CGEIT Isaca Certified in the Governance of Enterprise IT Exam Free Practice Exam Questions (2025 Updated)

Outsourcing IT services requires a clear distinction between core and non-core processes to ensure that strategic capabilities are retained in-house while non-core activities are outsourced. The CGEIT Review Manual 8th Edition highlights that identifying core and non-core processes is the most essential consideration for outsourcing decisions.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization):"The most critical consideration in outsourcing IT services is identifying core and non-core business processes. Core processes, which provide competitive advantage, should typically be retained, while non-core processes can be outsourced to improve efficiency and focus on strategic priorities." (Approximate reference: Domain 5, Section on Outsourcing Strategy)

Identification of core and non-core business processes (option A) ensures that outsourcing aligns with the enterprise’s strategic goals and avoids compromising critical capabilities.

Why not the other options?

B. Compliance with enterprise architecture (EA): EA compliance is important but secondary to determining what processes should be outsourced.

C. Alignment with existing human resources (HR) policies and practices: HR alignment is operational and less critical than strategic process identification.

D. Adoption of a diverse vendor selection process: Vendor selection follows the decision to outsource and is not the primary consideration.

 A whistle-blower policy is a document that defines how ethics violations should be reported and how the whistle-blowers should be protected from retaliation. A whistle-blower policy is the best way to encourage employees to raise ethics concerns in full confidence, as it provides them with a clear, safe, and confidential channel to voice their concerns and seek resolution. A whistle-blower policy also demonstrates the organization’s commitment to ethical conduct and accountability, and fosters a culture of trust and openness12.

The other options are not as effective as establishing and communicating a whistle-blower policy. Publishing and enforcing a code of conduct policy is important for defining the ethical standards and expectations for the organization, but it does not necessarily encourage employees to raise ethics concerns, unless it is accompanied by a whistle-blower policy that ensures their protection and support3. Providing access to legal resource benefits is helpful for employees who need legal advice or assistance, but it does not guarantee their confidence or safety in reporting ethics violations, especially if they fear retaliation from their employer or co-workers4. Providing protection language in employment contracts is useful for safeguarding the rights and interests of employees, but it may not be sufficient or specific enough to address the issues and challenges faced by whistle-blowers, such as harassment, discrimination, or termination5.

 A cost-benefit analysis (CBA) is a process that’s used to estimate the costs and benefits of projects or investments to determine their profitability for an organization. A CBA is a versatile method that’s often used for business administration, project management and public policy decisions1. A CBA can help the CIO prioritize the improvement initiatives based on theirexpected value and feasibility, and justify the allocation of resources and funding for them. A CBA can also align the IT goals with the enterprise objectives and demonstrate the IT value delivery to the stakeholders2. References :=

2: CGEIT Exam Content Outline | ISACA

1: Cost-Benefit Analysis: A Quick Guide with Examples and Templates

This is because moving all IT applications to an external SaaS cloud provider means that the organization is outsourcing the development, deployment, maintenance, and operation of its IT applications to a third-party vendor. This implies that the organization is relinquishing some control and ownership over its IT applications, and relying on the vendor to provide the required functionality, performance, quality, and security1. Therefore, the organization needs to shift its focus from delivering IT services internally to managing IT services externally. This involves the following activities2:

Establishing and maintaining a clear and comprehensive contract or service level agreement (SLA) with the SaaS vendor that defines the roles, responsibilities, expectations, and outcomes of both parties2

Monitoring and measuring the SaaS vendor’s compliance with the contract or SLA, and ensuring that the vendor meets the agreed service levels, standards, and metrics2

Communicating and collaborating with the SaaS vendor regularly, and resolving any issues, conflicts, or changes that may arise during the service delivery2

Evaluating and improving the effectiveness and efficiency of the SaaS vendor’s service delivery, and identifying and implementing any opportunities for innovation or optimization2

Managing the risks and challenges associated with outsourcing IT services to a SaaS vendor, such as data privacy, security, availability, compatibility, integration, dependency, cost, and performance issues2

The shift from service delivery to service management can have a significant impact on the IT governance framework, processes, policies, and practices of the organization. It can also affect the IT skills, roles, and responsibilities of the IT staff and stakeholders. Therefore, the organization needs to adapt and adjust its IT governance approach accordingly to ensure that it can effectively oversee and optimize its IT services in a SaaS environment3.

