
ISACA CERTIFIED IN GOVERNANCE OF ENTERPRISE IT STUDY GUIDE: INCLUDES THE LATEST PRACTICE QUESTIONS AND ANSWERS

By

Daniel L. Patton

Introduction
In this book, we’ll cover these main areas:

- 2020 CGEIT Changes
- CGEIT Requirements
- Content Domains and Job Practices
- Exam Essentials
- Exam Preparation Tips
- Over 100 Recent Exam Practice Questions and Answers

ISACA CGEIT is the only governance certification that can give you the
mind-set to assess, design, implement and manage enterprise IT governance
systems aligned with your overall business goals. It is globally accepted and
recognized and is framework agnostic. It addresses an overarching
governance posture that draws on multiple relevant frameworks,
standards, bodies of knowledge, and models that are relevant and valuable to
your overall governance system. The CGEIT exam offers concise job practice
areas addressing new trends, technologies and changing business needs that
are designed to keep you at the top of your game and improve business
performance. This update can not only help you and your career but can also
enable you to think strategically, plan proactively and optimize resources,
deliver business value, mitigate risk and streamline operations, including
and especially during times of crisis. CGEIT recognizes a range of
professionals for their knowledge and application of enterprise IT governance
principles and practices. To earn the CGEIT designation, you must meet the
following requirements.

- Of course, you have to pass the exam. We'll talk about that in
more detail later in this book.
- Submit your application. You have to do that within five years of
passing the exam, with verified evidence of at least five years of
experience in an advisory or oversight role supporting the governance
of the IT-related contribution to an enterprise. Currently there is a
waiver for the one-year requirement related to domain one, which may
be obtained by holding a COBIT 2019 Design and Implementation
certificate. I recommend that you first review the exam content outline
for any certification of interest to ensure that your work experience
qualifies, then review any other specific requirements as well.
- ISACA sets forth a code of professional ethics to guide the
professional and personal conduct of its members and certification
holders. Members and those certified are required to abide by
ISACA’s code of professional ethics.
- To maintain your CGEIT, you must earn and report a minimum of
120 CPE hours every three-year reporting cycle and at least 20
hours annually. This reporting is due by the end of each calendar
year and is required to renew through the following year.

2020 CHANGES
Let's take a look at some of the changes that we see with the new CGEIT
exam. The new CGEIT domains address new trends, emerging technologies and
changing business needs, accounting for the latest governance industry
practices. The first thing we'll talk about is the exam preparation materials.
The CGEIT review manual, eighth edition, and the CGEIT review questions,
answers and explanations manual, fifth edition, have been revised and updated
to reflect the 2020 outline.

Next, the exam content outline. The format has changed so that the exam
specifications focus on areas of knowledge rather than task statements. The
new outline contains a list of supporting task statements, or activities, that
apply the knowledge from each of the four domains. Several new sub-topic
areas relevant to IT governance professionals have also been included. And
the knowledge related to the previous domain, which was called Strategic
Management, is now integrated throughout all four domains of the new content
outline. Below are the four CGEIT domains:

1. Governance of Enterprise IT.
2. IT Resources.
3. Benefits Realization.
4. Risk Optimization.

Let’s look at these in more detail.

1. Governance of Enterprise IT - This domain basically has three major
areas: governance framework, technology governance and information
governance. You can expect about 40% of the exam questions to come from
this domain.
2. IT Resources - There are two big areas here, IT resource planning and
IT resource optimization. In the exam, you can expect about 15% of the
questions to come from here.
3. Benefits Realization - This area covers IT performance and oversight,
and management of IT-enabled investments. In the exam, you can expect
about 26% of the questions to come from benefits realization.
4. Risk Optimization - This includes areas like risk strategy and risk
management. In the exam, you can expect about 19% of the questions to
come from risk optimization.

Exam Essentials
The CGEIT Certification Working Group oversees the development of this
exam, ensuring that the job practice is properly tested. There will be 150
multiple-choice questions, each with one best answer from four options: A,
B, C, or D. You'll have four hours, or 240 minutes, to take the exam, which
allows a little over a minute and a half per question. CGEIT certification
exams can now be taken via online remote proctoring or at an in-person testing
center. You'll schedule your exam for any available date, time or location
within the 365-day eligibility period. If you're within 48 hours of your
scheduled testing appointment, you must take the exam or forfeit the
registration fee. Please note that payment is required before you schedule
the exam, and it's about $575 for members and $764 for non-members.
Scores are reported as a scaled score. This is a conversion of your raw score
on the exam to a common scale from 200 to 800. To pass, you must
receive a score of 450 or higher, which represents the minimum consistent
standard of knowledge established by ISACA for CGEIT certification. You can
find more information on this and register for the exam at the official ISACA
website.

Exam Preparation Tips
I would suggest first getting the candidate information guide. This gives a
lot of practical information on the exam. It includes exam registration
deadlines and details for exam-day administration. It even has significant
information such as the exam domains, the number of questions, its length and
the languages available. No one should take the ISACA CGEIT exam without
reading this guide. We also have the CGEIT review manual, and I can tell you
this is a must-read. The manual is available in e-book and hardcopy format,
and it's arranged according to CGEIT’s four job practice areas.

Practice Questions
1. IT investments must meet the following criteria in order to provide value
for the company:

A. a part of the balanced scorecard
B. in line with the IT strategy goals
C. The CFO has given his OK.
D. in line with the company's strategic objectives

Answer: D

2. By establishing a standard definition for likelihood and impact, a company
can:

A. Make threat assessment a top priority.
B. limit the amount of variation in risk evaluations
C. develop key risk indicators (KRIs).
D. Reduce your risk appetite and tolerance.

