Free Practice Questions for Isaca CGEIT Exam

The alignment of user access rights with business requirements is most effectively achieved throughsystem design. During the design phase, systems are architected to incorporate role-based access controls, least privilege principles, and segregation of duties based on business needs. While data classification and architecture support information management, and maturity models help assess governance capability,system design operationalizes access controls directly in alignment with enterprise roles and responsibilities.

This is supported byCOBIT principlesthat emphasize embedding governance requirements into system design and implementation to ensure alignment, value delivery, and risk mitigation.

Information security must approve the criteria for technology-enabled services to ensure that all security-related considerations, including compliance, risk mitigation, and data protection, are addressed. This step aligns the service design with the enterprise's security policies and regulatory requirements before it progresses to stakeholders. Other functions such as QA and PMO contribute to execution and oversight, but the responsibility for security approvals rests with information security. References: COBIT 2019, ISACA Security Guidance.

The board’s concern about the total cost of IT requires a clear explanation of how IT spending is structured. The CGEIT Review Manual 8th Edition notes that providing a breakdown of operational versus capital expenditures is critical to helping stakeholders understand IT costs and their alignment with business value.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization):"When addressing concerns about IT costs, the CIO should provide a clear breakdown of operational expenditures (e.g., maintenance, salaries) versus capital expenditures (e.g., new systems, infrastructure). This transparency helps the board understand cost drivers and their contribution to business value." (Approximate reference: Domain 5, Section on Cost Management)

A breakdown of operational versus capital expenditures (option D) directly addresses the board’s concern by showing how IT funds are allocated, distinguishing between ongoing costs and investments in new capabilities.

Why not the other options?

A. A summary of benefits that will be achieved once key IT initiatives are completed: While benefits are important, they do not directly address the total cost concern, which requires cost transparency first.

B. A mapping of IT employee roles to the balanced scorecard: This is a performance management tool, not directly relevant to explaining total IT costs.

C. A benchmark of IT employee salary costs against comparable organizations: Benchmarking salaries is a narrow focus and does not provide a comprehensive view of total IT costs.

Critical success factors (CSFs)are the specific conditions or variables that are essential for achieving business objectives. Effective KPIs must align with these CSFs to ensure they measure what truly matters to project and business success.

KRIs relate to risk, and while important, they serve a different purpose. Future-state architecture and portfolio principles guide strategy, butCSFs provide the foundational context for performance measurement.

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, emphasizes the importance of aligning IT risk management with the enterprise’s overall risk management strategy. Key risk indicators (KRIs) are metrics used to monitor potential risks and provide early warnings. To establish effective KRIs, the enterprise must first understand its risk tolerance and priorities.

Option A: The enterprise risk appetite should be identified first. Risk appetite defines the level of risk the enterprise is willing to accept in pursuit of its objectives, guiding the selection of KRIs. For example, if the enterprise has a low risk appetite for data breaches, KRIs might focus on metrics like unauthorized access attempts. Identifying risk appetite ensures KRIs are relevant and aligned with strategic goals. The manual likely references COBIT 2019’s APO12-Managed Risk, which highlights risk appetite as a foundational element of risk management.

Option B: Key performance metrics relate to performance, not risk, and are not directly relevant to KRIs.

Option C: Risk mitigation strategies are developed after identifying risks and KRIs, not before.

Option D: Enterprise architecture (EA) components may inform risk identification but are secondary to defining risk appetite.

Double Verification: The answer aligns with COBIT’s APO12 and the CGEIT domain’s focus on risk management foundations. Risk appetite is a prerequisite for KRI development in ISACA’s frameworks.

ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on risk management and KRIs).

COBIT 2019, APO12-Managed Risk.

ISACA Glossary (for definitions of risk appetite and KRIs), available at https://www.isaca.org/resources/glossary.

