ISC CPA Exam 2026: Syllabus, Format & Study Plan

by Eduyush CPA Team
CPA Discipline Guide · ISC

ISC CPA Exam 2026: Syllabus, Format and How Indian Candidates Pass It

ISC is the CPA Discipline section for IT audit, information security and SOC engagements. It is the most framework-heavy section on the exam and the only one scored 60% MCQ, 40% TBS. For candidates with a CISA background or IT-audit exposure it is the most natural Discipline of the three. This guide maps the 2026 Blueprint and gives you a structure to pass it.

Updated July 2026 · Eduyush CPA Team · 12 min read

📅
2026 Blueprint
Effective 1 January 2026
4 hours
82 MCQs · 6 TBSs
📊
66.79%
Q1 2026 pass rate
Quick answer

ISC (Information Systems and Controls) is one of three CPA Discipline sections, alongside BAR and TCP. It tests IT audit and advisory work: information systems and data management, security, confidentiality and privacy, and System and Organization Controls (SOC) engagements. The 2026 exam has 82 multiple-choice questions and 6 task-based simulations across three Blueprint areas. Unlike every other CPA section, ISC is scored 60% MCQ and 40% TBS, not 50/50. It is the most framework-and-memorisation-heavy section (Remembering & Understanding is 55–65% of the skill mix), and posted a 66.79% pass rate in Q1 2026 — the second-highest of the six sections.

ISC at a glance Detail
Duration 4 hours
MCQs 82 — the most of any section
TBSs 6 — the fewest of any section
Scoring weight 60% MCQ / 40% TBS — the only section not 50/50
Pass rate (Q1 2026) 66.79% — second-highest of six sections
Core / Discipline Discipline (one of three choices)
Closest adjacent credential CISA; overlaps AUD's IT-controls content
Main focus IT audit, information security, SOC engagements
Key takeaways
  • ISC is one of three Disciplines you choose alongside your three Core sections — see the six CPA sections and how to choose between BAR, ISC and TCP if you haven't decided.
  • Three Blueprint areas: Information Systems and Data Management, Security, Confidentiality and Privacy, and Considerations for SOC Engagements.
  • ISC is the exam's outlier on two counts: it is scored 60/40 (MCQs matter more here than anywhere else) and its skill mix is 55–65% Remembering and Understanding — it rewards knowing frameworks cold.
  • It overlaps heavily with AUD's IT-controls content and with the CISA credential, which makes it the natural Discipline for systems-and-controls candidates.
  • ISC is unaffected by the July 2026 OBBBA tax update — that change touches only REG and TCP.

What is the CPA ISC exam?

ISC is the CPA Discipline section that tests IT audit and advisory work: information systems, data management, security, confidentiality and privacy, and System and Organization Controls (SOC) engagements. Candidates choose one Discipline — ISC, BAR or TCP — in addition to the three Core sections (AUD, FAR, REG) that everyone must pass. ISC is the natural choice for candidates oriented toward information systems, cybersecurity and controls rather than tax or financial analysis.

The 2026 Blueprint frames ISC around the work an entry-level CPA does when assessing an entity's systems and controls. On SOC engagements specifically, it focuses on the Description Criteria and Trust Services Criteria used in planning, performing and reporting a SOC 2 engagement, and on planning, certain procedures and reporting for a SOC 1 engagement — explicitly excluding the testing of internal controls over financial reporting, which sits in AUD. The section assumes fluency with frameworks: COBIT 2019, the NIST Cybersecurity and Privacy Frameworks, NIST SP 800-53, the CIS Controls, HIPAA, GDPR and PCI DSS.

Note for Indian candidates

ISC is the section where an information-systems background pays off most. If you hold or are studying CISA, or you work in IT audit, SOC reporting or information security, much of Area I and Area II will be familiar — the frameworks are the same ones used globally. What is new is the CPA-specific SOC engagement content and the sheer breadth of named frameworks you must recall. If you have not yet mapped your route from ICAI into the CPA, read CPA after CA first.

