CGEIT Isaca Certified in the Governance of Enterprise IT Exam Free Practice Exam Questions (2025 Updated)

The best criterion for prioritizing IT risk remediation when resource requirements are equal is the impact on business, as it reflects the potential consequences of the IT risk on the enterprise’s objectives, operations, reputation, and stakeholders. The impact on business can be measured by factors such as financial loss, operational disruption, customer dissatisfaction, regulatory violation, or reputational damage. The higher the impact on business, the higher the priority for IT risk remediation.

Deviation from IT standards, IT strategy alignment, and IT audit recommendations are also important criteria for prioritizing IT risk remediation, but they are not the best criterion. Deviation from IT standards is the degree to which an IT process, system, or service does not comply with the established policies, procedures, or best practices. Deviation from IT standards can indicate a weakness or gap in IT governance or management, but it does not necessarily reflect the severity or urgency of the IT risk. IT strategy alignment is the degree to which an IT process, system, or service supports and enables the enterprise’s strategy and goals. IT strategy alignment can indicate the value or importance of an IT process, system, or service, but it does not directly measure the impact of the IT risk on the business. IT audit recommendations are the suggestions or actions proposed by an IT auditor to address the findings or issues identified during an IT audit. IT audit recommendations can provide guidance and direction for IT risk remediation, but they are not a definitive or objective criterion for prioritization.

References := IT Risk Management Guide for 2022 | CIO Insight; What is IT Governance, Risk, and Compliance (GRC)?; Holistic IT Governance, Risk Management, Security and Privacy: Needed for Effective Implementation and Continuous Improvement - ISACA; Cyberrisk Governance: A Practical Guide for Implementation - ISACA.

Learn more:

1. cioinsight.com2. securityscorecard.com3. isaca.org4. isaca.org5. cldigital.com+1 more

 The PRIMARY purpose of information governance is to set direction for information management capabilities through prioritization and decision making. Information governance is the overall strategy for information at an organization. It balances the risk that information presents with the value that information provides1. Information governance helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery1. To achieve this, information governance requires setting direction for information management capabilities through prioritization and decision making. This involves defining and implementing policies and processes for the effective and efficient acquisition, storage, distribution, usage, and disposal of information in alignment with business objectives and regulatory requirements2. It also involves ensuring the protection of information quality, integrity, availability, confidentiality, and ownership2. By setting direction for information management capabilities through prioritization and decision making, information governance can help to optimize the value and minimize the risk of information assets. References :=

Information governance - Wikipedia1

What is Information Governance? Why is it Important?3

 The business manager has the primary responsibility to define the requirements for IT service levels for the enterprise, as they are the ones who understand the business needs, objectives, and expectations from the IT services. The business manager should communicate these requirements to the IT service provider, who should then design, deliver, and monitor the IT services according to the agreed service levels. The help desk, the CIO, and the business continuity vendor are not primarily responsible for defining the IT service level requirements, although they may have roles in supporting, implementing, or ensuring them. References := CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, page 20-21.

An information classification framework would be the most helpful to an enterprise that wants to standardize how sensitive corporate data is handled, because it provides a systematic and consistent way to identify, label, and protect the data according to its level of sensitivity and the impact of its exposure. An information classification framework helps to define the criteria and methods for classifying data into different categories, such as public, internal, confidential, or secret1. It also helps to specify the roles and responsibilities, policies and procedures, standards and expectations, and tools and techniques for handling data securely and appropriately throughout its life cycle2. An information classification framework also helps to comply with the legal and regulatory requirements, and to reduce the risks, costs, and complexity associated with data management3.

References := Information classification – How to do it according to ISO 27001, Create a well-designed data classification framework, Information classification framework diagram.

The best approach to help ensure future service delivery in accordance with business objectives is to implement contract monitoring, because this would enable the enterprise to measure and evaluate the performance and compliance of the third-party IT suppliers, and identify and resolve any issues or gaps that may affect the service quality, availability, and reliability. Contract monitoring should involve defining and tracking key performance indicators (KPIs), key risk indicators (KRIs), service level agreements (SLAs), and contractual obligations, and applying corrective actions or penalties when necessary12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 67-68.