The other options, the integration of the IT department with business lines, the improvement of IT service alignment with business, and the necessity to update key risk indicators (KRIs) are not as significant as the shift from service delivery to service management for moving all IT applications to an external SaaS cloud provider from an IT governance perspective. They are more related to the outcomes or consequences of moving to a SaaS environment, rather than the impact or change itself. They may also not be unique or specific to a SaaS environment, as they may apply to other types or models of IT service delivery as well.

A balanced scorecard is a tool that helps to measure and communicate the value of IT initiatives to the board of directors. It aligns IT objectives with business goals, tracks performance indicators, and shows the contribution of IT to the enterprise value. A balanced scorecard can also help to identify gaps and areas for improvement in IT governance. References := CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.3: Value Delivery Frameworks and Mechanisms, pp. 103-105.

Given that critical security monitoring was being neglected due to other demands, theIT steering committee's first priority should be to re-prioritize IT projects.This ensures that resources are allocated to security monitoring and risk mitigation, which are essential to enterprise protection.

Assessments and staffing changes may follow, butthe immediate governance action is to adjust prioritiesin light of organizational risk.

Developing an IT risk management framework begins with aligning it to the enterprise risk management (ERM) framework. This ensures consistency across all organizational risk domains and supports the integration of IT risk into the broader enterprise risk strategy. The ERM provides a foundation for identifying, assessing, and managing IT risks in a way that aligns with the organization's overall objectives. Promoting a culture of risk awareness, while critical, is a subsequent step once the framework is defined. References: COBIT 2019 Risk Management Process, CGEIT Exam Manual.

Enterprise architecture (EA) is the most useful in developing IT strategic plans aligned with technological needs because it provides a holistic view of the current and desired state of the organization, including its business processes, information systems, data, applications, infrastructure, and security. EA helps to align the organization’s vision, strategy, and goals with its IT capabilities and resources. EA also helps to identify the gaps, risks, and opportunities for improvement in the existing IT environment and to design and implement the optimal IT solutions that can support the business needs and objectives. EA can help to ensure that the IT strategic plans are consistent, coherent, and feasible12.

A business impact analysis (BIA) is a tool that helps to assess the potential impact of a disruption or change on the business objectives, processes, and functions. A BIA can help to prioritize the criticality of the IT resources and determine the acceptable level of risk and recovery time. A BIA can provide a basis for deciding how to allocate the budget, reduce the requirements, or contract external resources3. However, a BIA is not sufficient for developing IT strategic plans aligned with technological needs because it does not provide a comprehensive view of the current and future IT architecture and its alignment with the business strategy.

A business case is a document that describes the rationale and justification for initiating a project or investment. A business case can help to evaluate the costs, benefits, risks, and alternatives of different IT options and to communicate the value proposition to the stakeholders4. However, a business case is not enough for developing IT strategic plans aligned with technological needs because it does not provide a holistic view of the current and future IT architecture and its alignment with the business strategy.

A benchmark analysis is a process of comparing the performance, quality, or practices of an organization with those of its peers or competitors. A benchmark analysis can help to identify the best practices, standards, or trends in the industry and to measure the gap between the current and desired state of an organization. However, a benchmark analysis is not adequate for developing IT strategic plans aligned with technological needs because it does not provide a holistic view of the current and future IT architecture and its alignment with the business strategy.

References := Implement Agile IT Strategic Planning with Enterprise Architecture, The Benefits of Enterprise Architecture in Organizational Transformation, Business Impact Analysis, Business Case, [Benchmark Analysis]

This is because training metrics are measurable values that indicate the effectiveness and impact of the training programs on the IT staff’s knowledge, skills, and performance1. By embedding training metrics into the annual performance appraisal process, the CIO can:

Communicate the importance and value of IT-related training to the IT management team and direct employees2

Motivate and incentivize the IT management team and direct employees to participate in and complete the IT-related training2

Monitor and evaluate the IT management team and direct employees’ progress, achievement, and improvement in the IT-related training2

Provide feedback and recognition to the IT management team and direct employees who excel in the IT-related training2

Identify and address any gaps or issues in the IT-related training or its outcomes2

Embedding training metrics into the annual performance appraisal process can help to create a culture of learning, development, and accountability for IT-related training within the organization. It can also help to align the individual goals of the IT management team and direct employees with the organizational goals of IT governance.