Answer: A

3. What is the NEXT step in developing the department's human resource
assets now that the required core competencies of the IT personnel have been
predicted and identified?

A. Create a RACI (responsible, accountable, consulted, and informed)
chart.
B. Develop third-party assurance staff requirements.
C. Create a program for effective recruiting, retention, and training.
D. Stick to the performance metrics and bonus structure established by
the board.

Answer: C

4. Senior management is analyzing the findings of a recent security incident
that had a substantial impact on the company. Which of the following
findings should worry you the most?

A. There was no record of the occurrence in the ticketing system.
B. Without consulting the right authority, decisions on response were made.
C. The incident documentation has a number of significant flaws.
D. Due to a lack of internal resources, response attempts had to be
outsourced.

Answer: C

5. A risk program must be properly implemented across the organization,
according to an IT strategy committee. Which of the following would be the
most beneficial to this goal?

A. A risk recognition and reporting policy
B. A risk management framework
C. Mandatory risk awareness courses for staff
D. Commitment from senior management

Answer: D

6. It is critical to define skill requirements based on the following criteria to
enable the creation of required IT skill sets for the enterprise:

A. training needs.
B. a best practices framework.
C. each of the IT department's roles
D. a set of skills for all IT staff

Answer: C

7. Which of the following would be the most concerning in terms of risk
management process effectiveness?

A. Annual updates to the plans and procedures are not made.
B. There is no system in place to assure accurate risk event reporting.
C. There are no key risk indicators (KRIs) in place.
D. Performance evaluations do not incorporate risk management
standards.

Answer: C

8. Which of the following is the MOST EFFECTIVE method for managing
risks in a business?

A. Assign risk management tasks and accountability to individuals.
B. Procedures and reporting processes should be documented.
C. Financial resources should be allocated to risk management
systems.
D. Make employees aware of the dangers in their area and how to
manage them.

Answer: A

9. Which of the following factors has the most impact on data quality
assurance?

A. Data encryption
B. Data stewardship
C. Data modelling
D. Data classification

Answer: B

10. Which of the following would be the most effective way of ensuring that
an IT governance framework is accepted?

A. Using subject matter experts
B. Using industry-accepted practices
C. Regulatory compliance
D. Taking into account the impact of enterprise culture

Answer: D

11. An organization wishes to handle the human components of social
engineering risk. Which of the following is the BEST strategy to manage this
risk from a governance perspective?

A. Social media access should be limited.
B. Make annual security awareness training a requirement.
C. Staff should be given a copy of the social media information
security policy.
D. Employee contracts should incorporate security standards.

Answer: C

12. Which of the following has the most serious consequences for a company
with a poor information architecture?

A. Poor business decisions
B. Poor desktop service delivery
C. Redundant systems
D. Data retention

Answer: A

13. An organization is concerned about data leakage as a result of increased
use of social media in the workplace and wants to develop a social media
strategy. Which of the following factors should be prioritized when
establishing this strategy?

A. Data ownership
B. Information's criticality
C. Keeping the enterprise architecture (EA) up to date
D. The right mix of business rewards and risk

Answer: D

14. Which of the following aspects of business ethics is the most important?

A. Ensure that vendor management practices are fair and consistent.
B. Protecting the interests of stakeholders
C. Providing employees with equal opportunities
D. Observing all applicable legal and regulatory requirements

Answer: D

15. A CIO just got a final audit report indicating that the enterprise's mobile
device acceptable usage policy is being applied inconsistently across all
business divisions. Which of the following should be the first step in
resolving the problem?

A. Integrate compliance metrics into your performance objectives.
B. All mobile device users must receive mandatory awareness training.
C. Put in place controls to ensure that the policy is followed.
D. Review the current policy's applicability.

Answer: D

16. Employees' increased usage of personal devices for work-related
activities has raised IT security concerns, despite employees' claims that it
allows them to be more productive. The following factors should be
considered when deciding whether or not to change the enterprise
information security policy:

A. the security implications
B. an assessment of the risks and benefits
C. Procedures for approving user access
D. Findings of the audit

Answer: B

17. An organization changed its business operating model significantly,
resulting in a new strategic direction. To guarantee IT alignment with the new
business strategy, which of the following should be assessed first?

A. IT risk appetite
B. Enterprise project management framework
C. Information systems architecture
D. IT investment portfolio

Answer: B

18. Which of the following provides the most in-depth analysis of IT
effectiveness?

A. Return on investment (ROI)
B. Key risk indicators (KRIs)
C. IT balanced scorecard
D. IT strategy

Answer: C

19. Non-compliance with privacy standards resulted in sanctions for a
company. Which of the following is the MOST critical factor in ensuring
proper ownership of access controls in order to overcome this deficiency?

A. Access to information is granted based on the information
architecture.
B. Multi-factor authentication controls are being implemented.
C. Access to information assets is authenticated based on roles or
business rules.
D. Performing a logical access control and related security policy audit

Answer: D

20. An IT manager is trying to figure out what the best IT service levels are.
Which of the following should be the most important factor to consider?

A. Resource utilization analysis
B. Internal rate of return
C. Recovery time objective (RTO)
D. Cost-benefit analysis

Answer: D

21. A company is considering enacting a policy that would make personal
data in enterprise systems anonymous. Which of the following is the MOST
critical factor for the IT steering committee to examine before making a
decision?

