ISC CPA Exam 2026: Syllabus, Format & Study Plan
ISC CPA Exam 2026: Syllabus, Format and How Indian Candidates Pass It
ISC is the CPA Discipline section for IT audit, information security and SOC engagements. It is the most framework-heavy section on the exam and the only one scored 60% MCQ, 40% TBS. For candidates with a CISA background or IT-audit exposure it is the most natural Discipline of the three. This guide maps the 2026 Blueprint and gives you a structure to pass it.
Updated July 2026 · Eduyush CPA Team · 12 min read
ISC (Information Systems and Controls) is one of three CPA Discipline sections, alongside BAR and TCP. It tests IT audit and advisory work: information systems and data management, security, confidentiality and privacy, and System and Organization Controls (SOC) engagements. The 2026 exam has 82 multiple-choice questions and 6 task-based simulations across three Blueprint areas. Unlike every other CPA section, ISC is scored 60% MCQ and 40% TBS, not 50/50. It is the most framework-and-memorisation-heavy section (Remembering & Understanding is 55–65% of the skill mix), and posted a 66.79% pass rate in Q1 2026 — the second-highest of the six sections.
| ISC at a glance | Detail |
|---|---|
| Duration | 4 hours |
| MCQs | 82 — the most of any section |
| TBSs | 6 — the fewest of any section |
| Scoring weight | 60% MCQ / 40% TBS — the only section not 50/50 |
| Pass rate (Q1 2026) | 66.79% — second-highest of six sections |
| Core / Discipline | Discipline (one of three choices) |
| Closest adjacent credential | CISA; overlaps AUD's IT-controls content |
| Main focus | IT audit, information security, SOC engagements |
- ISC is one of three Disciplines you choose alongside your three Core sections — see the six CPA sections and how to choose between BAR, ISC and TCP if you haven't decided.
- Three Blueprint areas: Information Systems and Data Management, Security, Confidentiality and Privacy, and Considerations for SOC Engagements.
- ISC is the exam's outlier on two counts: it is scored 60/40 (MCQs matter more here than anywhere else) and its skill mix is 55–65% Remembering and Understanding — it rewards knowing frameworks cold.
- It overlaps heavily with AUD's IT-controls content and with the CISA credential, which makes it the natural Discipline for systems-and-controls candidates.
- ISC is unaffected by the July 2026 OBBBA tax update — that change touches only REG and TCP.
What is the CPA ISC exam?
ISC is the CPA Discipline section that tests IT audit and advisory work: information systems, data management, security, confidentiality and privacy, and System and Organization Controls (SOC) engagements. Candidates choose one Discipline — ISC, BAR or TCP — in addition to the three Core sections (AUD, FAR, REG) that everyone must pass. ISC is the natural choice for candidates oriented toward information systems, cybersecurity and controls rather than tax or financial analysis.
The 2026 Blueprint frames ISC around the work an entry-level CPA does when assessing an entity's systems and controls. On SOC engagements specifically, it focuses on the Description Criteria and Trust Services Criteria used in planning, performing and reporting a SOC 2 engagement, and on planning, certain procedures and reporting for a SOC 1 engagement — explicitly excluding the testing of internal controls over financial reporting, which sits in AUD. The section assumes fluency with frameworks: COBIT 2019, the NIST Cybersecurity and Privacy Frameworks, NIST SP 800-53, the CIS Controls, HIPAA, GDPR and PCI DSS.
ISC is the section where an information-systems background pays off most. If you hold or are studying CISA, or you work in IT audit, SOC reporting or information security, much of Area I and Area II will be familiar — the frameworks are the same ones used globally. What is new is the CPA-specific SOC engagement content and the sheer breadth of named frameworks you must recall. If you have not yet mapped your route from ICAI into the CPA, read CPA after CA first.
What is tested on ISC? The three Blueprint areas and weights
ISC is tested across three content areas. The first two carry equal, dominant weight (35–45% each); SOC engagements are lighter at 15–25%. These are the official AICPA allocations effective 1 January 2026.
| Blueprint area | Weight | What it covers |
|---|---|---|
| I — Information Systems and Data Management | 35–45% | IT architecture and cloud models, enterprise and accounting information systems, processing integrity, system availability, IT change management, data extraction and SQL, business process models |
| II — Security, Confidentiality and Privacy | 35–45% | Security regulations and frameworks, threats and attacks, preventive/detective/corrective controls, encryption, confidentiality vs privacy, data loss prevention, incident response |
| III — Considerations for SOC Engagements | 15–25% | SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports, Trust Services Criteria, management assertions, complementary user-entity and subservice-organisation controls |
Areas I and II together are 70–90% of ISC. Weight your study there first, then SOC engagements. The skill mix is the real tell: Remembering and Understanding is 55–65% of the exam, Application 20–30%, Analysis only 10–20%, and there is no Evaluation content. ISC rewards recall of frameworks and definitions more than any other CPA section — it is closer to a knowledge exam than a judgment exam.