This is a barrier to strategic alignment of business and IT, as it creates inconsistency and fragmentation in the IT governance process across the enterprise. Strategic alignment of business and IT is the degree of fit and integration among business strategy, IT strategy, business infrastructure, and IT infrastructure1. It helps to ensure that IT supports and enables the achievement of the enterprise’s goals and objectives, and delivers value to the stakeholders1. To achieve strategic alignment, an enterprise needs to have a coherent and coordinated IT governance process that aligns IT with business goals, optimizes IT investments and resources, manages IT risks and opportunities, and measures IT performance and benefits1. However, if each business unit has its own steering committee for IT investment and prioritization, this may result in conflicting or competing IT priorities, duplication or waste of IT resources, lack of communication or collaboration among IT stakeholders, or misalignment of IT services and capabilities with business needs and expectations1. Therefore, each business unit having its own steering committee for IT investment and prioritization is a barrier to strategic alignment of business and IT.

The other options are not barriers to strategic alignment of business and IT, as they are possible enablers or indicators of strategic alignment. Uniform portfolio management is the process of selecting, prioritizing, balancing, and monitoring the IT investments and initiatives that support the enterprise’s strategic objectives and deliver value to the stakeholders2. Uniform portfolio management can help to align IT with business goals, optimize resource allocation, manage risks and dependencies, and measure performance and benefits2. IT being the exclusive provider of IT services to the business units can help to ensure that the IT services are consistent, reliable, secure, and compliant with the enterprise’s standards and policies3. The enterprise’s CIO being a member of the executive committee can help to demonstrate the strategic importance and contribution of IT to the enterprise’s success, as well as facilitate the communication and collaboration between IT and business leaders4.

The MOST important consideration when planning for long-term IT service delivery is the ability of the IT organization to sustain business requirements. A service-oriented IT organization model is one that focuses on delivering value and outcomes to the business through IT services that are aligned with business needs and expectations1. To achieve this, the IT organization must be able to adapt to the changing and growing demands of the business, as well as the advances in technology and innovation. The IT organization must also have the necessary resources, capabilities, processes, and governance mechanisms to ensure the quality, reliability, availability, security, and performance of the IT services2. Therefore, the ability of the IT organization to sustain business requirements is essential for long-term IT service delivery.

The other options are not as important as option D. While it is important to have the approval of the business, an IT risk management process, and a comprehensive service catalog, these are not sufficient to ensure long-term IT service delivery. They are rather means to achieve the end goal of satisfying and sustaining business requirements. References :=

Make the IT function service-oriented - @CIOPortfolio1

What is SOA (Service-Oriented Architecture)? | IBM

 Key performance indicators (KPIs) are the best source of information for the IT steering committee to evaluate whether a third-party supplier is delivering the correct level of service, as they are metrics that measure the achievement of specific goals or objectives. KPIs can help the committee assess the quality, efficiency, effectiveness, and value of the supplier’s services, as well as their alignment with the enterprise’s strategy and expectations. KPIs can also help the committee identify and address any issues or gaps in the supplier’s performance, as well as monitor and report on their progress and improvement.

Service portfolio management, vendor status reports, and operational cost reduction reports are also useful sources of information for the IT steering committee, but they are not as comprehensive and reliable as KPIs. Service portfolio management is the process of managing the lifecycle of IT services, from conception to retirement. Service portfolio management can help the committee understand the scope, objectives, and benefits of the supplier’s services, as well as their interdependencies and risks. Vendor status reports are documents that provide updates on the supplier’s activities, deliverables, milestones, and issues. Vendor status reports can help the committee track and communicate the status of the supplier’s services, as well as identify and resolve any problems or conflicts. Operational cost reduction reports are documents that show how the supplier’s services have reduced or optimized the enterprise’s operationalcosts. Operational cost reduction reports can help the committee evaluate the financial impact and return on investment (ROI) of the supplier’s services.

