domain 10 focuses specifically on the principles, frameworks, and audit techniques that internal auditors apply when evaluating an organization's information security posture. This is not a surface-level overview of cybersecurity buzzwords. The IIA expects candidates to understand how information security governance is structured, which controls are relevant, how risks are identified and treated, and, critically, how an internal auditor independently assesses all of it.
The 2025 syllabus update, in effect since May 2025 and aligned with the IIA's new Global Internal Audit Standards, deliberately increased the emphasis on information security and technology in Part 3. If you studied for the CIA under an older syllabus, do not assume your preparation is sufficient. This domain has grown in scope and sophistication.
Where Domain 10 Lives Within the CIA Exam
Understanding where Domain 10 sits structurally helps you allocate preparation time intelligently. The CIA is a three-part exam, and the parts can be taken in any order, though most candidates attempt Part 1 first to build the foundational internal audit knowledge that informs everything else.
- Part 1 covers Domains 1-4: Internal Audit Fundamentals, Ethics and Professionalism, Governance, Risk Management, and Control, and the newly distinct Fraud Risks domain. It contains 125 multiple-choice questions in 2.5 hours.
- Part 2 covers Domains 5-8: Managing the Internal Audit Function, Planning the Internal Audit Engagement, Performing the Internal Audit Engagement, and Communicating Internal Audit Results and Monitoring Progress. It contains 100 questions in 2 hours.
- Part 3 covers Domains 9-11: Business Acumen, Information Security, and Information Technology. It also contains 100 questions in 2 hours.
Domain 10 shares Part 3 with two other demanding domains, which means your study time for this section must be disciplined. You cannot over-invest in Domain 9's business acumen content at the expense of Domains 10 and 11, both of which require technical grounding.
Domain 10: Information Security - Audit Scope at a Glance
Candidates must be able to evaluate an organization's information security program from an internal audit perspective, not merely describe cybersecurity concepts.
- Information security governance frameworks (e.g., ISO 27001, NIST Cybersecurity Framework)
- Risk identification, assessment, and treatment specific to information assets
- Access controls: logical, physical, and administrative
- Incident response planning and audit of response effectiveness
- Data classification, data loss prevention, and privacy considerations
- Cloud security controls and third-party/vendor risk management
- Audit procedures for evaluating security controls and control gaps
- Regulatory and compliance obligations (e.g., GDPR and HIPAA, from an auditor's viewpoint)
Core Topics You Must Master
Information Security Governance
Governance is the starting point for any audit of an information security program. CIA candidates must understand how boards and senior management set tone and accountability for information security, how policies and standards cascade from governance structures, and how internal audit evaluates the adequacy of that governance. Questions in this area often test whether the candidate can distinguish between management's role in running the security program and internal audit's role in independently assessing it.
Risk Assessment in an Information Security Context
Part 3 questions on information security risk are not abstract. They ask candidates to apply risk assessment methodologies to specific scenarios: a healthcare organization storing patient records, a financial services firm with third-party data processors, a retailer running e-commerce platforms. You need to understand threat identification, vulnerability assessment, likelihood and impact estimation, and how residual risk is communicated to management and the audit committee.
Access Controls
Access control is one of the highest-yield topic areas within Domain 10. Expect questions on the principle of least privilege, segregation of duties in IT environments, privileged access management, user provisioning and de-provisioning processes, and how internal audit tests whether access controls are operating as designed versus as documented. The distinction between detective, preventive, and corrective controls in an access control context is frequently tested.
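As an added illustration (not part of the original page or of any IIA material), the reconciliation below is the kind of test an internal auditor runs to check that de-provisioning and segregation-of-duties controls are operating as designed rather than merely as documented: the access list exported from an application is compared against the HR roster and an SoD matrix. Every roster entry, account, role name, and threshold here is constructed for the example.

```python
"""Access review reconciliation (added example with constructed data).

Tests three access-control assertions an auditor would normally find in policy:
  1. accounts are disabled within a grace period of the owner leaving (de-provisioning),
  2. no one holds a pair of roles the SoD matrix says must be separated,
  3. privileged accounts that have gone unused past an idle threshold are reviewed.
"""
from datetime import date, timedelta

# --- Constructed sample data (not from any real system) -------------------
# HR roster keyed by employee id: employment status and termination date.
HR_ROSTER = {
    "E100": {"status": "active", "term_date": None},
    "E101": {"status": "active", "term_date": None},
    "E102": {"status": "terminated", "term_date": date(2025, 3, 14)},
    "E103": {"status": "active", "term_date": None},
}

# Application access list as an auditor would receive it from the system owner.
# emp_id is None for a service account with no HR owner on record.
ACCESS_LIST = [
    {"user": "asmith", "emp_id": "E100", "roles": {"ap_invoice_entry"},
     "last_login": date(2025, 6, 2)},
    {"user": "bjones", "emp_id": "E101",
     "roles": {"ap_invoice_entry", "ap_payment_approve"},
     "last_login": date(2025, 6, 1)},
    {"user": "clee", "emp_id": "E102", "roles": {"vendor_master_edit"},
     "last_login": date(2025, 3, 13)},
    {"user": "dkim", "emp_id": "E103", "roles": {"sys_admin"},
     "last_login": date(2025, 1, 20)},
    {"user": "svc_batch", "emp_id": None, "roles": {"db_admin"},
     "last_login": date(2025, 6, 3)},
]

# Segregation-of-duties matrix: role pairs one person must never hold together.
SOD_CONFLICTS = [
    ({"ap_invoice_entry", "ap_payment_approve"}, "create and approve payments"),
    ({"vendor_master_edit", "ap_payment_approve"}, "create vendor and pay it"),
]
PRIVILEGED_ROLES = {"sys_admin", "db_admin"}  # assumed privileged roles


def find_orphaned_accounts(access, roster, as_of, grace_days=1):
    """De-provisioning test: accounts still enabled after the owner left HR,
    or accounts with no HR owner at all (unreconciled service/shared accounts)."""
    findings = []
    for acct in access:
        emp = roster.get(acct["emp_id"]) if acct["emp_id"] else None
        if emp is None:
            findings.append((acct["user"], "no HR owner on record"))
        elif (emp["status"] == "terminated"
              and as_of - emp["term_date"] > timedelta(days=grace_days)):
            days = (as_of - emp["term_date"]).days
            findings.append((acct["user"], f"terminated {days} days ago, still enabled"))
    return findings


def find_sod_violations(access, matrix):
    """SoD test: a user holding every role in a conflicting pair is a finding."""
    findings = []
    for acct in access:
        for pair, description in matrix:
            if pair <= acct["roles"]:  # pair is a subset of the user's roles
                findings.append((acct["user"], description))
    return findings


def find_stale_privileged(access, as_of, privileged, max_idle_days=90):
    """Privileged accounts idle beyond the threshold: dormant admin access
    is a standing attack surface and a sign the periodic review is not working."""
    findings = []
    for acct in access:
        if acct["roles"] & privileged:
            idle = (as_of - acct["last_login"]).days
            if idle > max_idle_days:
                findings.append((acct["user"], f"privileged, idle {idle} days"))
    return findings


def run_access_review(access=ACCESS_LIST, roster=HR_ROSTER, as_of=date(2025, 6, 30)):
    """Run all three tests over the full population and return findings by test."""
    return {
        "orphaned": find_orphaned_accounts(access, roster, as_of),
        "sod": find_sod_violations(access, SOD_CONFLICTS),
        "stale_privileged": find_stale_privileged(access, as_of, PRIVILEGED_ROLES),
    }


if __name__ == "__main__":
    for test_name, items in run_access_review().items():
        print(test_name)
        for user, reason in items:
            print(f"  {user}: {reason}")
```

The point of the design is that each test runs over the entire exported population rather than a sample of tickets: a policy that says "accounts are removed within one business day of termination" is the control as documented, and only the population comparison against HR tells you whether it is operating that way. The unowned service account is reported alongside the terminated user because an account nobody in HR is accountable for cannot be de-provisioned by the normal leaver process.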
Incident Response and Business Continuity
Internal auditors do not manage incident response; they audit it. Domain 10 requires candidates to understand how an auditor would assess whether an organization's incident response plan is adequate, tested, and likely to function under actual breach conditions. Related topics include business continuity planning, disaster recovery, and the audit of backup and recovery procedures.
Emerging Technology and Cloud Security
The 2025 syllabus update reflects the reality that most organizations now operate in hybrid or fully cloud-based environments. Candidates should understand shared responsibility models in cloud computing, the audit implications of SaaS, PaaS, and IaaS environments, and how vendor contracts and service-level agreements factor into information security assurance. This is an area where candidates with a purely traditional IT audit background may encounter unfamiliar material.
How Domain 10 Questions Are Written
Every question on the CIA exam is multiple choice. There are no simulations, no essays, and no drag-and-drop items. All 100 questions in Part 3 are four-option multiple-choice questions, delivered via Pearson VUE testing centers available year-round worldwide.
Information security questions in Domain 10 tend to follow several recurring structures:
- Scenario-based judgment questions: A vignette describes an organization's security situation and asks what an internal auditor should do next, what the highest-priority finding is, or what recommendation is most appropriate.
- Control identification questions: A control is described, and the candidate must identify whether it is preventive, detective, or corrective, and whether it actually addresses the risk described.
- Framework application questions: A scenario references a specific governance or compliance framework, and the candidate must apply it correctly.
- Independence and objectivity questions: These test whether the internal auditor maintains independence when advising on security implementations, a recurring ethics intersection with Domain 10.
Practicing with realistic exam-style questions is essential. Use CIA Exam Prep practice tests to work through Domain 10 scenarios under timed, exam-like conditions. The goal is to train your reasoning process, not just memorize definitions.
Registration, Fees, and Scheduling Context
Before sitting for Part 3, you must have an approved application on file with the IIA. The application fee is approximately $115 for IIA members and $230 for non-members. Per-part registration then costs approximately $215 for IIA members and $340 for non-members. Across all three parts, total costs run approximately $760 for members and $1,250 for non-members.
You have three years from acceptance into the CIA program to complete all three parts and the experience requirement. That deadline should directly inform how aggressively you schedule Part 3: many candidates treat it as the last hurdle and underestimate its technical demands.
Part 3 is available year-round at Pearson VUE centers and can be taken before Parts 1 or 2 if your preparation warrants it. Some candidates with strong IT audit backgrounds choose to sit Part 3 first precisely because Domain 10 and Domain 11 align with their daily work. There is no required sequencing.
Key Takeaway
If you are approaching the end of your three-year window, register for Part 3 as soon as you complete Part 2, or even concurrently. Waiting risks running into scheduling gaps at Pearson VUE centers, especially during high-demand periods near fiscal year-end when many audit professionals are stretched thin at work.
A Domain-Anchored Study Schedule for Part 3
Part 3 contains three distinct domains of meaningfully different character. Domain 9 (Business Acumen) draws on economics, finance, and organizational knowledge. Domain 10 (Information Security) requires technical security audit knowledge. Domain 11 (Information Technology) covers IT general controls, systems development, and data analytics. Treat them as three separate study modules.
Domain 9: Business Acumen Foundation (Weeks 1-2)
- Cover organizational structures, financial statement fundamentals, and strategic risk concepts
- Complete one timed practice block of 20-25 Domain 9 questions to benchmark baseline
Domain 10: Information Security Deep Dive
- Week 3: Governance frameworks (ISO 27001, NIST CSF), security policy structure, audit independence in security contexts
- Week 4: Access controls, incident response audit, cloud security shared responsibility models
- Week 5: Data classification, privacy regulations from an auditor's viewpoint, practice question block of 30+ Domain 10 items
Domain 11: Information Technology (Weeks 6-7)
- IT general controls, systems development life cycle audit, data analytics in internal audit
- Practice 25+ Domain 11 questions; note overlap areas with Domain 10
Full Part 3 Simulation (Week 8)
- Take a full 100-question timed simulation covering all three domains
- Review every incorrect answer with a focus on why the correct answer was correct, not just what it was
- Revisit CIA Exam Prep practice tests for additional targeted drilling on weak Domain 10 subtopics
Who Hires for CIA Information Security Expertise
The CIA credential is the only globally recognized internal audit certification, and employers know what it signals. When the CIA is combined with demonstrated information security audit competence, the kind Domain 10 tests, the career applications span a wide range of industries and organizational types.
Financial services firms (banks, insurance companies, asset managers) are among the most active hirers of internal auditors with information security backgrounds. Regulatory scrutiny in this sector around data security, third-party risk, and cyber resilience is intense, and internal audit functions are expected to provide meaningful assurance over security controls.
Healthcare organizations face overlapping privacy and security obligations. Internal auditors who understand how to evaluate HIPAA-related security controls, audit EHR system access, and assess business associate agreements are in demand at hospital systems, payers, and health technology companies.
Technology and software companies increasingly staff internal audit teams with professionals who can credibly evaluate security engineering practices, cloud infrastructure controls, and software development security. Domain 10 knowledge is table stakes for this work.
Government and public sector entities, consulting firms, and large multinationals also actively seek CIA-holders with information security audit competencies, particularly as regulators worldwide increase expectations around cybersecurity governance disclosures.
Scoring and What It Takes to Pass Part 3
Every part of the CIA exam is scored on a scale of 250 to 750. The passing score is a scaled score of 600. This is not a raw percentage; it is a scaled score derived through the IIA's psychometric methodology. For a detailed breakdown of how this scale works and what it means for your preparation strategy, see our article on CIA Exam Scoring 2026: How the 600 Passing Score Works.
What this means practically for Domain 10 preparation: you do not need to answer every information security question correctly. You need to demonstrate consistent, reliable competence across all three Part 3 domains. Weak performance in Domain 10 will drag your scaled score down even if you ace Domains 9 and 11.
| CIA Part | Domains Covered | Questions | Time Allowed | Passing Scaled Score |
|---|---|---|---|---|
| Part 1 | Domains 1-4 (incl. Fraud Risks) | 125 | 2.5 hours | 600 of 750 |
| Part 2 | Domains 5-8 | 100 | 2 hours | 600 of 750 |
| Part 3 | Domains 9-11 (incl. Info Security) | 100 | 2 hours | 600 of 750 |
Effective April 2026, the IIA is updating its scoring process so that candidates receive official results within three weeks of sitting their exam. This change reduces the uncertainty period that many candidates find stressful and allows faster re-registration if a retake is needed.
After earning the CIA, maintaining the credential requires 40 CPE hours annually, with a minimum of 20 hours in internal audit topics. Given the pace of change in information security, many CIA-holders will find that continuing education in this area naturally satisfies a significant portion of that annual requirement. For a broader view of how Domain 10 fits within your overall exam strategy, revisit our complete guide on CIA Domain 10: Information Security Study Guide 2026.
Frequently Asked Questions
How difficult is Domain 10?
Difficulty is subjective and depends heavily on your background. Candidates with IT audit or cybersecurity experience often find Domain 10 more approachable than Domain 9's finance and economics content. Those from a purely financial audit background typically find Domain 10 the steepest learning curve in Part 3. The 2025 syllabus update added depth to this domain, so do not rely on older study materials.
Do I need a cybersecurity certification to pass Domain 10?
No professional certification in cybersecurity is required. The CIA tests information security from an internal audit perspective (assessing controls, evaluating governance, and reporting findings), not implementing technical security solutions. Strong audit reasoning combined with solid conceptual knowledge of security frameworks and controls is what the exam rewards.
Can I take Part 3 before Parts 1 and 2?
Yes. The CIA parts can be taken in any order. Candidates with substantial IT audit experience sometimes choose to sit Part 3 first. However, many exam prep advisors suggest starting with Part 1 because the foundational concepts in Domains 1-4, particularly governance, risk, and control, provide important context for evaluating information security controls in Domain 10.
How much study time should I give Domain 10?
There is no universally correct answer, but given that Domain 10 is one of three domains sharing 100 questions over two hours, it warrants proportional study investment, with additional time if information security is outside your daily work. The eight-week schedule above allocates three weeks specifically to Domain 10 within a Part 3 preparation context, which is a reasonable baseline to adjust based on your diagnostic practice test results.
Where can I find practice questions for Domain 10?
Practice questions must reflect the 2025 syllabus update to be relevant, particularly the increased emphasis on information security governance and cloud environments. Use CIA Exam Prep practice tests to access updated, exam-aligned questions for Domain 10 and all other CIA domains. Timed practice under realistic conditions is the most effective way to build both content knowledge and exam-day pacing.