A. Business impact analysis (BIA) results
B. Potential implementation barriers
C. Sustainability costs to the enterprise
D. Regulatory requirements

Answer: D

22. An executive sponsor of a partially completed IT project has discovered
that the project's financial assumptions have altered. Which of the following
governance measures should be implemented first?

A. Request that the business case be updated.
B. Re-evaluate the project in the portfolio.
C. Request a risk assessment.
D. Schedule an interim project review.

Answer: B

23. Which of the following provides the BEST proof of an enterprise-wide IT
risk-aware culture?

A. The policies relating to IT risk have been made public.
B. IT threats are reported by business staff.
C. The business is informed about IT risk.
D. The IT infrastructure has a high level of resiliency.

Answer: D

24. When it comes to aligning IT and enterprise resource management
procedures, the most important thing to remember is to make sure that:

A. Business strategies are developed by IT.
B. A policy for IT sourcing has been established.
C. Business priorities are mapped to IT resources.
D. The program for resource management is being monitored.

Answer: C

25. A marketing firm is exploring obtaining client data in order to better
focus consumer communications and boost sales. The cost of data to the
company is extremely significant. Which of the following would provide the
most thorough picture of the organization's prospective value?

A. Investment services board review
B. Net present value (NPV) calculation
C. Cost-benefit analysis results
D. Risk assessment results

Answer: C

26. Which of the following is a barrier to business and IT strategic alignment
in an organization with global business units and a centralized financial
control model?

A. Portfolio management is standardized across all business units.
B. IT is the exclusive provider of information technology services to
the business units.
C. The CIO of the company sits on the executive committee.
D. Each business unit has its own IT investment and prioritization
steering group.

Answer: D

27. Following a large data breach at a company, a directive was issued to
tighten and enforce current data governance standards. Which of the
following should be completed first in order to reach this goal?

A. Analyze data quality.
B. Verify data owners.
C. Assess data security controls.
D. Review data logs.

Answer: C

28. Who is primarily responsible for delivering the business advantages of an
IT-enabled investment program?

A. Program manager
B. CIO
C. IT steering committee chair
D. Business sponsor

Answer: B

29. The CEO of a company is concerned about discrepancies in the
classification of information assets across the company. Which of the
following would be the most effective strategy for the CIO to solve these
issues?

A. Data assets should be included in the IT inventory.
B. Identify the data owners across the organization.
C. Implement data governance across the company.
D. Make business risk assessments a requirement.

Answer: C

30. Several months ago, a strategic systems project was started. Which of the
following is the BEST reference for the IT steering committee to use when
assessing the project's success?

A. The new system's operating metrics
B. The net present value (NPV) of the project
C. Stakeholder satisfaction surveys
D. The business case for the project

Answer: D

31. To ensure that information can be traced back to its source and
responsible parties, a company should first:

A. Review the source information retention requirements.
B. Examine the information event logs for any possible incidents.
C. Capture source information and supporting evidence.
D. Enhance control of business process

Answer: C

32. When planning to install a cloud-based application for sharing documents
with internal and external parties, which of the following is the MOST
critical factor to consider?

A. Third-party access rights
B. User experience
C. Cloud implementation model
D. Information ownership

Answer: A

33. An organization has made the strategic choice to embark on a global
expansion program that will need the establishment of sales offices in
countries all over the globe. Which of the following should be the most
important factor to consider when it comes to the centralized IT service desk?

A. Application of a uniform policy throughout all regions
B. Availability of sufficient resources to support new users
C. Determine which IT service desk functions can be outsourced.
D. Variances in service delivery due to regional differences

Answer: B

34. Which of the following provides the BEST assurance that IT service
management methods are effective?

A. Performance of incident response
B. Continuous monitoring
C. Key risk indicators (KRIs)
D. Internal control compliance

Answer: B

35. When assessing the loss associated with a large risk occurrence, which of
the following is the MOST important input?

A. Business impact analysis (BIA) report
B. IT environment threat modelling
C. Recovery time objectives (RTOs)
D. Key risk indicators (KRIs)

Answer: D

36. The BEST method to handle governance-related process improvement is
to:

A. Accountability should be defined in terms of roles and obligations.
B. demand impartial third-party reviews
C. use good quality management techniques
D. assess existing process resource capacities.

Answer: D

37. Senior management's commitment to IT governance is best demonstrated
by communicating which of the following?

A. Legal and regulatory requirements
B. Approved IT investment opportunities
C. Need for enterprise architecture (EA)
D. Objectives and responsibilities

Answer: D

38. An IT steering committee wants the company's mobile workforce to save
non-sensitive corporate data in the cloud, eliminating the need for remote
access to that data. What should be included in the data management policy
before this modification is implemented?

A. A mandate for the encryption of all corporate data files at rest that
contain sensitive data
B. A requirement that employees be trained on how to categorise
company data files on a regular basis.
C. Approved cloud-based apps must be scanned for improper
information.
D. If unsuitable content is identified, a procedure for banning access to
cloud-based apps is established.

Answer: A

39. As part of the formulation of an IT strategy, a company conducts a
SWOT analysis. Which of the following would be the MOST useful tool for
identifying opportunities and threats?

A. Internal framework assessment
B. Critical success factors (CSF)
C. Competitor analysis
D. Risk appetite

Answer: B

40. The CIO of a multinational corporation is considering storing customer
data on an overseas cloud service provider. When making this decision,
which of the following should be the MOST crucial factor to consider?