References := Performance Measurement Metrics for IT Governance; KPIs for Corporate Governance Dashboard - BSC Designer; feature Performance Measurement Metrics for IT Governance - ISACA; Performance Measurement Metrics for IT Governance - ISACA.

Negotiating service level agreements (SLAs) is the best way for an organization to minimize the difference between expected and delivered services when acquiring resources, because SLAs define the scope, quality, availability, performance, and security of the services that the provider will deliver to the customer. SLAs also specify the roles and responsibilities, escalation procedures, and penalties for non-compliance of both parties. By negotiating SLAs, the organization can ensure that its expectations and requirements are clearly communicated and agreed upon by the provider, and that there are mechanisms to measure and monitor the service delivery and outcomes. Negotiating SLAs also helps to prevent or resolve any disputes or issues that may arise from the service provision, and to ensure that the organization receives the value and benefits that it expects from the provider. One of the sources that supports this answer is Service-level Agreement: 3 Types And Templates - Contract Lawyers, which states that “A service-level agreement is important because it: Protects both parties: The SLA sets standards for the service, ensuring both the service provider and end user are on the same page with expectations.”

The number of events impacting business processes due to delays in responding to risks is the best outcome measure to determine the effectiveness of IT risk management processes, because it reflects the actual consequences and losses that result from inadequate or ineffective riskmanagement. Outcome measures are metrics that evaluate the results and benefits of a process or activity, rather than the inputs or outputs1. Outcome measures help to assess whether the process or activity is achieving its objectives and delivering value to the organization1. The number of events impacting business processes due to delays in responding to risks is an outcome measure that indicates how well the IT risk management processes are able to identify, analyze, evaluate, treat, monitor, and communicate IT risks in a timely and appropriate manner. A high number of such events would suggest that the IT risk management processes are not effective, and that they need to be improved or revised. A low number of such events would suggest that the IT risk management processes are effective, and that they are reducing the likelihood and impact of IT risks on the organization.

References := How To Measure Risk Management KPI & Metrics - ERM Software

A business continuity plan (BCP) is the most important element for IT governance to have in place to ensure the enterprise can maintain operations during extensive system downtime. A BCP consists of the processes and procedures an organization needs to ensure its critical business processes continue operating during a disaster1. A BCP should include methods to ensure uninterrupted delivery of critical IT services, identify the resources needed, and outline manual workarounds. It should also contain policies, standards, procedures, and tools for responding to and preventing major incidents, as well as the IT architecture of the organization2. A BCP should be reviewed regularly and updated as needed.

References := Business continuity planning (BCP) - Learning Center, IT Business Continuity | DisasterRecovery.org, IT Governance Blog: free business continuity plan template

 An enterprise IT strategy is a plan that defines the vision, mission, goals, and objectives of the IT function in relation to the business needs and expectations of the enterprise. An enterprise IT strategy also outlines the principles, policies, standards, and frameworks that guide the IT governance, management, and operations. An enterprise IT strategy best supports enterprise decision making for IT resource allocation, as it helps to align the IT resources with the business priorities and strategies, and to optimize the value and performance of the IT function and its services. An enterprise IT strategy also helps to identify and prioritize the IT initiatives and investments that can deliver the desired outcomes and benefits for the enterprise, and to allocatethe appropriate resources for their execution and delivery. An enterprise IT strategy also helps to monitor and evaluate the results and impacts of the IT resource allocation decisions, and to provide feedback and improvement opportunities. References: CGEIT Exam Content Outline | ISACA1, CGEIT Review Manual (Digital Version), What is an IT Strategy? - Definition from Techopedia2, How to create an effective IT strategy | The Enterprisers Project3

Discretionary investments are those that are not mandatory or essential for the business, but may provide some benefits or opportunities. The IT strategy committee should evaluate whether the discretionary investment supports the corporate goals and aligns with the business strategy, as this is the most important criterion for IT governance and value creation. The technical feasibility, the business and technical scope, and the alignment with the EA are also important factors, but they are secondary to the strategic alignment and value proposition of the investment. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, p. 92-93; Rethinking traditional technology budgeting processes; Discretionary Investment Management Definition, Benefits & Risks.