What is tested on ISC? The three Blueprint areas and weights

ISC is tested across three content areas. The first two carry equal, dominant weight (35–45% each); SOC engagements are lighter at 15–25%. These are the official AICPA allocations effective 1 January 2026.

Blueprint area Weight What it covers
I — Information Systems and Data Management 35–45% IT architecture and cloud models, enterprise and accounting information systems, processing integrity, system availability, IT change management, data extraction and SQL, business process models
II — Security, Confidentiality and Privacy 35–45% Security regulations and frameworks, threats and attacks, preventive/detective/corrective controls, encryption, confidentiality vs privacy, data loss prevention, incident response
III — Considerations for SOC Engagements 15–25% SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports, Trust Services Criteria, management assertions, complementary user-entity and subservice-organisation controls
🎯 Exam pattern

Areas I and II together are 70–90% of ISC. Weight your study there first, then SOC engagements. The skill mix is the real tell: Remembering and Understanding is 55–65% of the exam, Application 20–30%, Analysis only 10–20%, and there is no Evaluation content. ISC rewards recall of frameworks and definitions more than any other CPA section — it is closer to a knowledge exam than a judgment exam.

What topics are in ISC?

ISC's substance is the frameworks, controls and engagement procedures an IT auditor applies. The three cards below map what each area asks you to know and do.

I — Information Systems & Data Management
IT architecture (operating systems, servers, networks, end-user devices), cloud models (IaaS, PaaS, SaaS; public/private/hybrid), ERP and accounting information systems, COSO applied to cloud and blockchain, change management, system availability and business continuity, the data life cycle, SQL queries and data integration, and business process reconciliation.
II — Security, Confidentiality & Privacy
Regulations and frameworks (COBIT 2019, NIST CSF, NIST SP 800-53, CIS Controls, HIPAA, GDPR, PCI DSS), threat and attack types, least-privilege, zero-trust and defence-in-depth, identification and authentication, authorisation models, encryption, data loss prevention, confidentiality vs privacy, and incident response plans.
III — SOC Engagements
Form, content and management assertions in SOC 1, SOC 2 and SOC 3 reports; the purpose and intended users of each plus SOC for Cybersecurity; the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); Type 1 vs Type 2 engagements; and complementary user-entity and subservice-organisation controls.

The accounting-information-systems layer of Area I is covered in depth in our complete guide to accounting information systems — read it alongside this section guide for the AIS detail.

Common mistake

Candidates confuse the SOC report types under exam pressure. A SOC 1 report addresses controls relevant to a user entity's financial reporting; a SOC 2 report addresses the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); a SOC 3 is a general-use summary of a SOC 2. Fix which report answers which user's need before you read the options — the examiner tests exactly this distinction, and it is easy marks once locked.

How many MCQs are on ISC? The exam format

ISC contains 82 multiple-choice questions and 6 task-based simulations, delivered across five testlets in a four-hour sitting. ISC is the one CPA section where MCQs and TBSs are not weighted equally: MCQs are 60% of your score and TBSs 40%.

Component Count Detail
Multiple-choice questions 82 Two MCQ testlets of 41 each
Task-based simulations 6 Three TBS testlets: 1 + 3 + 2
Scoring weight 60 / 40 MCQs 60%, TBSs 40% — unique to ISC
Total time 4 hours Passing score 75 on a scaled basis
💡 Study tip

Because MCQs carry 60% of the ISC score — more than on any other section — the return on drilling the question bank is higher here than anywhere else. Since CPA Evolution (January 2024) the exam uses a linear design: every MCQ testlet is weighted equally, so difficulty does not ramp based on your first testlet, and there is no adaptive penalty for a strong start. Pace at roughly 1.3 minutes per MCQ and protect time for the six simulations, which still carry 40% between them.

Is ISC the easiest CPA section?

No — but it is one of the more passable ones. ISC posted a 66.79% pass rate in Q1 2026, the second-highest of the six sections behind TCP (79.28%) and just ahead of REG (66.65%), well above AUD (47.80%), FAR (43.46%) and BAR (41.30%). Its 2025 cumulative rate was around 68%, so the strong showing is consistent rather than a one-quarter spike.