What topics are in ISC?
ISC's substance is the frameworks, controls and engagement procedures an IT auditor applies. The three cards below map what each area asks you to know and do.
The accounting-information-systems layer of Area I is covered in depth in our complete guide to accounting information systems — read it alongside this section guide for the AIS detail.
Candidates confuse the SOC report types under exam pressure. A SOC 1 report addresses controls relevant to a user entity's financial reporting; a SOC 2 report addresses the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); a SOC 3 is a general-use summary of a SOC 2. Fix which report answers which user's need before you read the options — the examiner tests exactly this distinction, and it is easy marks once locked.
How many MCQs are on ISC? The exam format
ISC contains 82 multiple-choice questions and 6 task-based simulations, delivered across five testlets in a four-hour sitting. ISC is the one CPA section where MCQs and TBSs are not weighted equally: MCQs are 60% of your score and TBSs 40%.
| Component | Count | Detail |
|---|---|---|
| Multiple-choice questions | 82 | Two MCQ testlets of 41 each |
| Task-based simulations | 6 | Three TBS testlets: 1 + 3 + 2 |
| Scoring weight | 60 / 40 | MCQs 60%, TBSs 40% — unique to ISC |
| Total time | 4 hours | Passing score 75 on a scaled basis |
Because MCQs carry 60% of the ISC score — more than on any other section — the return on drilling the question bank is higher here than anywhere else. Since CPA Evolution (January 2024) the exam uses a linear design: every MCQ testlet is weighted equally, so difficulty does not ramp based on your first testlet, and there is no adaptive penalty for a strong start. Pace at roughly 1.3 minutes per MCQ and protect time for the six simulations, which still carry 40% between them.
Is ISC the easiest CPA section?
No — but it is one of the more passable ones. ISC posted a 66.79% pass rate in Q1 2026, the second-highest of the six sections behind TCP (79.28%) and just ahead of REG (66.65%), well above AUD (47.80%), FAR (43.46%) and BAR (41.30%). Its 2025 cumulative rate was around 68%, so the strong showing is consistent rather than a one-quarter spike.
The favourable pass rate reflects two things: a self-selecting candidate pool (people who choose ISC usually have systems or controls experience) and a skill mix weighted toward recall, which is more trainable than the judgment FAR and BAR demand. That does not make it light — the breadth of named frameworks is large, and getting the SOC engagement details exact takes deliberate practice. See the full pass rate picture across all six sections before choosing a Discipline on pass rate alone.
ISC rewards candidates who memorise frameworks precisely and drill MCQs relentlessly. It punishes those who treat named standards as interchangeable — the examiner tests whether you know which framework does what.
How hard is ISC for Indian CAs?
For Indian CAs and CISA holders, ISC is among the more approachable Disciplines — provided you have real IT-audit or information-security exposure. The frameworks tested (COBIT, NIST, ISO-adjacent controls, GDPR, PCI DSS) are used globally, so a candidate from an IT-audit or SOC-reporting background starts with much of Area I and Area II already familiar.
The friction is different from the tax sections. ISC does not demand new jurisdiction-specific rules the way REG does; it demands breadth of framework recall and precision on the CPA-specific SOC engagement content. A CA with no systems background will find ISC harder than a tax-oriented Discipline, because the vocabulary — encryption techniques, authorisation models, Trust Services Criteria — is entirely new. Match the Discipline to your background, not to the pass rate.
ISC is a breadth exam: dozens of named frameworks, control types and SOC distinctions, most of which reward recognition over reasoning. That is exactly what adaptive question practice is built for. The Eduyush CPA course is built on Surgent's adaptive A.S.A.P. platform, which finds the frameworks you keep confusing — say, SOC 1 vs SOC 2, or discretionary vs role-based access — and concentrates drilling there rather than re-testing what you already know. Eduyush delivers it with India-specific pricing (₹32,000, roughly $330 at ₹97/USD) and a question bank of 9,000+ MCQs and 500+ simulations. Given ISC's 60% MCQ weighting, that volume of targeted question practice matters more here than on any other section. Read more on how Eduyush delivers Surgent in India.