A. Compliance with applicable legislation
B. The tendency of natural disasters
C. Roles and duties in IT service delivery
D. The reputation of the cloud service provider

Answer: A

41. The CIO of a multinational corporation wants confidence that significant
IT risk is being proactively monitored and that risk tolerance criteria are not
being exceeded. The BEST approach to ensure that this assurance is
maintained is to necessitate the development of:

A. a risk register.
B. a risk management policy.
C. an IT risk appetite statement.
D. key risk indicators (KRIs).

Answer: D

42. Which of the following jobs is PRIMARILY responsible for data asset
security?

A. Data analyst
B. Data owner
C. Database administrator
D. Security architect

Answer: B

43. An enterprise resource planning (ERP) change is underway at a major
organization with branches in a number of countries. The IT department
learns that the company's branches in a country with the largest influence on
the company are being sold. What is the NEXT ACTION to take?

A. Make changes to the ERP installation budget and plan.
B. Re-allocate project money and cancel the ERP transformation.
C. Carry on with the ERP migration as planned.
D. Update the ERP business case and re-evaluate the ROI.

Answer: D

44. Supply chain management has established a supplier policy that
necessitates the use of numerous technology providers. What is the most
effective strategy to assure the policy's success?

A. Ensure that the vendor selection process is consistent with the
security policy.
B. Determine and choose suppliers based on price.
C. Enterprise architecture (EA) and procurement strategies should be
in sync.
D. A master service agreement should be implemented.

Answer: C

45. The CIO of a company discovers that a competitor's payroll server has
been infected with ransomware. What should the CIO do first to prepare for
the prospect of business data being ransomed?

A. Request a targeted risk assessment.
B. Demand that key risk indicators (KRIs) be developed.
C. Create a policy to deal with ransomware.
D. Data from the company should be backed up to a secure location.

Answer: A

46. An organization has made the strategic choice to cut operating costs for
the coming year, and it is taking advantage of cost savings provided by an
external cloud service provider. Which of the following should be the
primary concern of the IT steering committee?

A. Updating the business risk profile
B. Changing the company's balanced scorecard
C. Changing the charter of the IT steering committee
D. Calculating the existing solution's cost

Answer: A

47. Which of the following IT governance elements BEST addresses the
potential intellectual property issues of a cloud service provider having a
database in another country?

A. Continuity planning
B. Security architecture
C. Contract management
D. Data management

Answer: C

48. What is the best strategy for an IT governance board to define artificial
intelligence (AI) adoption behaviour standards?

A. Direct the creation and approval of an ethical use policy.
B. Review and update the data privacy policy to ensure it meets
industry requirements.
C. Ethics topics should be included in on-boarding and awareness
training.
D. In vendor agreements and contracts, include particular ethics
clauses.

Answer: A

49. An IT governance committee wants to make sure that the enterprise data
policy includes a clear explanation of the "data owner." Which of the
following is the best way to identify who owns data stored in an external
cloud?

A. The risk manager who is in charge of safeguarding cloud-based data
B. The person in charge of a company who is most affected by data
loss
C. The vendor who uses online forms to send data to the organization.
D. The contract manager is in charge of monitoring the cloud
provider's security.

Answer: A

50. Who among the following is best qualified to assess the potential benefits
of an IT-enabled investment?

A. Chief information officer
B. External IT auditor
C. Portfolio management officer
D. Business sponsor

Answer: A

51. The PRIMARY aim of implementing an IT strategic planning process
should be which of the following?

A. Using a corporate plan to achieve a set of objectives
B. Translating business needs into IT initiatives
C. Identifying the advantages of IT installations
D. Getting the most out of IT resources to boost innovation

Answer: B

52. Which of the following is THE MOST IMPORTANT factor in a
successful enterprise architecture (EA) implementation?

A. Managing the Change Challenge
B. Establishing key performance indicators (KPIs)
C. Making tools for data modelling
D. Investing in IT at a lower price

Answer: B

53. To prevent the danger of reputational damage from employees using
social media inappropriately outside of work, the enterprise's social media
strategy should PRIMARILY emphasize:

A. putting in place a social media-based assessment of processes
B. developing policies on social media.
C. putting in place precautionary controls
D. ensuring that management approves each use of social media

Answer: B

54. Which of the following is the MAIN advantage of conveying IT strategy
across the organization?

A. Better balanced scorecard performance in IT
B. Less organizational resistance during strategy implementation
C. Strategic project delivery on time and on budget
D. IT investment optimization in support of business goals

Answer: B

55. Which of the following should be the first step in the implementation of
IT governance?

A. Determine the business drivers.
B. Assign responsibilities for decision-making.
C. Define key business performance indicators.
D. Obtain the necessary capital for your business.

Answer: C

56. A company intends to build a business intelligence (BI) solution that will
pull data from a variety of internal applications. Which of the following
presents the most difficult implementation challenge?

A. Enterprise and BI application interface difficulties
B. Sources of data definition and mapping from applications
C. The requirement for staff training on the new BI tool
D. Large volumes of data fed from enterprise applications

Answer: D

57. Which of the following best demonstrates good IT governance?

A. Customer happiness and business value
B. Human resource optimization and cost savings
C. Identification and mitigation of IT risks
D. Comprehensive IT policies and procedures

Answer: D

58. Due to unforeseen technology issues, a strategic IT-enabled investment is
failing. What should be the first course of action for the board of directors?

A. Investing should be stopped.
B. Approve an increase in the investment budget.
C. Rethink how you choose investments.
D. Assess the business risk and options.