An IT skills inventory is a list of the skills, competencies, and qualifications of the IT staff in an organization. It can help to identify the current and potential capabilities of the IT workforce, as well as the gaps and needs for improvement. An IT skills inventory would be most helpful to review when determining how to allocate IT resources during a resource shortage, because it canhelp to match the right people with the right tasks, optimize the utilization and productivity of the existing IT staff, and prioritize the critical and urgent IT activities. The other options are not as helpful as an IT skills inventory for allocating IT resources during a resource shortage. An IT strategic plan is a document that defines the vision, mission, goals, and objectives of the IT function and how they align with the business strategy. It can help to guide the direction and scope of the IT activities and investments, but it does not provide detailed information on the availability and suitability of the IT resources. An IT organizational structure is a diagram that shows the hierarchy, roles, and responsibilities of the IT staff in an organization. It can help to clarify the reporting lines and communication channels of the IT function, but it does not reflect the skills and competencies of the IT staff. An IT skill development plan is a document that outlines the learning and training opportunities for the IT staff to enhance their skills and competencies. It can help to improve the performance and career progression of the IT staff, but it does not address the immediate needs and challenges of allocating IT resources during a resource shortage. References := What is an IT Skills Inventory?, How to Conduct an Effective Skills Gap Analysis, Resource allocation 101: How to manage your team’s resources | Planio

 The frequency of IT services risk profile updates is a metric that measures how often the IT organization assesses and updates the risks associated with its services. This metric is useful to ensure that IT services meet business requirements, as it helps to identify and mitigate potential threats and vulnerabilities that could affect the availability, performance, reliability, and security of the services. A high frequency of IT services risk profile updates indicates that the IT organization is proactive and responsive to changing business needs and expectations. A low frequency of IT services risk profile updates suggests that the IT organization is reactive and complacent, and may not be aware of or prepared for emerging risks that could impact the business. References := Performance Measurement Metrics for IT Governance - ISACA, The 8 IT service management metrics that matter most

A periodic service provider audit is a process of conducting an independent and objective assessment of the service provider’s performance, quality, compliance, and security in relation to the agreed service level agreement (SLA) and the enterprise’s expectations and requirements. A periodic service provider audit can help provide quality of service oversight by:

Verifying and validating the service provider’s claims and credentials, and ensuring that they meet the contractual obligations and standards

Identifying and evaluating the strengths, weaknesses, opportunities, and threats of the service provider’s services, processes, and controls

Detecting and reporting any issues, gaps, or risks that may affect the quality of service delivery or the enterprise’s objectives and value

Recommending and implementing corrective and preventive actions to address and resolve the issues, gaps, or risks

Monitoring and measuring the outcomes and effectiveness of the corrective and preventive actions, and ensuring their alignment with the SLA

 The CTO should first understand the enterprise’s risk tolerance before assessing the impact of wearable technology. This will help the CTO to align the assessment with the enterprise’s objectives, culture, and appetite for risk. The other options are important steps in the assessment process, but they are not the first ones. Creating an IT risk scorecard and prioritizing wearable technology risk require a clear understanding of the enterprise’s risk tolerance, which is the basis for defining risk criteria and thresholds. References := ISACA, CGEIT Review Manual, 7th Edition, Chapter 2: Strategic Management, Section 2.3: Risk Optimization, p. 63-64.

Determining whether a quality assurance (QA) program meets business requirements requires an objective evaluation of its effectiveness in delivering expected outcomes. The CGEIT Review Manual 8th Edition states that a quality audit is the most effective method to assess whether QA processes align with business needs, as it provides a structured review of performance and compliance.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization):"A quality audit is the most effective way to determine whether an enterprise’s quality assurance program meets business requirements. The audit evaluates the QA processes, controls, and outcomes against defined business objectives, identifying gaps and areas for improvement." (Approximate reference: Domain 5, Section on Quality Management and Assurance)

Performing a quality audit (option D) provides a comprehensive assessment of the QA program’s alignment with business requirements, examining processes, metrics, and deliverables to ensure they meet stakeholder expectations.

Why not the other options?

A. Review the quality framework: Reviewing the framework provides insight into design but does not assess actual performance or alignment with business needs.

