Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 291:
Which of the following activities MUST be completed before developing an IT strategic plan?
A. Review the enterprise business plan
B. Align the enterprise vision statement with business processes
C. Develop an enterprise architecture (EA) framework
D. Review the enterprise risk tolerance level
A. Review the enterprise business plan
Before developing an IT strategic plan, it is essential to review the enterprise business plan, which defines the enterprise's structure, governance, and operations. The enterprise business plan describes the enterprise's vision, mission, goals, objectives, strategies, and performance measures. It also outlines the enterprise's value proposition, market position, competitive advantage, and customer segments. The IT strategic plan should align with and support the enterprise business plan by providing a roadmap for how IT will enable and enhance the business capabilities and outcomes. The IT strategic plan should also consider the enterprise's risk appetite and tolerance, which are defined by the enterprise's risk management framework. The other options are not necessarily required before developing an IT strategic plan. Aligning the enterprise vision statement with business processes is part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. Developing an enterprise architecture (EA) framework is a separate activity that can be done in parallel or after developing the IT strategic plan. The EA framework defines how to create and use an enterprise architecture, which provides a holistic view of the organization's business, information, and technology. Reviewing the enterprise risk tolerance level is also part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. The risk tolerance level reflects the acceptable level of variation around a particular set of risk-based objectives.
Question 292:
Which of the following would be MOST helpful to review when determining how to allocate IT resources during a resource shortage?
A. IT strategic plan
B. IT skills inventory
C. IT organizational structure
D. IT skill development plan
B. IT skills inventory
An IT skills inventory is a list of the skills, competencies, and qualifications of the IT staff in an organization. It can help to identify the current and potential capabilities of the IT workforce, as well as the gaps and needs for improvement. An IT skills inventory would be most helpful to review when determining how to allocate IT resources during a resource shortage, because it can help to match the right people with the right tasks, optimize the utilization and productivity of the existing IT staff, and prioritize the critical and urgent IT activities. The other options are not as helpful as an IT skills inventory for allocating IT resources during a resource shortage. An IT strategic plan is a document that defines the vision, mission, goals, and objectives of the IT function and how they align with the business strategy. It can help to guide the direction and scope of the IT activities and investments, but it does not provide detailed information on the availability and suitability of the IT resources. An IT organizational structure is a diagram that shows the hierarchy, roles, and responsibilities of the IT staff in an organization. It can help to clarify the reporting lines and communication channels of the IT function, but it does not reflect the skills and competencies of the IT staff. An IT skill development plan is a document that outlines the learning and training opportunities for the IT staff to enhance their skills and competencies. It can help to improve the performance and career progression of the IT staff, but it does not address the immediate needs and challenges of allocating IT resources during a resource shortage. References: What is an IT Skills Inventory?; How to Conduct an Effective Skills Gap Analysis; Resource allocation 101: How to manage your team's resources | Planio
Question 293:
What is the BEST criterion for prioritizing IT risk remediation when resource requirements are equal?
A. Deviation from IT standards
B. IT strategy alignment
C. IT audit recommendations
D. Impact on business
D. Impact on business
The best criterion for prioritizing IT risk remediation when resource requirements are equal is the impact on business, as it reflects the potential consequences of the IT risk on the enterprise's objectives, operations, reputation, and stakeholders. The impact on business can be measured by factors such as financial loss, operational disruption, customer dissatisfaction, regulatory violation, or reputational damage. The higher the impact on business, the higher the priority for IT risk remediation. Deviation from IT standards, IT strategy alignment, and IT audit recommendations are also important criteria for prioritizing IT risk remediation, but they are not the best criterion. Deviation from IT standards is the degree to which an IT process, system, or service does not comply with the established policies, procedures, or best practices. Deviation from IT standards can indicate a weakness or gap in IT governance or management, but it does not necessarily reflect the severity or urgency of the IT risk. IT strategy alignment is the degree to which an IT process, system, or service supports and enables the enterprise's strategy and goals. IT strategy alignment can indicate the value or importance of an IT process, system, or service, but it does not directly measure the impact of the IT risk on the business. IT audit recommendations are the suggestions or actions proposed by an IT auditor to address the findings or issues identified during an IT audit. IT audit recommendations can provide guidance and direction for IT risk remediation, but they are not a definitive or objective criterion for prioritization. References: IT Risk Management Guide for 2022 | CIO Insight; What is IT Governance, Risk, and Compliance (GRC)?; Holistic IT Governance, Risk Management, Security and Privacy: Needed for Effective Implementation and Continuous Improvement, ISACA; Cyberrisk Governance: A Practical Guide for Implementation, ISACA.
