CPAISC
ISC·discipline
Updated April 2026

CPA ISC Study Plan — Information Systems and Controls (Discipline)

CPA ISC (Information Systems and Controls) is the IT-focused Discipline section. Best for candidates pursuing IT audit, cybersecurity, or technology advisory. Upload your study materials and exclam.ai builds a fully guided plan.

Typical prep
~130h
Timeline
~10w
Areas
3
Type
discipline
Start free Back to CPA hub

Exam format

4 hours. 82 MCQs and 6 TBSs. Scored 60% MCQs / 40% TBSs. Passing score: 75.

ISC areas (AICPA Blueprint)

The 3 areas tested on ISC, with approximate weights from the 2026 AICPA Blueprint. Each area is broken into groups, topics, and representative tasks in the full Blueprint PDF.

1

Information Systems and Data Management

35–45%

IT infrastructure, business processes, data management, and emerging technologies in accounting systems.

Key topics
  • IT infrastructure (hardware, software, networks)
  • System development lifecycle (SDLC)
  • Business process understanding
  • Data lifecycle (collection, storage, processing, analysis)
  • Data governance and quality
  • Database concepts (relational, NoSQL)
  • Emerging technologies (AI, blockchain, RPA)
  • Cloud computing concepts
2

Security, Confidentiality, and Privacy

35–45%

Information security frameworks, access controls, encryption, incident response, and privacy regulations.

Key topics
  • Security frameworks (NIST, ISO 27001, COBIT)
  • Access controls (authentication, authorization)
  • Encryption concepts
  • Network security (firewalls, IDS/IPS)
  • Incident response and business continuity
  • Privacy regulations (GDPR, CCPA, HIPAA)
  • Risk assessment methodologies
  • Third-party risk management
3

Considerations for System and Organization Controls (SOC) Engagements

15–25%

SOC 1, SOC 2, and SOC 3 engagements: planning, performing, and reporting on controls at service organizations.

Key topics
  • SOC 1 (Type 1 and Type 2) engagements
  • SOC 2 Trust Services Criteria
  • SOC 3 reports
  • Complementary user entity controls
  • Subservice organizations
  • Risk assessment for service organizations
  • Testing controls at service organizations
  • SOC report drafting

Bloom's skill-level distribution

The AICPA Blueprint specifies what percentage of ISC tests each Bloom's skill level. Use this to calibrate how much pure memorization vs application vs analysis practice you need.

Skill levelWeight
Remembering and Understanding55–65%
Application20–30%
Analysis10–20%

How exclam.ai helps with ISC

Area-weighted flashcards

Upload your ISC review notes and exclam.ai generates flashcards weighted by area percentages. Heavy areas get more cards; light areas get proportionally fewer.

Skill-level-tuned quizzes

If ISC is Application and Analysis heavy, quizzes generate accordingly — not just pure recall drills.

Adaptive review across sections

exclam.ai remembers what you know from FAR when you start AUD. Concepts that overlap (ratios, internal control) don't restart from zero.

Popular ISC review courses

exclam.ai works alongside any of these review courses. Upload your session notes — we don't reproduce or redistribute commercial review content.

Becker
Upload your notes
Wiley/UWorld
Upload your notes
Gleim
Upload your notes
Surgent
Upload your notes

ISC study plans by duration

intensive
6-week plan
~25 hrs/wk
intensive
8-week plan
~19 hrs/wk
balanced
12-week plan
~13 hrs/wk
balanced
16-week plan
~9 hrs/wk
relaxed
20-week plan
~8 hrs/wk

Other Discipline sections

BAR
Business Analysis and Reporting
3 areas · ~150h
TCP
Tax Compliance and Planning
3 areas · ~130h

ISC questions

How technical is ISC?

Moderately technical but not deeply so. You need to understand IT infrastructure concepts, security frameworks (NIST, ISO, COBIT), and SOC engagements at a practical level. No programming or deep network security required. Most CPAs without IT backgrounds pass with focused prep.

Who should pick ISC over BAR or TCP?

Candidates targeting IT audit, SOC practice, cybersecurity consulting, or tech advisory roles. Big 4 IT audit practices often prefer ISC candidates. If you have any IT background, ISC is typically the easiest Discipline to pass.

Does ISC include privacy regulations like GDPR?

Yes. Privacy regulations (GDPR, CCPA, HIPAA) are part of the Security, Confidentiality, and Privacy area. Focus on high-level requirements and CPA responsibilities — not deep legal analysis.

Start your ISC plan today

Upload your review course notes and exclam.ai builds a fully guided plan aligned to the AICPA Blueprint.

See pricing