B. Perform a SWOT analysis: A SWOT analysis identifies strengths, weaknesses, opportunities, and threats but is too broad and not specific to evaluating QA effectiveness.

C. Review service outage reports: Outage reports may indicate issues but are limited to specific incidents and do not provide a holistic view of the QA program’s alignment with business requirements.

The most efficient way for an IT transformation project manager to communicate the project progress with stakeholders is to include key performance indicators (KPIs) in a monthly newsletter. This is because KPIs are measurable values that indicate how well the project is achieving its objectives and delivering value to the business1. By including KPIs in a monthly newsletter, the project manager can:

Provide a concise, clear, and consistent overview of the project status and results to the stakeholders2

Highlight the project achievements, challenges, and opportunities2

Demonstrate the alignment of the project with the business strategy, goals, and priorities2

Solicit feedback and suggestions from the stakeholders2

Foster a sense of engagement and collaboration among the stakeholders2

A monthly newsletter is an efficient communication channel, as it can reach a large and diverse audience of stakeholders, such as senior executives, business managers, IT staff, customers, and partners. It can also be easily distributed and accessed through email or intranet. A monthly frequency is appropriate for communicating the project progress, as it can provide timely and relevant information without overwhelming or distracting the stakeholders.

The other options, establishing governance forums within project management, sharing the business case with stakeholders, and posting the project management report to the enterprise intranet site are not as efficient as including KPIs in a monthly newsletter for communicating the project progress with stakeholders. They are more related to the planning and execution of the project, rather than its communication. They may also be too formal, detailed, or infrequent for some stakeholders who may prefer a more informal, concise, or frequent view of the project progress.

Thebest strategic responseis todevelop and enforce IT asset life cycle policies in consultation with business units. This approach ensures that legacy systems are managed proactively and collaboratively, balancing risk management, regulatory compliance, and operational needs. Policies should define criteria for decommissioning, archival solutions, and acceptable retention practices.

Firewalls and isolation are tactical mitigations, not strategic solutions. Surcharges may discourage usage but do not resolve governance and retention challenges comprehensively.

When operating in a jurisdiction withstrict privacy regulations, the first and most effective step is toconsult the legal and compliance department. They can provide guidance to ensure full compliance with local laws, such as GDPR or other data protection mandates, reducing the risk of regulatory non-compliance.

While revising policies or implementing technical controls (e.g., SIEM, KRIs) is useful, legal compliance is foundational and dictates how other controls should be shaped.

Assigning information risk to a department without designating an individual owner is most likely to have a negative impact on accountability for information risk ownership. This lack of individual accountability can lead to ambiguities in responsibility, making it difficult to ensure that appropriate risk management actions are taken and followed up on. When an individual owner is clearly identified, it establishes direct responsibility and accountability, improving the effectiveness of risk management practices. While the scenarios described in the other options present challenges, the absence of a specific individual owner represents a fundamental weakness in establishing clear accountability for managing information risk.

Reviewing the information governance framework should be the CIO’s primary focus before the migration, because it will help the CIO to ensure that the enterprise’s data and applications are secure, compliant, and aligned with the business objectives and policies in the cloud environment. The information governance framework defines the roles, responsibilities, processes, standards, and metrics for managing information assets across the enterprise. It also covers aspects such as data classification, data quality, data protection, data retention, data sovereignty, and data privacy. By reviewing the information governance framework, the CIO can identify the requirements, risks, and gaps that need to be addressed before moving to the cloud. The other options are not as important as reviewing the information governance framework, because they are either dependent on or secondary to it. Selecting best-of-breed cloud offerings is a tactical decision that should be based on the information governance framework and the enterprise architecture. Updating the enterprise architecture repository is a good practice, but not a primary focus before the migration. It can be done after the migration to reflect the changes in the IT landscape. Conducting IT staff training to manage cloud workloads is a necessary step, but not a primary focus before the migration. It can be done in parallel with or after the migration to ensure that the IT staff have the skills and knowledge to operate and optimize the cloud environment. References := Migration environment planning checklist, Practical Guide to Cloud Governance, Governance or compliance strategy