Question 294:
The BEST way for a CIO to manage the organizational impact of deploying a new enterprise-wide tool is to implement:
A. change management.
B. project management.
C. risk management.
D. resource management.
A. change management.
Change management is the process of planning, implementing, and managing the human side of change in an organization. Change management aims to minimize the resistance and disruption caused by a change, and maximize the adoption and benefits of the change. Deploying a new enterprise-wide tool is a significant change that affects the way people work, communicate, and collaborate. Therefore, the best way for a CIO to manage the organizational impact of this change is to implement change management practices, such as: assessing the readiness and impact of the change on the stakeholders; developing a communication and engagement plan to inform and involve the affected parties; providing training and support to help the users learn and use the new tool; measuring and monitoring the progress and outcomes of the change; and reinforcing and sustaining the change through feedback and recognition. Project management, risk management, and resource management are also important aspects of deploying a new enterprise-wide tool, but they are not sufficient to address the human side of change. Project management focuses on delivering the project on time, on budget, and on scope. Risk management identifies, analyzes, and mitigates the potential threats and opportunities associated with the project. Resource management allocates and optimizes the use of human, financial, and physical resources for the project. However, none of these processes directly deal with the behavioral and emotional aspects of change, such as overcoming resistance, building commitment, and creating a culture of change. Therefore, change management is the best way for a CIO to manage the organizational impact of deploying a new enterprise-wide tool. References: 1: What is Change Management? - Prosci; 2: What is Project Management? | PMI; 3: What is Risk Management? | PMI; 4: What is Resource Management? | PMI
Question 295:
An enterprise made a significant change to its business operating model that resulted in a new strategic direction. Which of the following should be reviewed FIRST to ensure IT congruence with the new business strategy?
A. IT risk appetite
B. Enterprise project management framework
C. IT investment portfolio
D. Information systems architecture
C. IT investment portfolio
An IT investment portfolio is a collection of IT projects, programs, and services that are funded and implemented by an enterprise to achieve its strategic and operational objectives. An IT investment portfolio should be reviewed first to ensure IT congruence with the new business strategy, as it would help to align the IT investments with the business goals, priorities, and needs. A review of the IT investment portfolio would also help to identify and evaluate the current and planned IT initiatives, assess their costs, benefits, risks, and value, and optimize the allocation of IT resources and capabilities. The other options are not as relevant, as they are more related to the execution or delivery of IT activities, rather than the planning or direction of them. References: CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.1: IT Investment Management Overview, Page 97; CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.4: IT Investment Management Process, Page 104; The Power of IT Investment Risk Quantification and Visualization: IT Portfolio Management
Question 296:
Which of the following is the BEST way to manage the risk associated with outsourcing critical IT services?
A. Ensure vendors hold information security certifications.
B. Define controls within service level agreements (SLAs).
C. Conduct quarterly performance reviews.
D. Ensure exit clauses are added to the contract.
B. Define controls within service level agreements (SLAs).
This is because SLAs are contractual agreements that specify the expectations, responsibilities, and performance standards for both the service provider and the customer. SLAs can help to define controls that mitigate the risks of outsourcing, such as data security, quality, availability, reliability, compliance, and contingency. SLAs can also help to monitor and measure the performance and value of the outsourced services, as well as to establish mechanisms for reporting, escalation, and resolution of any issues or disputes. Some of the sources that support this answer are: 1: This source provides a comprehensive guide on how to create a social media governance plan that covers the key elements of a social media policy, compliance management, security and risk mitigation, decision-making and approval workflow, and crisis management. It mentions that SLAs are one of the tools that can help to manage the risks of outsourcing social media activities to third parties. 2: This source discusses the gaps, risks, and opportunities of social media governance in the context of Australian public communication. It suggests that SLAs are one of the best practices for developing and implementing a social media strategy that aligns with the organizational goals and values, as well as the legal and ethical obligations. 3: This source explores the benefits and challenges of outsourcing IT services in the public sector. It emphasizes the importance of SLAs for defining the scope, quality, and cost of the outsourced services, as well as for managing the performance and accountability of the service providers. 4: This source presents a framework for managing IT outsourcing risks based on ISO 31000. It recommends that SLAs should include risk-related clauses that specify the roles and responsibilities of both parties, the risk identification and assessment methods, the risk response and treatment options, and the risk monitoring and reporting mechanisms.