Answer: D

59. Which strategy is the most effective for determining an organization's
current risk appetite?

A. Interviewing senior management
B. Examining the results of recent audits
C. Taking a look at the balanced scorecard
D. Considering the use of social media

Answer: A

60. To guarantee that the process of establishing a business case for IT-
enabled investments continues to support benefits realization, the benefits
expected from investment programs must be actively managed through:

A. project life cycle.
B. obsolescence planning.
C. the economic life cycle.
D. The development life cycle of the system

Answer: D

61. The IT program manager does not believe risk assessments are necessary for
a new significant IT project. The manager is hesitant to work with the newly
constituted steering group and internal auditors. Because the CEO is a buddy
of a vendor and wants to adopt this vendor's latest technology, program
criteria were modified midway through the project. This decision will result
in an insufficient budget for the present IT program, which will be reported
as overspending. Following the request for a requirement change, the IT
program manager should first:

A. To cover the expanded scope, obtain additional cash from the
business owner.
B. Align IT with the business and accept the request from the
company.
C. Obtain business confirmation and a steering committee decision.
D. Report the problem to internal audit as a program variance that
needs to be looked into.

Answer: C

62. Which of the following is the most effective way of ensuring that
enterprise IT governance is followed consistently?

A. IT leadership that is both experienced and skilled
B. Processes for IT management that are established and monitored.
C. Defined key risk indicators
D. Regular review of IT policies and procedures

Answer: D

63. To assess IT resource management, it is critical to first define:

A. Procedures for reporting on the use of IT resources.
B. applicable key goals.
C. responsibility for resource management execution
D. IT strategy's guiding principles

Answer: C

64. In recent years, a large bank has conducted multiple acquisitions that
have resulted in redundant IT applications. The IT steering group has decided
to share data and connect applications in order to fit with the strategic aim of
providing integrated services to customers. In this case, which of the
following would be the MOST important to review?

A. IT strategic plan
B. Enterprise architecture
C. Balanced scorecard measures
D. IT risk register

Answer: B

65. The PRIMARY PURPOSE of an effective set of key risk indicators
(KRIs) is to:

A. calculating the risk management team's productivity
B. Getting executive buy-in for the risk program
C. Taking a look at current technology to see what capabilities it has
for risk monitoring.
D. identifying any potential negative consequences for the company in
the future

Answer: B

66. Which of the following traits best describes an IT process that is a good
candidate for outsourcing?

A. Processes that pose a higher risk to the company
B. Processes that necessitate the involvement of experts
C. Non-strategic processes that are not documented
D. Well-defined operational processes

Answer: C

67. Which method is the most effective for implementing good IT risk
management?

A. Align with risk management processes in the business.
B. Create a risk management department.
C. Adopt risk management processes.
D. Reduce the number of decision points for IT risk management.

Answer: C

68. The board of directors of a company has ordered the CIO to implement
measures to make the IT department more environmentally conscious. Which
of the following should be the CIO's FIRST step in ensuring that IT demands
remain aligned with the board's requirements?

A. Create a business case for an IT initiative that is ecologically
friendly.
B. Examine the viability of ecologically friendly IT efforts.
C. Incorporate new environmentally conscious goals into existing IT
objectives.
D. Create a staff awareness education plan focused on IT
environmental responsibility.

Answer: D

69. An IT steering committee is worried that the technologies of a company
have become outdated. Which of the following is the most effective modern
technology investment strategy?

A. Reduce steady-state spending and increase modernization and
upgrades spending.
B. Require training and development for evolving technologies in the
IT human resource management plan.
C. Create a new investment category for innovation, which will serve
as a new approach to track investment decisions.
D. Redefine the target architecture to define new technologies that can
be incorporated into the infrastructure.

Answer: D

70. Which of the following is the BEST approach for a CIO to improve the
alignment of IT and business security risk management?

A. Conduct a trend analysis using security investment levels and
business initiatives as a starting point.
B. Establish a process in which IT and the business collaborate on risk
assessment and mitigation prioritization.
C. Examine benchmark reports to acquire a better understanding of the
organization's security investments in comparison to those of
competitors.
D. Facilitate combined workshops on risk assessment approaches for
IT and the business.

Answer: B

71. Which of the following is the MOST accurate indication of IT governance
efficiency in a company?

A. Resource utilization
B. Residual risk
C. Value delivery
D. Project delivery

Answer: C
72. After a gap analysis of IT risks and control capability, the MOST
important consideration for the associated risk responses is that they are:

A. reported to the audit committee.
B. assessed for severity of impact.
C. approved by executive management.
D. reflected in the IT balanced scorecard.

Answer: B

73. The CIO is concerned that recent IT-enabled investments have not taken
advantage of the enterprise architecture. Which of the following would be
the MOST helpful in addressing these concerns and enforcing use of the
enterprise architecture?

A. Adopt a globally recognized enterprise architecture framework.
B. Form a team to keep the enterprise architecture up to date on a
regular basis.
C. Publish and train on the enterprise architecture document.
D. Require a review of the enterprise architecture at major milestones.

Answer: D

74. The CEO of a corporation is worried that risk events that are not directly
related to emergency incidents are not regularly addressed at the C-suite
level. Which of the following is the MOST effective strategy for the CEO to
ensure that risk events receive adequate time and attention?

A. Require the creation of a risk management procedure for capturing
risks.
B. Include the discussion of key enterprise risk as an agenda item at
board meetings.
C. Set performance goals that are focused on reducing enterprise risks.
D. Instruct managers to take responsibility for the risks that have been
identified in their departments.