 A cost-benefit analysis (CBA) is a process that evaluates the costs and benefits of a project or investment to determine its feasibility and profitability for an organization. A CBA can help the IT steering committee to compare different options for establishing a virtual reality store, such as the required hardware, software, data center, security, marketing, maintenance, etc. A CBA can also help estimate the potential revenues, customer satisfaction, competitive advantage, and social impact of the virtual reality store. A CBA can provide a rational basis for decision-making and prioritization of the project. A CBA should be requested before other actions such as a resource gap analysis, a key risk indicator (KRI) development, or a threat assessment, as they depend on the scope and objectives of the project that are defined by the CBA. References: ISACA, Performance Measurement Metrics for IT Governance, page 11. ProjectManager, Cost-Benefit Analysis: A Quick Guide with Examples and Templates2. HBS Online, Cost-Benefit Analysis: What It Is & How to Do It

A vision statement should be the primary input when developing IT strategy, because it is a concise and clear expression of the enterprise’s desired future state and direction, and it reflects the enterprise’s mission, values, and goals12. A vision statement can help to guide and inspire the IT function to align its activities and resources with the business needs and expectations, and to deliver value and innovation to the enterprise. A vision statement can also help to communicate and monitor the IT strategy and objectives, and measure the IT performance and outcomes12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 23-24.

Organizational culture is the most important consideration when designing an implementation plan for IT governance, because it influences the ethics, values, behaviors, and attitudes of the people involved in the governance process. Organizational culture also affects the acceptance, adoption, and sustainability of the IT governance framework and practices. According to COBIT 5, one of the seven enablers of IT governance is culture, ethics and behavior1. The roadmap for implementing and improving IT governance also emphasizes the importance of understanding and addressing the cultural and behavioral aspects of the enterprise2. References := 1: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, page 312: A Roadmap for Implementing and Improving IT Governance1

The BEST time for the enterprise to plan for the event of contract termination is when developing the initial contract. Contract termination is the process of ending a contractual relationship between two parties, either by mutual agreement or by exercising a right to terminate under the contract terms1. Contract termination can have significant impacts and implications for both parties, such as loss of revenue, loss of service, loss of data, legal disputes, reputational damage, etc.2 Therefore, it is important to plan for the event of contract termination in advance, and include appropriate provisions and mechanisms in the contract to ensure a smooth and orderly exit3.

Some of the benefits of planning for contract termination when developing the initial contract are4:

It clarifies the expectations and obligations of both parties in case of contract termination, such as the notice period, the termination fees, the transition services, the data return or destruction, etc.

It reduces the risks and costs associated with contract termination, such as service disruption, data loss, litigation, penalties, etc.

It enables faster and more effective resolution of contract termination issues, such as dispute resolution, arbitration, mediation, etc.

It fosters a positive and professional relationship between the parties, even in case of contract termination, by avoiding surprises, conflicts, or misunderstandings.

Therefore, planning for contract termination when developing the initial contract is the best time for the enterprise to ensure a successful and beneficial outsourcing engagement.

The committee should find the information about who is responsible for the risk response in the RACI chart, as this is a tool that assigns the roles and responsibilities of the stakeholders for each task or activity in a project or process. RACI stands for Responsible, Accountable, Consulted,and Informed, which are the four types of involvement or participation that a stakeholder can have in a task or activity. A RACI chart is a matrix that shows the tasks or activities as rows and the stakeholders as columns, and indicates their roles and responsibilities using the RACI codes. A RACI chart can help clarify and communicate who is doing what, who is making decisions, who is providing input, and who is being updated in a project or process1.

