Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 341:
Which of the following is the GREATEST driver of ethical decision making in an IT enterprise?
A. Corporate culture
B. Process and control environment
C. Code of conduct
D. Training and awareness programs
A. Corporate culture
Corporate culture is the most influential driver of ethical decision making. It shapes the behavior, attitudes, and values of individuals and determines whether ethical frameworks such as codes of conduct and training programs are truly effective in practice. While control environments and training reinforce behavior, the culture sets the tone from the top, influencing whether ethics are embraced or bypassed.
References: CGEIT Review Manual: Domain 1: Governance of Enterprise IT; COBIT 2019: Governance System Component: Culture, Ethics and Behavior.
Question 342:
Which of the following should a new CIO do FIRST to set the strategic direction for IT?
A. Develop well-defined business cases that include strategic outcomes.
B. Remap stakeholder analysis and desired expectations.
C. Review existing enterprise strategic objectives.
D. Redesign detailed RACI charts of the IT function.
C. Review existing enterprise strategic objectives.
The first thing that a new CIO should do to set the strategic direction for IT is to review the existing enterprise strategic objectives. The enterprise strategic objectives are the high-level goals and priorities that guide the organization's vision, mission, and value creation. The CIO should understand the current state and desired state of the enterprise, as well as the opportunities, challenges, and risks that it faces. The CIO should also assess how IT supports and enables the enterprise strategic objectives, and identify any gaps, issues, or areas for improvement.
The other options are not the first thing that a new CIO should do to set the strategic direction for IT. Developing well-defined business cases that include strategic outcomes is part of the IT investment management process, which involves selecting, prioritizing, approving, and funding IT projects and initiatives that deliver value to the enterprise. Remapping stakeholder analysis and desired expectations is part of the stakeholder engagement process, which involves identifying, communicating, and managing the needs and expectations of the internal and external stakeholders of IT. Redesigning detailed RACI charts of the IT function is part of the IT organizational design process, which involves defining and assigning the roles, responsibilities, authorities, and accountabilities of the IT staff and units.
References: According to the CGEIT Review Manual 2022, "The first step in developing an IT strategy is to understand the enterprise strategy. This involves analyzing the enterprise vision, mission, goals, objectives, value drivers, critical success factors, and SWOT (strengths, weaknesses, opportunities and threats)." According to the ISACA article on How to Develop an Effective IT Strategy, "The first step in developing an effective IT strategy is to understand your organization's business strategy. This will help you align your IT goals with your business goals and ensure that your IT investments support your business objectives." According to the CIO article on How to create an effective IT strategy, "The first step in creating an effective IT strategy is to understand what your business is trying to achieve. This means reviewing your business strategy and identifying the key drivers of value and competitive advantage for your organization."
Question 343:
Which of the following is the BEST method for making a strategic decision to invest in cloud services?
A. Prepare a business case.
B. Prepare a request for information (RFI).
C. Benchmarking.
D. Define a balanced scorecard.
A. Prepare a business case.
A business case is the best method for making a strategic decision to invest in cloud services, as it provides a structured and comprehensive analysis of the costs, benefits, risks, and value proposition of the proposed investment. A business case can help justify the need for cloud services, compare different options and alternatives, and align the investment with the enterprise's strategy and objectives. A request for information (RFI) is a document that solicits information from potential vendors or suppliers, but it does not provide a decision-making framework. Benchmarking is a process of comparing the performance or practices of an enterprise with those of others, but it does not evaluate the feasibility or desirability of cloud services. A balanced scorecard is a tool that measures and monitors the performance of an enterprise or a business unit against strategic goals and objectives, but it does not assess the viability or suitability of cloud services.
References: CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.1: IT Investment Management Overview, Page 97; CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.4: IT Investment Management Process, Page 104; How to Write a Business Case: Template and Examples.
Question 344:
When developing an IT strategic plan that supports an enterprise's business goals, which of the following should be done FIRST?