Answer: B

75. According to a survey report obtained by IT senior management, more
than one-third of the organization's key IT employees plan to retire over the
next 12 months. Which of the following governance actions is the MOST
necessary to prepare for this possibility?

A. Examine the motivators for key IT personnel.
B. Evaluate lower-level staff as succession candidates.
C. Engage HR in the hiring of new employees.
D. Require that a succession plan be created.

Answer: D

76. The volume of false positives in risk reports has overwhelmed the risk
committee. Which action would be the MOST effective in this situation?

A. Change the reporting format.
B. Conduct a risk assessment.
C. Adjust the IT balanced scorecard.
D. Evaluate the key risk indicators.

Answer: D

77. A new regulatory requirement that may affect IT-enabled business
activities was recently brought to the attention of a CIO. Which of the
following should the CIO do FIRST when determining how to respond to the
new requirement?

A. Update active initiatives to meet the new requirement.
B. Consult the board of directors for advice on the new requirement.
C. Confirm there are adequate resources to meet the compliance
requirement.
D. Consult with legal and risk specialists to fully understand the
requirement.

Answer: D

78. Which of the following is the MOST effective strategy to address
concerns about outsourcing an IT process?

A. Manage service levels.
B. Examine the IT governance framework.
C. Perform a risk assessment.
D. Implement a business continuity plan.

Answer: C

79. Which of the following approaches is the BEST for assisting a company
in preparing for IT-enabled investments?

A. IT process mapping
B. Task management
C. Service level management
D. Enterprise architecture

Answer: D

80. For the first time, the procurement department has asked IT to enable
remote access for third-party vendors. Which of the following is the MOST
effective way for IT to respond to the request?

A. Provide third-party vendors with log-on credentials.
B. Create a policy for remote access.
C. Create a system for remote access.
D. Analyze the risks and propose a solution.

Answer: D

81. To ensure that IT supports repeatable business processes, the MOST
essential part of an IT governance structure is:

A. earned value management.
B. risk management.
C. quality management.
D. resource management.

Answer: C

82. An organization enters into a long-term contract with an outsourcing
partner. The BEST time for the organization to plan for contract termination
is when:

A. the contract is addressed as part of business continuity planning.
B. issues surface in the contractual relationship.
C. either party decides to terminate the contract.
D. the initial contract is being developed.

Answer: D

83. When making changes to the IT strategy, which of the following should
the CIO evaluate FIRST?

A. Has the impact on the enterprise architecture been assessed?
B. Has the investment portfolio undergone any changes?
C. Have the IT risk metrics been changed?
D. Have key stakeholders been consulted?

Answer: B

84. As a result of a substantial and drastic shift in enterprise business
strategy, an IT team is having trouble satisfying new demands placed on the
department. Which of the following is the BEST course of action for the CIO
to take in this situation?

A. Reassess the IT risk appetite.
B. Align the IT strategy with the business strategy.
C. Outsource non-value-added processes.
D. Examine the present IT strategy.

Answer: B

85. To fulfill business needs, an organization's IT infrastructure must be
updated. Which of the following will provide the MOST valuable information
when making IT investment decisions?

A. Risk assessment report
B. Enterprise architecture
C. Business user satisfaction metrics
D. Audit findings

Answer: B

86. A worldwide corporation is in the midst of a downturn and is rapidly
losing market share. IT senior management is reevaluating the business's
fundamental activities, including IT, as well as the resource implications.
Management has made the decision to concentrate on the domestic market
and to shut down international operations. The retention of the most capable
employees is a crucial issue in resource management. Which of the following
is the BEST way to achieve this?

A. Ranking employees across the enterprise based on their pay.
B. Ranking employees across the enterprise based on length of service.
C. Retaining only skilled employees from the local market.
D. Examining current goal-based performance evaluations across the
enterprise.

Answer: D

87. The FIRST and MOST important goal of IT resource planning in an
organization should be to:

A. finalize service level agreements for IT.
B. determine IT outsourcing options.
C. assess the risk posed by IT resources.
D. maximize the value received from IT.

Answer: D

88. A company discovers that a new privacy regulation has recently been
released to safeguard customers in the event of a data breach involving
personally identifiable information (PII). The FIRST step for the IT risk
management team should be to:

A. establish the risk tolerance for the new regulation.
B. assign a risk owner for the new regulation.
C. identify whether the new regulation poses a new risk.
D. analyze the risk appetite for the new regulation.

Answer: C

89. Senior management is concerned about an increase in the enterprise's
cybersecurity risk. Which of the following would be the MOST useful in
developing an early warning system to assess which potential threats should
be escalated to senior management?

A. Patch management logs
B. Key performance indicators (KPIs)
C. A risk appetite statement
D. Agreed-upon risk thresholds

Answer: D

90. An organization has a zero-tolerance policy for security. This policy is
causing a large number of email attachments to be blocked, which is causing
significant problems for the business. Which of the following should be the
FIRST governance action in resolving the email problem?

A. Introduce a procedure for handling exceptions.
B. Recommend that the zero-tolerance policy be signed off on by the
business.
C. Direct the development of an email usage policy.
D. Obtain senior management input based on the risk that has been
identified.

Answer: D

91. Which of the following is the MOST critical to establish in order to
ensure that an IT dashboard effectively communicates the present state of IT
to senior management?