How long does ISC take to study?
Plan ISC study time by your systems background, not just your accounting background. A candidate with IT-audit or CISA experience needs far fewer hours than one meeting these frameworks for the first time.
| Background | Estimated ISC study hours |
|---|---|
| CISA / IT-audit experience | 60–90 |
| CA (ICAI), no IT-audit exposure | 90–130 |
| B.Com | 120–160 |
| Non-accounting | 140–190 |
Estimates, not guarantees — your hours depend on prior systems and security exposure and weekly consistency.
ISC topics candidates struggle with most
A handful of topics account for most of the difficulty candidates report on ISC — concentrated in the SOC engagement content and the precise boundaries between similar frameworks.
- SOC report types — SOC 1 vs SOC 2 vs SOC 3 vs SOC for Cybersecurity, and their intended users.
- Trust Services Criteria — the five categories (security, availability, processing integrity, confidentiality, privacy) and which apply to a given SOC 2.
- Type 1 vs Type 2 engagements — design at a point in time versus operating effectiveness over a period.
- Complementary controls — user-entity controls versus subservice-organisation controls.
- Authorisation models — discretionary, role-based and mandatory access control, and when each applies.
- Framework boundaries — knowing which of COBIT, NIST CSF, NIST SP 800-53, CIS Controls, HIPAA, GDPR or PCI DSS governs a given scenario.
- Confidentiality vs privacy — a distinction the exam tests directly, not interchangeably.
What changed on the 2026 ISC Blueprint?
The 2026 ISC Blueprint changes are refinements, not a restructuring — the format, timing and scoring are unchanged. The updates fall in Area I's change-management content: added detail on the documentation types used in change management (system component inventory, baseline configuration, change requests, ticketing, rollback procedures), added patch-management examples, and a revised representative task focused on testing code changes and deployment across IT resources. If you are studying from 2025 materials, confirm your provider has folded these clarifications in.
Where ISC sits among the six CPA sections
ISC is one of three Disciplines; you also pass the three Core sections. Use the links below to move across the full cluster.
Frequently asked questions about the ISC CPA exam
Talk to someone who passed the same exam. Eduyush delivers the Surgent-powered CPA course with India pricing and local support.
Talk to an advisor →FAQs
ACCA blogs
Follow these links to help you prepare for the ACCA exams
IFRS blogs
Follow these blogs to stay updated on IFRS
Formats
Use these formats for day to day operations
- Account closure format
- Insurance claim letter format
- Transfer certification application format
- Resignation acceptance letter format
- School leaving certificate format
- Letter of experience insurance
- Insurance cancellation letter format
- format for Thank you email after an interview
- application for teaching job
- ACCA PER examples
- Leave application for office
- Marketing manager cover letter
- Nursing job cover letter
- Leave letter to class teacher
- leave letter in hindi for fever
- Leave letter for stomach pain
- Leave application in hindi
- Relieving letter format
Interview questions
Link for blogs for various interview questions with answers
- Strategic interview questions
- Accounts payable interview questions
- IFRS interview questions
- CA Articleship interview questions
- AML and KYC interview questions
- Accounts receivable interview questions
- GST interview questions
- ESG Interview questions
- IFRS 17 interview questions
- Concentric Advisors interview questions
- Questions to ask at the end of an interview
- Business Analyst interview questions
- Interview outfits for women
- Why should we hire you question
leave application format
- Leave application for office
- Leave application for school
- Leave application for sick leave
- Leave application for marriage
- leave application for personal reasons
- Maternity leave application
- Leave application for sister marriage
- Casual leave application
- Leave application for 2 days
- Leave application for urgent work
- Application for sick leave to school
- One day leave application
- Half day leave application
- Leave application for fever
- Privilege leave
- Leave letter to school due to stomach pain
- How to write leave letter
Insurance blogs
- Sample letter of appeal for reconsideration of insurance claims
- How to increase insurance agent productivity
- UAE unemployment insurance
- Insurance cancellation letter
- Insurance claim letter format
- Insured closing letter formats
- ACORD cancellation form
- Provision for insurance claim
- Cricket insurance claim
- Insurance to protect lawsuits for business owners
- Certificate holder insurance
- does homeowners insurance cover mold
- sample letter asking for homeowner right to repair for insurance
- Does homeowners insurance cover roof leaks
Leave a comment