Question 297:
A strategic systems project was implemented several months ago. Which of the following is the BEST reference for the IT steering committee as they evaluate its level of success?
A. Stakeholder satisfaction surveys
B. The project's net present value (NPV)
C. The project's business case
D. Operating metrics of the new system
C. Operating metrics of the new system
The best reference for the IT steering committee as they evaluate the level of success of a strategic systems project that was implemented several months ago is the project's business case. The business case is the document that outlines the rationale, objectives, benefits, costs, risks, and assumptions of the project. It also defines the expected outcomes and performance indicators that can be used to measure the project's success. By comparing the actual results of the project with the business case, the IT steering committee can determine if the project has met its intended goals, delivered its expected value, and justified its investment.
Question 298:
To evaluate IT resource management, it is MOST important to define:
A. responsibilities for executing resource management.
B. applicable key goals.
C. principles for the IT strategy.
D. IT resource utilization reporting procedures.
B. applicable key goals.
According to the CGEIT exam guide, IT resource management is the process of planning, acquiring, allocating, monitoring and optimizing the IT resources of an enterprise to support its strategy, objectives and goals. To evaluate IT resource management, it is most important to define the applicable key goals that the IT resources are expected to achieve or contribute to. These key goals should be aligned with the enterprise's vision, mission and values, as well as the stakeholder needs and expectations. The key goals should also be specific, measurable, achievable, relevant and time-bound (SMART), and should be communicated and agreed upon by all relevant parties. Defining the applicable key goals will help to assess the performance, value and impact of IT resource management, as well as to identify the gaps, issues and opportunities for improvement. The other options are not as important as defining the applicable key goals, as they are more related to the implementation and execution of IT resource management, rather than its evaluation. References: CGEIT Exam Candidate Guide, page 14; CGEIT Certification, IT Resource Management
Question 299:
To measure the value of IT-enabled investments, an enterprise needs to identify its drivers as defined by its:
A. technology strategy.
B. value statements.
C. service level agreements (SLAs).
D. business strategy.
D. business strategy.
To measure the value of IT-enabled investments, an enterprise needs to identify its drivers as defined by its business strategy. The business strategy is the document that defines the vision, mission, goals, and objectives of the enterprise and how they will be achieved. It also specifies the value proposition, competitive advantage, and target market of the enterprise. The drivers of value are the factors that influence or determine the value creation and delivery of the enterprise. They can include aspects such as customer satisfaction, revenue growth, cost reduction, innovation, quality, and efficiency. By identifying its drivers as defined by its business strategy, the enterprise can align its IT-enabled investments with its strategic priorities and expectations. It can also establish the criteria, metrics, and indicators for measuring and evaluating the value of IT-enabled investments in terms of their contribution to the business outcomes and performance.
Question 300:
A CIO observes that many information assets are hosted on legacy technology that can no longer be patched or updated. The systems are not currently in use, but business units are reluctant to decommission assets due to information retention requirements. Which of the following is the BEST strategic response to this situation?
A. Ensure the legacy systems are behind a secure firewall
B. Isolate the legacy systems and disconnect them from the internet
C. Apply legacy system surcharges to the business units
D. Develop and enforce life cycle policies in consultation with business
D. Develop and enforce life cycle policies in consultation with business
The best strategic response is to develop and enforce IT asset life cycle policies in consultation with business units. This approach ensures that legacy systems are managed proactively and collaboratively, balancing risk management, regulatory compliance, and operational needs. Policies should define criteria for decommissioning, archival solutions, and acceptable retention practices. Firewalls and isolation are tactical mitigations, not strategic solutions. Surcharges may discourage usage but do not resolve governance and retention challenges comprehensively. References: CGEIT Review Manual: Domain 2: IT Resources (IT Asset Management and Life Cycle); COBIT 2019: BAI09 (Manage Assets), APO01 (Manage the IT Management Framework).