The other options, developing training programs based on results of an IT staff survey of preferences, promoting IT-specific training awareness program, and researching and identifying training needs based on industry trends are not as effective as embedding training metrics into the annual performance appraisal process for ensuring that IT-related training is taken seriously by the IT management team and direct employees. They are more related to the design and delivery of the IT-related training, rather than its integration and evaluation. They may also not have a significant impact on the behavior and attitude of the IT management team and direct employees towards IT-related training, as they may not provide sufficient motivation, feedback, or recognition for participation or completion.

 The CTO should first understand the enterprise’s risk tolerance before assessing the impact of wearable technology. This will help the CTO to align the assessment with the enterprise’s objectives, culture, and appetite for risk. The other options are important steps in the assessment process, but they are not the first ones. Creating an IT risk scorecard and prioritizing wearable technology risk require a clear understanding of the enterprise’s risk tolerance, which is the basis for defining risk criteria and thresholds. References := ISACA, CGEIT Review Manual, 7th Edition, Chapter 2: Strategic Management, Section 2.3: Risk Optimization, p. 63-64.

 An updated business case for IT resourcing is a document that provides the rationale and justification for the proposed changes in the IT staff structure, such as the number, roles, skills, and costs of the IT personnel. An updated business case for IT resourcing should align with the IT strategy and objectives, as well as the business needs and expectations. An updated business case for IT resourcing should also include the benefits, risks, and impacts of the IT staff restructure, as well as the alternatives and recommendations12.

The other options are not as effective as an updated business case for IT resourcing to support an IT staff restructure. Established IT key performance indicators (KPIs) are measures that evaluate the performance and outcomes of the IT department, such as service quality, customer satisfaction, project delivery, and innovation. Established IT KPIs are important for monitoring and reporting the IT results and achievements, but they do not necessarily support an IT staff restructure, unless they are linked to the proposed changes in the IT staff structure3. IT staff training program requirements are specifications that define the learning needs and objectives of the IT personnel, such as skills development, knowledge enhancement, and career advancement. IT staff training program requirements are beneficial for improving the capabilities and competencies of the IT staff, but they do not directly support an IT staff restructure, unless they are aligned with the new roles and responsibilities of the IT personnel4. External IT staffing benchmarks are standards or best practices that compare the IT staff structure of other organizations or industries, such as staffing ratios, skill levels, or salary ranges. External IT staffing benchmarks are useful for assessing and improving the competitiveness and efficiency of the IT department, but they do not adequately support an IT staff restructure, unless they are customized and adapted to the specific context and situation of the organization5.

This is because employee engagement is a key factor for the success of any change initiative, especially one that involves governance. Employee engagement refers to the degree of commitment, involvement, and ownership that employees have toward the organization and its goals1. By designing the implementation plan to engage employees across the enterprise, the organization can:

Communicate the vision, purpose, and benefits of the new governance initiative to employees2

Solicit feedback and suggestions from employees on how to implement the new governance initiative effectively2

Address any concerns or resistance that employees may have toward the new governance initiative2

Empower and motivate employees to participate in and support the new governance initiative2

Foster a culture of collaboration, learning, and innovation among employees2

Designing the implementation plan to engage employees across the enterprise can help to ensure that the new governance initiative is understood, accepted, and adopted by all stakeholders, and that it delivers the desired outcomes and value.

The other options, staff have been trained on the new initiative, external consultants created the plan, and the plan assigns responsibility for completing milestones are not as indicative as the plan is designed to engage employees across the enterprise for the success of the implementation plan for a new governance initiative. They are more related to the execution and management of the implementation plan, rather than its design and alignment. They may also not be sufficient or effective for ensuring the success of the implementation plan, as they may not address the human and behavioral aspects of change, such as awareness, understanding, involvement, commitment, and ownership3. References := Employee Engagement: What Is It? | SHRM, How To Engage Employees In Organizational Change | Forbes, Change Management Best Practices: A Comprehensive Guide | Smartsheet

 A root cause analysis is the first step to identify the factors that are causing the loss of top talent and to devise appropriate solutions. A SWOT analysis, an incentive and retention program, and an aggressive talent acquisition program are possible outcomes of a root cause analysis, but they are not the first action to take. References := CGEIT Review Manual, 7th Edition, page 103.

Outsourcing decisions require a clear understanding of the financial and operational implications. The CGEIT Review Manual 8th Edition advises that conducting a cost-benefit analysis is the first step to evaluate whether outsourcing non-core IT processes aligns with enterprise objectives.

Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization):"Before outsourcing IT processes, the enterprise should conduct a cost-benefit analysis to assess the financial, operational, and strategic implications. This analysis determines whether outsourcing delivers value and supports business objectives." (Approximate reference: Domain 5, Section on Outsourcing Decisions)

Conducting a cost-benefit analysis for outsourcing (option D) provides the data needed to make an informed decision, comparing costs, risks, and benefits of outsourcing versus in-house management.

Why not the other options?

A. Update resource allocation policies: Policy updates follow the decision to outsource, based on the analysis.

B. Issue a formal request for proposal (RFP) to outsourcing vendors: Issuing an RFP is premature without confirming that outsourcing is viable.

C. Establish service-level metrics for outsourced activities: Metrics are defined after deciding to outsource and selecting a vendor.

A due diligence process is the best way to enable a clear understanding of the vendor’s capabilities that will be critical to the enterprise’s strategy. A due diligence process is a systematic and comprehensive investigation and evaluation of the vendor’s background, reputation, performance, quality, reliability, security, compliance, and suitability for the enterprise’s needs and expectations. A due diligence process can help the enterprise:

Verify the vendor’s claims and credentials, and validate the vendor’s references and testimonials

Assess the vendor’s financial stability, legal status, and ethical standards

Identify the vendor’s strengths, weaknesses, opportunities, and threats

Compare the vendor’s offerings, capabilities, and prices with other vendors and market benchmarks

Determine the risks and benefits of engaging with the vendor, and the mitigation and contingency plans

Negotiate the terms and conditions of the contract, service level agreement (SLA), and key performance indicators (KPIs)

This is because KPIs are measurable values that indicate how well the IT governance framework is achieving its objectives and delivering value to the business1. By evaluating KPI results, the organization can:

Monitor and review the IT governance framework’s progress, performance, quality, and outcomes

Highlight the IT governance framework’s achievements, challenges, and opportunities

Demonstrate the alignment of the IT governance framework with the business strategy, goals, and priorities

Provide recommendations and feedback for the IT governance framework’s improvement and adjustment

Evaluating KPI results can provide a comprehensive and objective overview of the IT governance framework’s effectiveness and impact.

The other options, developing a business case for the program portfolio, benchmarking the IT governance framework to industry best practice, and reviewing results of IT audit reports are not as effective as evaluating KPI results for assessing the effectiveness of a newly established IT governance framework. They are more related to the design and implementation of the IT governance framework, rather than its evaluation. They may also be too narrow or subjective for assessing the IT governance framework’s effectiveness, as they may not cover all aspects or perspectives of the IT governance framework. They may also depend on external factors or standards that may not be relevant or applicable to the organization’s specific context and needs.

The most efficient way for an IT transformation project manager to communicate the project progress with stakeholders is to include key performance indicators (KPIs) in a monthly newsletter. This is because KPIs are measurable values that indicate how well the project is achieving its objectives and delivering value to the business1. By including KPIs in a monthly newsletter, the project manager can:

Provide a concise, clear, and consistent overview of the project status and results to the stakeholders2

Highlight the project achievements, challenges, and opportunities2

Demonstrate the alignment of the project with the business strategy, goals, and priorities2

Solicit feedback and suggestions from the stakeholders2

Foster a sense of engagement and collaboration among the stakeholders2

A monthly newsletter is an efficient communication channel, as it can reach a large and diverse audience of stakeholders, such as senior executives, business managers, IT staff, customers, and partners. It can also be easily distributed and accessed through email or intranet. A monthly frequency is appropriate for communicating the project progress, as it can provide timely and relevant information without overwhelming or distracting the stakeholders.

The other options, establishing governance forums within project management, sharing the business case with stakeholders, and posting the project management report to the enterprise intranet site are not as efficient as including KPIs in a monthly newsletter for communicating the project progress with stakeholders. They are more related to the planning and execution of the project, rather than its communication. They may also be too formal, detailed, or infrequent for some stakeholders who may prefer a more informal, concise, or frequent view of the project progress.

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Benefits Realization domain, stresses the importance of evaluating IT investments to ensure they deliver sustained value to the enterprise. The IT steering committee needs a holistic approach to assess benefits, not just financial metrics at specific points.

