IT Governance, Frameworks & Regulatory Standards
NIST CSF & Privacy Framework, SP 800-39/800-53, HIPAA, GDPR, PCI DSS, CIS Controls, and COBIT 2019.
Information Systems & Controls. Four section notes, clarified and updated for the 2026 testing year. Pick a section to start reading. Each area now includes 30 original practice MCQs.
| AICPA Area | Weight | What it covers |
|---|---|---|
| I. Information Systems & Data Management | 35–45% | IT governance & frameworks, IT general controls, infrastructure & cloud, the data life cycle, databases, change management, availability. |
| II. Security, Confidentiality & Privacy | 35–45% | Threats & attacks, NIST CSF, encryption & hashing, access-control models, network security, privacy regulation, incident response. |
| III. Considerations for SOC Engagements | 15–25% | SOC 1/2/3 & SOC for Cybersecurity, Trust Services Criteria, Type 1 vs. Type 2, opinions, planning & performing. |
Weights are the AICPA's stated ranges; confirm against the current official blueprint before exam day.
NIST CSF & Privacy Framework, SP 800-39/800-53, HIPAA, GDPR, PCI DSS, CIS Controls, and COBIT 2019.
The OSI model, cloud computing, ERP/AIS, resiliency & disaster recovery, change management, and databases.
Risk exposure, attack types & stages, threat modeling, controls & access models, encryption & DLP, and incident response.
Trust Services Criteria, SOC 1/2/3 & SOC for Cybersecurity, Type 1 vs. Type 2, CUECs/CSOCs, opinions, and performing the engagement.
Community