A resource management plan, a risk management plan, and a risk register are also important documents for managing IT risks, but they do not provide the information about who is responsible for the risk response. A resource management plan is a document that defines how the resources, such as human, financial, physical, or technological resources, will be acquired, allocated, managed, and controlled in a project or process. A resource management plan can help ensure that the resources are available and sufficient for the risk response activities. A risk management plan is a document that defines how the risks will be identified, analyzed, evaluated, treated, monitored, and communicated in a project or process. A risk management plan can help ensure that the risks are managed effectively and efficiently according to the enterprise’s objectives and policies. A risk register is a document that records the risks that may affect the achievement of an objective or the performance of an activity, as well as their likelihood, impact, mitigation strategies, and status. A risk register can help identify and prioritize the risks that need to be addressed or monitored.

An enterprise code of ethics is a set of principles and values that guide the behavior and decision-making of the organization and its members. It can help to incorporate desired organizational behaviors into the IT governance framework by establishing a common understanding and expectation of what is acceptable and unacceptable, and by promoting a culture of integrity, accountability, and responsibility. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 17.

The main goal of the IT strategy committee after establishing stakeholder desired outcomes should be to ensure IT risk alignment with enterprise risk. IT risk alignment means that the IT risk management program is consistent and integrated with the enterprise risk management (ERM) program, and that the IT risks are identified, assessed, and treated in relation to the enterprise’s objectives, strategies, and risk appetite. IT risk alignment can help the enterprise achieve the following benefits1:

Enhance the value delivery of IT to the business

Improve the decision making and prioritization of IT investments and initiatives

Reduce the likelihood and impact of IT-related incidents and losses

Increase the resilience and agility of IT in responding to changes and disruptions

Strengthen the governance and accountability of IT performance and compliance

To ensure IT risk alignment with enterprise risk, the IT strategy committee should perform the following tasks2:

Define the scope, objectives, and criteria for IT risk management

Establish the roles and responsibilities for IT risk management

Align the IT risk management framework and processes with the ERM framework and processes

Communicate and collaborate with the ERM function and other stakeholders on IT risk issues

Monitor and review the effectiveness and maturity of IT risk management

The other options are not the main goal of the IT strategy committee after establishing stakeholder desired outcomes. Identifying business data that requires protection, performing a risk analysis on key IT processes, and implementing controls to address high risk areas are steps that are part of the IT risk management process, but they are not specific to ensuring IT risk alignment with enterprise risk. These steps should be done by the IT risk management function or team, under the guidance and oversight of the IT strategy committee.

A cost-benefit analysis is a process that compares the costs and benefits of a decision or an action, such as outsourcing non-core IT processes. A cost-benefit analysis can help the enterprise evaluate the feasibility, profitability, and sustainability of outsourcing, as well as identify the potential risks and opportunities. A cost-benefit analysis can also help the enterprise determine the optimal level and scope of outsourcing, and select the most suitable outsourcing partner. A cost-benefit analysis should be the first step before issuing a formal request for proposal, establishing service level metrics, or updating resource allocation policies. References :=

The Outsourcing Handbook A guide to outsourcing - Deloitte United Kingdom, page 10

Five Tips For Outsourcing Business Processes Effectively In 2021 - Forbes

An enterprise that has identified potential environmental disasters that could occur in the area where its data center is located should next assess the likelihood and impact on the data center, because this would help to evaluate the level of risk and prioritize the appropriate risk response strategies. The likelihood and impact assessment should consider the frequency, severity, duration, and scope of the potential disasters, and the potential consequences for the data center’s availability, integrity, confidentiality, and performance12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 75-76.

The primary basis for establishing categories within an information classification scheme should be the business impact, because it reflects the level of importance and sensitivity of the information to the organisation and its stakeholders. The business impact can be assessed by considering the potential consequences of unauthorised disclosure, modification, or loss of availability of the information. The higher the business impact, the higher the level of protection required for the information. For example, information that could cause severe damage to the organisation’s reputation, operations, or finances if compromised should be classified as Top Secret1, whereas information that is intended for public release should be classified as Public2. The information security policy should provide guidance on how to classify information based on the business impact, but it is not the primary basis for establishing categories. The information architecture and industry standards may also influence the classification scheme, but they are not as relevant as the business impact.