Option D: Measure value creation throughout the economic life cycle is the best approach. This involves tracking benefits (e.g., revenue growth, cost savings, customer satisfaction) from project initiation through implementation and into ongoing operations, ensuring the investment delivers value over its full lifecycle. For example, a new CRM system’s benefits (e.g., improved sales) should be measured post-implementation to confirm sustained value. The manual likely references COBIT 2019’s APO05-Managed Portfolio, which advocates for lifecycle-based value management.

Option A: Measure ROI during implementation is premature, as ROI is most meaningful post-implementation when benefits are realized.

Option B: Measure NPV during stage gate review is useful for decision-making but focuses on financial projections at a single point, not actual benefits.

Option C: Measure planned versus actual spend tracks costs, not benefits, and is irrelevant to value creation.

Double Verification: The answer aligns with COBIT’s emphasis on lifecycle value management and the CGEIT domain’s focus on benefits realization. Lifecycle measurement is a standard ISACA practice for IT investments.

ISACA CGEIT Review Manual 8th Edition, Domain 3: Benefits Realization (focus on value measurement).

COBIT 2019, APO05-Managed Portfolio.

ISACA Glossary (for definitions of value creation), available at https://www.isaca.org/resources/glossary.

According to the web search results, the customer dimension of an IT balanced scorecard is the perspective that measures how well the IT department meets the needs and expectations of its internal and external customers, such as business units, end users, suppliers, and partners. The customer dimension helps the IT department to align its services and products with the customer requirements and preferences, and to deliver value and satisfaction to the customers12.

The most important measure to include in the customer dimension of an IT balanced scorecard is stakeholder satisfaction, which is the degree to which the customers are satisfied with the quality, performance, and outcomes of the IT services and products. Stakeholder satisfaction reflects the customer perception and feedback of the IT department, and influences the customer loyalty, retention, and advocacy. Stakeholder satisfaction can be measured by various methods, such as surveys, interviews, focus groups, complaints, compliments, and referrals34.

The other options are not as important as stakeholder satisfaction to include in the customer dimension of an IT balanced scorecard. Business value creation is a measure that belongs to the financial dimension of an IT balanced scorecard, as it evaluates how much value the IT department contributes to the business strategy and objectives5. Maintenance of IT operations is a measure that belongs to the internal process dimension of an IT balanced scorecard, as it assesses how well the IT department manages and improves its core processes and activities. Support for corporate customers is a measure that belongs to the learning and growth dimension of an IT balanced scorecard, as it indicates how well the IT department develops and enhances its capabilities and competencies to support its customers.

Utilizing a capability maturity model is the best way for a CIO to assess the consistency of IT processes against industry benchmarks and determine where to focus improvement initiatives. Capability maturity models provide a structured framework for evaluating the maturity of an organization's processes in comparison to industry best practices. This approach helps identify areas of strength and opportunities for improvement, guiding strategic decisions on where to allocate resources for process enhancements. While balanced scorecards, key performance measures, and IT process audit results are useful, a capability maturity model offers a comprehensive assessment specifically designed for process improvement.

A communication plan is a document that outlines the objectives, strategies, tactics, and messages for communicating with a specific audience. A communication plan for disseminating information regarding the technical risks of BYOD should include the following elements12:

The purpose and goals of the communication

The target audience and their needs and preferences

The key messages and tone of the communication

The communication channels and methods

The roles and responsibilities of the communicators

The timeline and frequency of the communication

The evaluation and feedback mechanisms

The most important element to include in this communication plan is the key messages, which should convey the potential exposures and impacts of BYOD using common terms that the audience can understand. The key messages should explain what BYOD is, why it is important, what are the benefits and challenges, what are the risks and threats, how to protect the devices and data, and what are the best practices and policies. The key messages should also be consistent, clear, concise, relevant, and engaging12.

The other options are not as important as the key messages, as they are either supporting or secondary elements of the communication plan. A link on the corporate intranet to the BYOD policy is a communication channel, which is a means of delivering the message, but not the message itself. A schedule and content for mandatory training is a communication tactic, which is a specific action or activity to implement the strategy, but not the strategy itself. Disciplinary actions for violation of the BYOD policy is a message detail, which is a specific piece of information to support the message, but not the message itself.

