Certified Information Systems Auditor

A globally recognized certification in the field of audit, control and security of information systems

What Makes The CISA Exam And The Attendant Certification Process Difficult?

As one of the toughest exams in the IT Security domain, the CISA exam is notorious for being difficult to pass and for having a low pass-rate. Although ISACA, the body administering the exam, has stopped publishing information about pass-rates in recent years, discussions with, and input from, both successful and unsuccessful CISA candidates suggest the pass-rate hovers around the 40-50% mark.
But the question remains: Why does the CISA seem like such a tough nut to crack? Here are a few reasons why:
  1. The CISA is a paper-based test. Unlike most vendor professional certification exams, CISA’s conventional nature means candidates with little to no experience taking paper-based exams are caught out.
  2. There are no official educational requirements to be able to take the CISA exam, meaning casual candidates from a wide variety of backgrounds register for the exam, creating artificial competition.
  3. The questions on the CISA exam are often ambiguous and subjective, and many candidates complain that sample questions offered by ISACA are often vague and less relevant to the actual written exam.
  4. Emphasis on rote learning and memory. A common complaint is that questions on the CISA exam involve recollection of nomenclature and terminology from the IT Security syllabus.