A. Ensure that IT drives business goals
B. Analyze benchmarking data
C. Understand the current vision
D. Perform a business impact analysis (BIA)
C. Understand the current vision
According to the ISACA CGEIT Exam Candidate Guide, one of the tasks under the domain of Strategic Alignment is to "understand the current vision and direction of the enterprise and identify how IT can best support it." This task should be done first when developing an IT strategic plan that supports an enterprise's business goals, because it provides the basis for aligning IT with the business strategy and priorities. By understanding the current vision and direction of the enterprise, the IT strategic plan can identify the gaps, opportunities, and challenges that need to be addressed by IT, as well as the expected outcomes and benefits that IT can deliver to the enterprise. The other options are not the best actions to perform first in this scenario. Ensuring that IT drives business goals, analyzing benchmarking data, and performing a business impact analysis (BIA) are all useful steps or methods for developing an IT strategic plan, but they are not the starting point. They should be done after understanding the current vision and direction of the enterprise, based on the alignment and integration of IT with the business strategy and goals.
References: 1: https://www.isaca.org/-/media/info/cgeit/cgeit-exam-candidate-guide.pdf 2: https://www.cascade.app/blog/it-strategic-plan 3: https://www.projectmanager.com/blog/it-governance-frameworks-definitions
Question 345:
Which of the following provides the MOST comprehensive insight into the effectiveness of IT?
A. IT balanced scorecard
B. IT strategy
C. Return on investment (ROI)
D. Key risk indicators (KRIs)
A. IT balanced scorecard
An IT balanced scorecard (BSC) is a framework that measures and manages the performance and value of IT in relation to the enterprise's strategy, goals, and objectives. An IT BSC provides the most comprehensive insight into the effectiveness of IT, because it covers four perspectives that reflect the key aspects of IT: financial, customer, internal process, and learning and growth. For each perspective, an IT BSC defines objectives, measures, targets, and initiatives that align with the enterprise's vision and mission. An IT BSC also helps to balance the short-term and long-term outcomes of IT, as well as the leading and lagging indicators of IT performance. According to ISACA's article on The IT Balanced Scorecard [1], "the IT BSC is a powerful tool for demonstrating the contribution of IT to the business, communicating IT performance in business terms, and aligning IT with business strategy." Furthermore, according to ISACA's CGEIT Domain 1: Framework for the Governance of Enterprise IT [2], "the IT BSC is a widely used framework for measuring and managing the performance of IT resources in relation to enterprise goals." Therefore, an IT BSC is the best way to provide a comprehensive insight into the effectiveness of IT.
Question 346:
Which of the following is necessary for effective risk management in IT governance?
A. Risk evaluation is embedded in the management processes.
B. IT risk management is separate from enterprise risk management (ERM).
C. Local managers are solely responsible for risk evaluation.
D. Risk management strategy is approved by the audit committee.
A. Risk evaluation is embedded in the management processes.
Effective risk management in IT governance requires that risk evaluation is embedded in the management processes of the organization. This means that risk evaluation is not a separate or isolated activity, but rather an integral part of the planning, execution, monitoring, and reporting of IT activities and initiatives. Embedding risk evaluation in the management processes can help:
- Identify and assess the potential threats and opportunities that may affect the achievement of IT and business objectives.
- Align the IT risk appetite and tolerance with the enterprise risk appetite and tolerance.
- Prioritize and allocate the resources and actions to address the risks based on their impact and likelihood.
- Monitor and report the risk performance and outcomes in relation to the IT value drivers and benefits.
- Embed the risk culture and awareness across the organization.
References: According to the CGEIT Review Manual 2022, "Risk evaluation should be embedded in management processes. Risk evaluation should be performed as part of planning, executing, monitoring and reporting activities." According to the ISACA article on Risk Management: A Driver for Value Creation, "Risk management should be embedded into all business processes. It should be part of strategic planning, project management, change management, performance management, etc." According to the NIST article on Staging Cybersecurity Risks for Enterprise Risk Management and Governance, "Embedding cybersecurity risk management into enterprise risk management (ERM) processes can help organizations better understand their cybersecurity risks, prioritize them based on their potential impact on business objectives, and allocate resources accordingly."
Question 347:
The responsibility for the development of a business continuity plan (BCP) is BEST assigned to the:
A. business risk manager.
B. business owner.
C. chief executive officer (CEO).
D. IT systems owner.
B. business owner.
IT governance is the process of ensuring that IT supports the business objectives and strategies of the enterprise, and that IT investments and resources are aligned with the enterprise's needs and priorities. When individual business units design their own IT solutions without consulting the IT department, they may create solutions that are not compatible with the existing enterprise goals, such as customer satisfaction, operational efficiency, regulatory compliance, or innovation. This can result in duplication of efforts, waste of resources, increased complexity, security risks, or missed opportunities. Therefore, it is important for IT governance to establish a clear vision, strategy, and framework for IT that guides the business units in developing and implementing IT solutions that support the enterprise goals. Some examples of IT governance frameworks are COBIT, ITIL, and ISO/IEC 38500.
