ISACA CGEIT Exam Questions

Questions for the CGEIT were updated on: Nov 19, 2025

Question 1

Which of the following is MOST helpful in determining whether an enterprise’s quality assurance
(QA) program is meeting business requirements?

  • A. Review the quality framework.
  • B. Perform a SWOT analysis.
  • C. Review service outage reports.
  • D. Perform a quality audit.
Answer: D

Explanation:
Determining whether a quality assurance (QA) program meets business requirements requires an
objective evaluation of its effectiveness in delivering expected outcomes. The CGEIT Review Manual
8th Edition states that a quality audit is the most effective method to assess whether QA processes
align with business needs, as it provides a structured review of performance and compliance.
Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization): "A quality audit is the
most effective way to determine whether an enterprise’s quality assurance program meets business
requirements. The audit evaluates the QA processes, controls, and outcomes against defined
business objectives, identifying gaps and areas for improvement." (Approximate reference: Domain
5, Section on Quality Management and Assurance)
Performing a quality audit (option D) provides a comprehensive assessment of the QA program’s
alignment with business requirements, examining processes, metrics, and deliverables to ensure
they meet stakeholder expectations.
Why not the other options?
A. Review the quality framework: Reviewing the framework provides insight into design but does
not assess actual performance or alignment with business needs.
B. Perform a SWOT analysis: A SWOT analysis identifies strengths, weaknesses, opportunities, and
threats but is too broad and not specific to evaluating QA effectiveness.
C. Review service outage reports: Outage reports may indicate issues but are limited to specific
incidents and do not provide a holistic view of the QA program’s alignment with business
requirements.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 5: Benefits Realization, Section on Quality
Assurance and Auditing.
ISACA CGEIT Study Guide, Chapter on QA Program Evaluation.

Question 2

An enterprise will be adopting wearable technology to improve business performance. Which of the
following is the BEST way for the CIO to validate IT’s preparedness for this initiative?

  • A. Request an enterprise architecture (EA) review.
  • B. Perform a baseline business value assessment.
  • C. Request reprioritization of the IT portfolio.
  • D. Identify the penalties for noncompliance.
Answer: A

Explanation:
Adopting wearable technology requires ensuring that IT’s infrastructure, processes, and standards
can support the new initiative. The CGEIT Review Manual 8th Edition highlights that an enterprise
architecture (EA) review is the best method to validate IT’s preparedness, as it assesses the
alignment of IT capabilities with the requirements of new technologies.
Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management): "To validate IT’s
preparedness for adopting new technologies, the CIO should request an enterprise architecture
review. The EA review assesses whether current IT infrastructure, applications, and processes can
support the technology initiative, identifying gaps and necessary adjustments." (Approximate
reference: Domain 4, Section on Enterprise Architecture and Technology Adoption)
Requesting an enterprise architecture review (option A) ensures that the CIO evaluates IT’s technical
and operational readiness for wearable technology, including compatibility with existing systems,
scalability, and security requirements.
Why not the other options?
B. Perform a baseline business value assessment: A value assessment focuses on benefits, not IT’s
technical preparedness, which is the primary concern here.
C. Request reprioritization of the IT portfolio: Portfolio reprioritization addresses resource allocation,
not the technical readiness of IT systems.
D. Identify the penalties for noncompliance: Penalties are a risk management concern, not a direct
method to validate IT preparedness.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 4: Strategic Management, Section on Enterprise
Architecture and Technology Integration.
ISACA CGEIT Study Guide, Chapter on IT Readiness Assessment.

Question 3

Which of the following is the BEST indicator of effective IT governance?