The favourable pass rate reflects two things: a self-selecting candidate pool (people who choose ISC usually have systems or controls experience) and a skill mix weighted toward recall, which is more trainable than the judgment FAR and BAR demand. That does not make it light — the breadth of named frameworks is large, and getting the SOC engagement details exact takes deliberate practice. See the full pass rate picture across all six sections before choosing a Discipline on pass rate alone.

ISC rewards candidates who memorise frameworks precisely and drill MCQs relentlessly. It punishes those who treat named standards as interchangeable — the examiner tests whether you know which framework does what.

How hard is ISC for Indian CAs?

For Indian CAs and CISA holders, ISC is among the more approachable Disciplines — provided you have real IT-audit or information-security exposure. The frameworks tested (COBIT, NIST, ISO-adjacent controls, GDPR, PCI DSS) are used globally, so a candidate from an IT-audit or SOC-reporting background starts with much of Area I and Area II already familiar.

The friction is different from the tax sections. ISC does not demand new jurisdiction-specific rules the way REG does; it demands breadth of framework recall and precision on the CPA-specific SOC engagement content. A CA with no systems background will find ISC harder than a tax-oriented Discipline, because the vocabulary — encryption techniques, authorisation models, Trust Services Criteria — is entirely new. Match the Discipline to your background, not to the pass rate.

🤖 Why adaptive learning fits ISC

ISC is a breadth exam: dozens of named frameworks, control types and SOC distinctions, most of which reward recognition over reasoning. That is exactly what adaptive question practice is built for. The Eduyush CPA course is built on Surgent's adaptive A.S.A.P. platform, which finds the frameworks you keep confusing — say, SOC 1 vs SOC 2, or discretionary vs role-based access — and concentrates drilling there rather than re-testing what you already know. Eduyush delivers it with India-specific pricing (₹32,000, roughly $330 at ₹97/USD) and a question bank of 9,000+ MCQs and 500+ simulations. Given ISC's 60% MCQ weighting, that volume of targeted question practice matters more here than on any other section. Read more on how Eduyush delivers Surgent in India.

How long does ISC take to study?

Plan ISC study time by your systems background, not just your accounting background. A candidate with IT-audit or CISA experience needs far fewer hours than one meeting these frameworks for the first time.

Background Estimated ISC study hours
CISA / IT-audit experience 60–90
CA (ICAI), no IT-audit exposure 90–130
B.Com 120–160
Non-accounting 140–190

Estimates, not guarantees — your hours depend on prior systems and security exposure and weekly consistency.

ISC topics candidates struggle with most

A handful of topics account for most of the difficulty candidates report on ISC — concentrated in the SOC engagement content and the precise boundaries between similar frameworks.

🎯 Highest-friction ISC topics
  • SOC report types — SOC 1 vs SOC 2 vs SOC 3 vs SOC for Cybersecurity, and their intended users.
  • Trust Services Criteria — the five categories (security, availability, processing integrity, confidentiality, privacy) and which apply to a given SOC 2.
  • Type 1 vs Type 2 engagements — design at a point in time versus operating effectiveness over a period.
  • Complementary controls — user-entity controls versus subservice-organisation controls.
  • Authorisation models — discretionary, role-based and mandatory access control, and when each applies.
  • Framework boundaries — knowing which of COBIT, NIST CSF, NIST SP 800-53, CIS Controls, HIPAA, GDPR or PCI DSS governs a given scenario.
  • Confidentiality vs privacy — a distinction the exam tests directly, not interchangeably.

What changed on the 2026 ISC Blueprint?

The 2026 ISC Blueprint changes are refinements, not a restructuring — the format, timing and scoring are unchanged. The updates fall in Area I's change-management content: added detail on the documentation types used in change management (system component inventory, baseline configuration, change requests, ticketing, rollback procedures), added patch-management examples, and a revised representative task focused on testing code changes and deployment across IT resources. If you are studying from 2025 materials, confirm your provider has folded these clarifications in.

Where ISC sits among the six CPA sections

ISC is one of three Disciplines; you also pass the three Core sections. Use the links below to move across the full cluster.