To develop appropriate measures to improve organizational performance, the measures must be accepted by and meaningful to the stakeholders, because they are the ones who will use the measures to monitor and evaluate the achievement of the enterprise’s objectives and goals. Themeasures should be relevant, reliable, valid, and understandable for the stakeholders, and aligned with their expectations and needs . References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 43-44.

The IT strategy is the document that defines how IT will be used to support and achieve the business objectives of the organization. It aligns the IT investments, resources, and activities with the business priorities and direction. When there is a change in the business objectives, such as a re-prioritization by management, the IT strategy should be updated accordingly to ensure that IT remains relevant and aligned with the new business goals. Updating the IT strategy should be done first before allocating resources to IT processes, because it provides the basis for determining which IT processes are most critical and valuable for the organization. The other options are not the best actions to perform first in this scenario. Performing a maturity assessment, implementing a RACI model, and refining the human resource management plan are all useful activities for improving the IT processes, but they are not directly related to the change in business objectives. They should be done after updating the IT strategy, based on the new strategic direction and priorities. References:

1: https://www.projectpractical.com/human-resource-management-plan-template-free-download/

2: https://open.lib.umn.edu/humanresourcemanagement/chapter/2-2-writing-the-hrm-plan/

3: https://www.isixsigma.com/getting-started/are-you-ready-how-conduct-maturity-assessment/

4: https://www.smartsheet.com/content/organizational-maturity

5: https://www.process.st/maturity-model/

A risk management framework is a set of principles, policies, roles, responsibilities, and processes that guide, direct, and control the identification, analysis, evaluation, and treatment of IT risks. A risk management framework can help ensure that IT risk is managed in a consistent manner by:

Providing a clear and coherent structure for managing IT risks across the organization

Aligning IT risks with the enterprise objectives, strategy, and risk appetite

Defining the roles and responsibilities of the IT risk owners, managers, and stakeholders

Establishing the criteria and methods for assessing, prioritizing, and reporting IT risks

Setting the standards and expectations for implementing and monitoring IT risk controls and responses

Ensuring the accountability and transparency of IT risk decisions and outcomes

 Quantitative analysis is the best method to assess the risk of plausible scenarios that could result in economic loss associated with major IT investments, because it tries to assign objective numerical or measurable values to the components of the risk assessment and to the assessment of potential loss1. Quantitative analysis can help estimate the probability and impact of risk events, calculate the expected monetary value (EMV) of risk, and compare the costs and benefits of different risk responses2. Quantitative analysis can also provide a more accurate and objective basis for decision making than qualitative analysis, which is scenario-based and relies on subjective judgments1. References := 1: Risk Assessment and Analysis Methods: Qualitative and Quantitative - ISACA12: 6 Types of Risk Assessment Methodologies + How to Choose - Drata2

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite of the enterprise should be the primary consideration when developing a risk management policy for a portfolio of IT-enabled investments, because it helps to align the risk management strategy with the business strategy and goals. Risk appetite also helps to define the risk tolerance and thresholds for each investment, and to prioritize and allocate resources accordingly. Risk appetite also helps to communicate the expectations and responsibilities of the stakeholders involved in the risk management process, and to foster a risk-aware culture within the organization. References := CGEIT Review Manual, Chapter 4: Risk Optimization, Section 4.1: IT Risk Management Strategy, Subsection 4.1.1: Establishing IT Risk Appetite, Page 139.

Data management is the aspect of IT governance that BEST addresses the potential intellectual property implications of a cloud service provider having a database in another country. Data management involves defining and implementing policies and processes for the effective and efficient acquisition, storage, distribution, usage, and disposal of data in alignment with business objectives and regulatory requirements1. Data management also includes ensuring the protection of data quality, integrity, availability, confidentiality, and ownership1. Therefore, data management can help mitigate the risks of intellectual property infringement, theft, or misuse that may arise from storing data in a foreign jurisdiction with different legal and regulatory frameworks23. References :=

CGEIT Review Manual (Digital Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123

CGEIT Review Manual (Print Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123

Cloud computing: A brief overview of intellectual property issues “in the cloud” - Lexology2

Protecting Intellectual Property in the Cloud - WIPO