A. IT spend against budget
B. An IT risk awareness program
C. Emerging threat analysis reporting
D. Key performance indicators (KPIs)

Answer: D

92. Which of the following would a CIO use to present the board of directors
with a holistic view of IT performance?

A. Key risk indicators (KRIs)
B. Key performance indicators (KPIs)
C. Balanced scorecard
D. Maturity model

Answer: C

93. An independent consultant was recruited to undertake an ad hoc audit of
an organization's information security office, with the results being submitted
to the IT governance committee and the board of directors. Before the audit
begins, which of the following is the MOST important information to
present to the consultant?

A. Acceptance of the risks and opportunities associated with the audit
B. The security office's procedures and framework
C. The security office's organizational structure
D. The scope and stakeholders of the audit

Answer: D
94. To ensure that IT risk is managed consistently, IT governance must
establish a:

A. risk management framework.
B. risk management committee to identify IT-related risks.
C. balanced scorecard that takes IT risks into account.
D. risk management reporting tool to ensure compliance.

Answer: A

95. In the IT investment process, which of the following should come FIRST?

A. Analyze IT investments using historical data.
B. Choose IT projects that will help the company achieve its goals.
C. Assess each project's impact on the enterprise's investment plan.
D. Analyze the investment's risks and benefits for each IT project.

Answer: C

96. The BEST person to be in charge of a business continuity plan for
business-critical systems is the:

A. chief executive officer.
B. chief information officer.
C. enterprise risk manager.
D. director of internal audit.

Answer: B

97. Which of the following is the MOST important factor to consider
when creating a training program to help IT staff enhance their capacity to
adapt to business needs?

A. Capability maturity model
B. Annual performance evaluations
C. Cost-benefit analysis
D. Skills competency assessment

Answer: D

98. Which of the following is the MOST critical to improve from a
governance standpoint in a business that is rapidly adopting cloud
technology?

A. Configuration management processes to ensure availability goals
are maintained.
B. Dashboard reporting for IT projects to capture new risks, threats,
and situations.
C. A data reorganization plan to guarantee that the architecture can
handle future modifications.
D. Change management processes to capture organizational and project
changes.

99. An organization wants to move its IT infrastructure to the cloud, but it
has no prior experience with the technology. To limit the risk of IT service
outages when deploying this new technology, which of the following should
be done FIRST?

A. Engage an experienced IT professional to conduct the migration.
B. Implement key performance indicators (KPIs).
C. Reflect the changes in the enterprise architecture (EA).
D. Consider the sourcing alternatives.

Answer: B

100. When conducting a risk assessment in support of a new regulatory
requirement, the IT risk committee should FIRST consider:

A. the enterprise's risk profile.
B. the readiness of IT systems to deal with the threat.
C. disruption to normal business activities.
D. the financial burden of achieving compliance.

Answer: A

101. Despite being new to the cloud environment, an organization has
decided to deploy some business applications to the public cloud. What is the
MOST critical thing the CIO can do to assure the initiative's success?

A. Ensure the cloud provider complies with international standards.
B. Make a vulnerability and threat assessment mandatory.
C. Request a right-to-audit clause in the provider contract.
D. Examine the vendor management framework.

Answer: A

102. The CIO has been asked to add an Internet of Things (IoT) component
to the IT plan to support the company's digital transformation. Which of the
following should be taken into account FIRST?

A. Limiting initial approvals to small IoT initiatives in order to gain
experience
B. Ensuring that solution providers and their IoT use cases have been
thoroughly investigated
C. Ensuring that IoT can be integrated into existing revenue sources
D. Ensuring that IoT usage in the industry has been analyzed

Answer: D

103. The IT project management office informed the steering committee that
individual business units are developing system components that could be
reused by other business units. Instead, identical components are duplicated
throughout the organization. Which of the following committee directives
would be the MOST effective in preventing this duplication?

A. Examine the IT system release management procedures.
B. Perform an assessment of change management processes.
C. Develop an enterprise architecture.
D. Conduct stage gate reviews in order to evaluate systems.

Answer: C

104. The BEST approach to analyze the effectiveness of an organization's IT
governance framework is to look at which of the following?

A. Compliance with IT policy
B. Application of IT standards
C. Maturity of IT processes
D. Value of IT contribution

Answer: C

105. Which of the following should be in charge of implementing an IT
balanced scorecard in a large corporation?

A. Chief information officer
B. Project management office
C. Chief risk officer
D. IT steering committee

Answer: B

106. Which of the following is the MOST important factor to consider
when outsourcing IT services?

A. Enterprise architecture compliance
B. Identification of core and non-core business processes
C. Adoption of a vendor selection procedure with a variety of options
D. Compatibility with current HR policies and procedures

Answer: B

107. The BEST response to a service provider failing to notify you of a data
security breach is to contractually require which of the following?

A. The service provider should keep track of all security breaches in a
database.
B. Information on security incidents should only be shared with those
who need to know.
C. All service level agreements should include security-related key
performance indicators.
D. Security incidents identified by the provider should be reported.

Answer: D

108. The PRIMARY aim of adopting service level agreements (SLAs) with
an outsourced vendor should be which of the following?

A. Gaining a competitive advantage
B. Achieving operational objectives
C. Compliance with regulatory requirements
D. Creating sanctions for failing to satisfy service levels

Answer: B

109. A CEO wants to create a governance framework that would make it
easier to align IT and business strategies. Which of the following should be
the KEY requirement of this framework?