Operational processes are the routine and repetitive tasks that support the day-to-day operations of an enterprise, such as data entry, payroll, customer service, etc. These processes are usually well-defined, standardized, and measurable, which makes them easier to outsource to a third-party provider who can perform them more efficiently and cost-effectively. Outsourcing operational processes can also free up internal resources and capabilities for more strategic and innovative activities that add value to the enterprise. Therefore, operational processes that are well-defined are a good candidate for outsourcing.

The accountability for a business continuity program for business-critical systems is best assigned to the CIO, because the CIO is responsible for the IT strategy, operations, and resources that support the business objectives and continuity. The other options are not as suitable as the CIO, because they do not have the same level of authority, expertise, or involvement in the IT function. The enterprise risk manager oversees the overall risk management process, but does not have direct control over the IT resources and activities. The CEO is ultimately accountable for the entire organization, but delegates the responsibility for IT to the CIO. The director of internal audit provides assurance and consulting services on the effectiveness of governance, risk management, and control processes, but does not have operational responsibility for IT or business continuity. References := Business Continuity Program Roles & Responsibilities, Who Should Manage the Business Continuity Program?

When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should first consider the risk profile of the enterprise. Understanding the overall risk landscape, including existing vulnerabilities, threats, and the impact of potential risks, provides a foundation for evaluating how new regulatory requirements will affect the organization. This initial step ensures that subsequent risk management efforts, including compliance activities, are aligned with the enterprise's risk appetite and strategic objectives. While cost, system readiness, and operational disruption are important considerations, they should be evaluated in the context of the enterprise's risk profile.

Themost critical factor in aligning IT and enterprise resource managementis ensuring thatIT resources are mapped to business priorities. This guarantees that resource allocation supports strategic objectives and delivers maximum value.

Without this alignment, IT efforts may be misdirected, underutilized, or not supporting enterprise goals—even if sourcing and monitoring are in place.

Performing a business impact analysis (BIA) is the first course of action when a shortfall of IT resources is identified because it helps to assess the potential impact of the resource gap on thebusiness processes, objectives, and goals. A BIA can also help to prioritize the criticality of the IT resources, identify the minimum acceptable levels of service, and determine the recovery strategies and resource requirements. A BIA can provide a basis for making informed decisions on how to allocate the available IT resources or acquire additional resources to close the gap.

 Change management is the process of planning, implementing, and managing the human side of change in an organization. Change management aims to minimize the resistance and disruption caused by a change, and maximize the adoption and benefits of the change1. Deploying a new enterprise-wide tool is a significant change that affects the way people work, communicate, and collaborate. Therefore, the best way for a CIO to manage the organizational impact of this change is to implement change management practices, such as:

Assessing the readiness and impact of the change on the stakeholders

Developing a communication and engagement plan to inform and involve the affected parties

Providing training and support to help the users learn and use the new tool

Measuring and monitoring the progress and outcomes of the change

Reinforcing and sustaining the change through feedback and recognition

Project management, risk management, and resource management are also important aspects of deploying a new enterprise-wide tool, but they are not sufficient to address the human side of change. Project management focuses on delivering the project on time, on budget, and on scope2. Risk management identifies, analyzes, and mitigates the potential threats and opportunities associated with the project3. Resource management allocates and optimizes the use of human, financial, and physical resources for the project4. However, none of these processes directly deal with the behavioral and emotional aspects of change, such as overcoming resistance, building commitment, and creating a culture of change. Therefore, change management is the best way for a CIO to manage the organizational impact of deploying a new enterprise-wide tool.

Within IT portfolio management, themost important objective is maximizing the earned value of IT investments.This ensures that projects contribute meaningfully to enterprise goals, provide strong return on investment, and optimize the use of limited IT resources.

Decisions about discontinuation or risk are part of the process, butvalue delivery is the primary metricin portfolio optimization.

The executive team consists of the senior leaders of the enterprise, such as the CEO, CFO, COO, etc. They are responsible for setting the vision, mission, goals, and strategy of the enterprise, andfor overseeing its performance and governance. The CIO is part of the executive team and should align the IT strategic plan with the enterprise business objectives. Therefore, the CIO would be most effective by starting the interview process with the executive team, as they can provide the most relevant and authoritative input on the enterprise’s direction, priorities, challenges, and expectations. The executive team can also help the CIO gain support and approval for the IT strategic plan from other stakeholders, such as the internal auditors, senior IT managers, and business process owners. References: ISACA, Reporting Cybersecurity Risk to the Board of Directors, page 81. ISACA, Performance Measurement Metrics for IT Governance, page 1