Core sections (all required)
  • FAR — financial accounting and reporting, the toughest Core section by pass rate.
  • AUD — auditing and attestation; its IT-controls content overlaps directly with ISC.
  • REG — US taxation, business law and ethics.
Disciplines (choose one)
  • ISC — this section: IT audit, security and SOC engagements.
  • BAR — business analysis and reporting, for finance-analytical candidates.
  • TCP — tax compliance and planning; highest pass rate of any section.

Frequently asked questions about the ISC CPA exam

What is the CPA ISC exam?
ISC (Information Systems and Controls) is one of three CPA Discipline sections. It tests IT audit and advisory work: information systems and data management, security, confidentiality and privacy, and System and Organization Controls (SOC) engagements, under frameworks such as COBIT, NIST, HIPAA, GDPR and the Trust Services Criteria.
How many MCQs are on ISC?
ISC has 82 multiple-choice questions and 6 task-based simulations — the most MCQs and fewest TBSs of any section. The MCQs are split into two testlets of 41, and the simulations into testlets of 1, 3 and 2. ISC is scored 60% MCQ and 40% TBS.
Why is ISC scored 60/40 instead of 50/50?
ISC is the only CPA section weighted 60% MCQ, 40% TBS; every other section is 50/50. The AICPA weights ISC this way because its content is more recall-based — the skill mix is 55–65% Remembering and Understanding — so the multiple-choice format carries more of the assessment.
Is ISC the easiest CPA section?
No, but it is one of the more passable. ISC posted 66.79% in Q1 2026, second only to TCP and just ahead of REG. Its favourable rate reflects a self-selecting, systems-experienced candidate pool and a recall-weighted skill mix, not light content — the breadth of frameworks is large.
Should I choose ISC, BAR or TCP?
Choose by background and career direction, not pass rate. ISC suits candidates with IT-audit, cybersecurity or CISA experience; BAR suits those oriented toward financial analysis and technical accounting; TCP suits tax-focused candidates or strong REG performers. See the full comparison in choosing your CPA discipline.
How does ISC relate to AUD?
AUD's IT general controls and internal-control content overlaps directly with ISC's Area I and Area II, so the two reinforce each other. AUD covers controls in the context of a financial statement audit; ISC goes deeper into the systems, security and SOC engagement side. Taking AUD first gives useful grounding for ISC.
How hard is ISC for Indian CAs?
It depends on IT-audit exposure. For a CISA holder or an IT-audit professional, ISC is among the more approachable Disciplines because the frameworks are globally used. For a CA with no systems background, the vocabulary is entirely new and ISC is harder than a tax-oriented Discipline.
Does ISC test the One Big Beautiful Bill Act (OBBBA)?
No. The July 2026 OBBBA update is a tax-law change and affects only REG and TCP. ISC, along with FAR, AUD and BAR, is unaffected.
How much does it cost to sit ISC?
ISC carries the same per-section Discipline exam fee as BAR and TCP, plus application and, for Indian candidates, international testing surcharges. Fees are set by NASBA and your state board and can change, so confirm the current breakdown in our guide to CPA exam cost from India before you book.
Is ISC mostly theory?
Largely, yes. ISC is the most recall-weighted section — 55–65% Remembering and Understanding, 20–30% Application, 10–20% Analysis, and no Evaluation content. There is applied procedure work, but the core of the exam is knowing frameworks, controls and SOC report distinctions precisely.
Ready to start your CPA?

Talk to someone who passed the same exam. Eduyush delivers the Surgent-powered CPA course with India pricing and local support.

Talk to an advisor →

Leave a comment

Please note, comments must be approved before they are published

This site is protected by hCaptcha and the hCaptcha Privacy Policy and Terms of Service apply.


Featured product

Featured product

Popular posts

How to Become a CPA in India: 8-Step Guide
CPA Updated Jun 12, 2026 ·
How to Become a CPA in India: 8-Step Guide
A step-by-step guide to becoming a CPA from India. Learn eligibility, credits, NIES evaluation, exams, costs and licensing.
Read article →

Featured product

FAQs