References: COBIT | ISACA; ITIL | AXELOS; ISO/IEC 38500:2015(en), Information technology -- Governance of IT for the organization.
Question 348:
An enterprise is planning to outsource data processing for personally identifiable information (PII). When is the MOST appropriate time to define the requirements for security and privacy of information?
A. When issuing requests for proposals (RFPs)
B. After an assessment of the current information architecture
C. When developing service level agreements (SLAs)
D. During the initial vendor selection process
A. When issuing requests for proposals (RFPs)
The requirements for security and privacy of information should be defined when issuing RFPs to ensure that potential vendors can meet the enterprise's expectations and comply with relevant regulations. This will also help the enterprise to evaluate and compare the proposals based on the predefined criteria.
References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.2: IT Investment Selection, Pages 97-98.
Question 349:
The CIO of a large enterprise has taken the necessary steps to align IT objectives with business objectives. What is the BEST way for the CIO to ensure these objectives are delivered effectively by IT staff?
A. Map the IT objectives to an industry-accepted framework.
B. Enhance the budget for training based on the IT objectives.
C. Include the IT objectives in staff performance plans.
D. Include CIO sign-off of the objectives as part of the IT strategic plan.
C. Include the IT objectives in staff performance plans.
The best way for the CIO to ensure that the IT objectives are delivered effectively by IT staff is to include the IT objectives in staff performance plans. Staff performance plans are documents that define the expectations, responsibilities, and goals for individual employees, as well as the criteria and methods for evaluating their performance. By including the IT objectives in staff performance plans, the CIO can align the IT staff's work with the business objectives, communicate the desired outcomes and behaviors, motivate and empower the IT staff, monitor and measure their progress and achievements, and provide feedback and recognition. This will help to create a culture of accountability, excellence, and continuous improvement among the IT staff, and ensure that they contribute to the value creation and delivery of IT.
References: Performance Management; What is CGEIT? A certification for seasoned IT governance professionals.
Question 350:
Which of the following IT governance actions would be the BEST way to minimize the likelihood of IT failures jeopardizing the corporate value of an IT-dependent organization?
A. Implement an IT risk management framework.
B. Install an IT continuous monitoring solution.
C. Define IT performance management measures.
D. Benchmark IT strategy against industry peers.
A. Implement an IT risk management framework.
The best IT governance action to minimize the likelihood of IT failures jeopardizing the corporate value of an IT-dependent organization is to implement an IT risk management framework. An IT risk management framework is a set of policies, processes, and tools that help identify, analyze, evaluate, treat, monitor, and communicate the IT risks that may affect the achievement of the organization's objectives and goals. An IT risk management framework can help reduce the probability and impact of IT failures, such as system outages, data breaches, cyberattacks, or project delays, by implementing appropriate controls and mitigation strategies. An IT risk management framework can also help align the IT risks with the organization's risk appetite and tolerance, as well as ensure compliance with regulations and standards. What is IT Risk Management? | RSA provides an overview of IT risk management and its benefits.
Installing an IT continuous monitoring solution, defining IT performance management measures, and benchmarking IT strategy against industry peers are also useful IT governance actions, but they are not the best way to minimize the likelihood of IT failures. Installing an IT continuous monitoring solution is a process that uses software tools or systems to collect, analyze, and report on IT performance and compliance data, such as availability, reliability, security, or efficiency. Installing an IT continuous monitoring solution can help detect and respond to IT failures in a timely and effective manner, as well as improve the visibility and accountability of IT operations. Defining IT performance management measures is a task that involves selecting and defining the metrics that measure the achievement of specific goals or objectives for IT processes, systems, or services. Defining IT performance management measures can help evaluate and communicate the effectiveness and efficiency of IT operations, services, and projects, as well as their contribution to business value and customer satisfaction. Benchmarking IT strategy against industry peers is a technique that involves comparing and contrasting the IT practices, capabilities, or outcomes of an organization with those of its competitors or similar organizations. Benchmarking IT strategy against industry peers can help identify and adopt best practices or innovations for IT governance and management, as well as assess the strengths and weaknesses of the organization's IT performance.
Nowadays, certification exams have become more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CGEIT exam preparation and Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.