HomeContent Library › ISC

ISC Study Hub

Information Systems & Controls. Four section notes, clarified and updated for the 2026 testing year. Pick a section to start reading. Each area now includes 30 original practice MCQs.

Mnemonics you’ll build hereGIPDRRSTRIDESPICIA+ more in every Area

Exam map & what changed

4 hrs
exam length
82
MCQs · 60% of score
6
task-based sims · 40%
60/40
the only CPA section
AICPA AreaWeightWhat it covers
I. Information Systems & Data Management35–45%IT governance & frameworks, IT general controls, infrastructure & cloud, the data life cycle, databases, change management, availability.
II. Security, Confidentiality & Privacy35–45%Threats & attacks, NIST CSF, encryption & hashing, access-control models, network security, privacy regulation, incident response.
III. Considerations for SOC Engagements15–25%SOC 1/2/3 & SOC for Cybersecurity, Trust Services Criteria, Type 1 vs. Type 2, opinions, planning & performing.
2026 update EU–US transfers now run on the EU–US Data Privacy Framework (DPF, 2023). "Safe Harbor"/"Privacy Shield" are obsolete. NIST CSF 2.0 has six Functions; the Privacy Framework has five. HIPAA key-term definitions are now testable.

Weights are the AICPA's stated ranges; confirm against the current official blueprint before exam day.

Section 1 FREE

IT Governance, Frameworks & Regulatory Standards

NIST CSF & Privacy Framework, SP 800-39/800-53, HIPAA, GDPR, PCI DSS, CIS Controls, and COBIT 2019.

AICPA Blueprint: Areas I & II (Governance; Security & Privacy)
Section 2 🔒 $19/mo

IT Infrastructure, Systems & Data Management

The OSI model, cloud computing, ERP/AIS, resiliency & disaster recovery, change management, and databases.

AICPA Blueprint: Primarily Area I; overlaps Area II
Section 3 🔒 $19/mo

Security, Confidentiality & Privacy

Risk exposure, attack types & stages, threat modeling, controls & access models, encryption & DLP, and incident response.

AICPA Blueprint: Area II (Security, Confidentiality & Privacy)
Section 4 🔒 $19/mo

SOC Engagements

Trust Services Criteria, SOC 1/2/3 & SOC for Cybersecurity, Type 1 vs. Type 2, CUECs/CSOCs, opinions, and performing the engagement.

AICPA Blueprint: Area III (SOC Engagements)

Community

Join the DiscordHow the community works