A. An outsourcing strategy
B. A defined enterprise architecture
C. Defined resourcing levels
D. A service delivery strategy

Answer: B

110. Which of the following mechanisms is the MOST appropriate for
assessing overall IT organizational performance?

A. IT portfolio return on investment
B. Maturity model
C. Service level metrics
D. IT balanced scorecard

Answer: D
111. Which of the following would be the BEST source of information for
prioritizing strategic IT improvement projects?

A. Business dependency assessment
B. Business impact analysis
C. Business process analysis
D. Business case evaluation

Answer: B

112. IT senior management has been charged with shifting the current IT
organization paradigm to a service-oriented one to satisfy the growing
demands of a newly established business unit. Which of the following is the
MOST critical factor to consider when planning for long-term IT service
delivery when the IT organization is likely to grow significantly?

A. An IT risk management process is in place.
B. The business has given its approval to the IT service delivery
model.
C. IT is able to give the organization a broad service catalog.
D. The IT department is capable of meeting corporate demands.

Answer: B

113. Which of the following should be executive management's FIRST action
in communicating what is deemed acceptable use of personally owned devices
for corporate business?

A. Require employees to read and sign a disclaimer.
B. Provide training on how to protect data on personal devices.
C. Create and promote an applicable policy.
D. Post awareness messaging throughout the facilities.

Answer: C

114. Which of the following should be defined FIRST before IT key risk
indicators are created?

A. IT resource strategy
B. IT goals and objectives
C. IT key performance indicators
D. IT risk and security framework

Answer: B

115. Which of the following should be done FIRST when evaluating the
impact of a new regulatory requirement?

A. Map the regulation to business processes.
B. Analyze the new regulation's financial impact.
C. Implement the new regulatory requirements.
D. Update any IT policies that have been impacted.

Answer: A

116. The IT department of a large corporation has discovered a new risk
management solution that will dramatically improve IT risk monitoring
processes. However, business leaders believe that the new solution would not
bring tangible value to the company. Which of the following is the MOST
effective method for obtaining business support?

A. Obtain approval for a staff reduction over the following five years.
B. Provide the business with real-time risk reporting.
C. Promote the IT benefits and the streamlining of processes.
D. Describe the new solution's business value.

Answer: D

117. Which of the following will help an organization communicate IT
governance direction and goals MOST effectively?

A. Skills and competencies
B. Principles and policies
C. Business processes
D. Corporate culture

Answer: B

118. Responsibility for keeping track of potential IT projects for
implementing the business strategy should rest with the:

A. chief operating officer (COO).
B. chief executive officer (CEO).
C. individual business units.
D. portfolio management function.

Answer: D

119. Which of the following is the MOST effective way for IT
management to report on the value of IT to senior management?

A. Cost-benefit analysis
B. Balanced scorecard
C. Resource assessment
D. IT process maturity level

Answer: B

120. Which of the following, if missed, has the MOST impact on the firm when
establishing a business case for an enterprise resource planning (ERP)
implementation?

A. Vendor selection
B. Interdependent systems
C. IT best practices
D. Salvage value of legacy hardware

Answer: B

121. Multiple business divisions inside an organization have been identified
to be using duplicate IT applications and services to meet their specific
demands. Which of the following would be the MOST beneficial in resolving
this issue?

A. Enterprise risk framework
B. Enterprise architecture
C. IT service management
D. IT project roadmap

Answer: B

122. A recent trend of excessive exceptions to established restrictions has
raised concerns among senior management. Which of the following measures
should be taken to address this issue?

A. Risk awareness training
B. A control library
C. Independent audits
D. Continuous monitoring

Answer: D

123. An organization is embarking on a multi-year IT program to replace its
main accounting systems. The program management team has created a
business case for the projects and is currently establishing a roadmap for
them. Who among the following should be in charge of defining the
portfolio's optimization criteria?

A. IT steering committee
B. Program management team
C. Board of directors
D. Project management office

Answer: A

124. Which of the following would be the MOST useful for prioritizing IT
improvement activities in order to achieve targeted business results?

A. Enterprise architecture (EA)
B. IT skills matrix
C. Budget variance analysis
D. Portfolio management

Answer: D

125. Which of the following is the MOST significant factor to consider when
building an IT governance framework?

A. The IT strategy
B. The cost of developing the framework
C. IT risk
D. Stakeholder support

Answer: D

126. Which of the following would be the MOST helpful in ensuring timely
reporting of risk incidents and appropriate management responses?

A. Escalation procedures
B. Emergency response team
C. Key personnel interviews
D. Corporate directory

Answer: A

127. When evaluating the viability of bringing new IT practices and
standards into an organization's IT governance structure, it is critical to
know the:

A. level of outsourcing.
B. enterprise architecture.
C. culture.
D. maturity of IT processes.

Answer: B

128. Which of the following is the PRIMARY goal of performance
measurement?

A. Transparency
B. Cost efficiency
C. Benefit realization
D. Process improvement

Answer: D

129. A large retail chain's board of directors wants to know what safeguards
are in place to protect customer credit card data from being stolen. Which of
the following should be established in order to convey helpful information
about an upcoming event?

A. Performance indicators
B. Lag indicators
C. Lead indicators
D. Risk tolerance

Answer: C

130. Which of the following BEST describes an enterprise's IT investment
operations when aligning to business goals?

A. Risk management
B. Project management
C. Procurement management
D. Portfolio management

Answer: D

131. Which of the following is enabled by portfolio management in a large
enterprise?

A. Human resource optimization
B. Value creation
C. Risk reduction
D. Performance management

Answer: B