  • A. Regulatory authorities have given a favorable report on IT controls.
  • B. Executive management is involved in important IT decisions and activities.
  • C. The chief information security officer (CISO) reports to a board member.
  • D. IT management is proactive in reporting IT project status to executive management.
Answer: B

Explanation:
Effective IT governance ensures that IT aligns with enterprise objectives, and a key indicator is the
active involvement of executive management in IT decision-making. The CGEIT Review Manual 8th
Edition emphasizes that executive management’s engagement in IT decisions demonstrates strong
governance, as it ensures strategic alignment, accountability, and oversight.
Extract from CGEIT Review Manual 8th Edition (Domain 1: Governance of Enterprise IT): "Effective IT
governance is best indicated by the active involvement of executive management in important IT
decisions and activities. This engagement ensures that IT initiatives are aligned with business
objectives, risks are managed appropriately, and value is delivered to the enterprise." (Approximate
reference: Domain 1, Section on Governance Roles and Responsibilities)
Executive management’s involvement (option B) reflects a governance structure where IT is
integrated into strategic planning, ensuring decisions support business goals and foster
accountability at the highest levels.
Why not the other options?
A. Regulatory authorities have given a favorable report on IT controls: While a favorable regulatory
report indicates compliance, it is a narrow measure and does not encompass the broader aspects of
governance, such as strategic alignment or value delivery.
C. The chief information security officer (CISO) reports to a board member: The CISO’s reporting
structure is a specific governance element but not the best indicator of overall IT governance
effectiveness, as it focuses only on security.
D. IT management is proactive in reporting IT project status to executive management: Proactive
reporting is a good practice but is a subset of governance activities, less critical than executive
management’s direct involvement in decision-making.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT, Section on
Governance Roles and Executive Involvement.
ISACA CGEIT Study Guide, Chapter on IT Governance Indicators.

Question 4

An executive management team has determined the need to implement an IT governance
framework, beginning with the maturity assessment process. The PRIMARY purpose for maturity
assessment is to:

  • A. Benchmark IT performance.
  • B. Identify gaps in performance.
  • C. Support impact analysis.
  • D. Identify gaps in capability.
Answer: D

Explanation:
A maturity assessment evaluates the current state of IT governance processes to identify gaps in
capability that need improvement. The CGEIT Review Manual 8th Edition states that the primary
purpose of a maturity assessment is to identify capability gaps to guide governance framework
enhancements.
Extract from CGEIT Review Manual 8th Edition (Domain 1: Governance of Enterprise IT): "The primary
purpose of a maturity assessment is to identify gaps in IT governance capabilities, such as processes,
skills, or controls, relative to desired maturity levels. This enables the enterprise to prioritize
improvements and enhance governance effectiveness." (Approximate reference: Domain 1, Section
on Maturity Assessment)
Identifying gaps in capability (option D) focuses on assessing the maturity of governance processes
and determining where enhancements are needed to achieve desired outcomes.
Why not the other options?
A. Benchmark IT performance: Benchmarking compares performance, not capability maturity.
B. Identify gaps in performance: Performance gaps are a secondary outcome, while capability gaps
are the primary focus.
C. Support impact analysis: Impact analysis is not the primary purpose of maturity assessments.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT, Section on
Governance Maturity Assessment.
ISACA CGEIT Study Guide, Chapter on IT Governance Maturity.

Question 5

Which of the following should be considered FIRST when migrating data to a cloud environment?

  • A. Disaster recovery plan (DRP).
  • B. Skills matrix.
  • C. Information architecture.
  • D. Data structure.
Answer: C

Explanation:
Migrating data to a cloud environment requires a clear understanding of the information architecture
to ensure data is organized, accessible, and secure. The CGEIT Review Manual 8th Edition notes that
information architecture is the first consideration to align data migration with enterprise needs.
Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management): "When migrating
data to a cloud environment, the first consideration is the information architecture, which defines
how data is structured, stored, and accessed. This ensures that the migration supports business
processes and complies with governance requirements." (Approximate reference: Domain 4, Section
on Cloud Migration Strategy)
Considering the information architecture (option C) ensures that the cloud environment supports the
enterprise’s data needs, security policies, and integration requirements.
Why not the other options?
A. Disaster recovery plan (DRP): DRP is important but follows architecture design to ensure recovery
aligns with data organization.
B. Skills matrix: Skills are a resource consideration, not the first step in data migration.
D. Data structure: Data structure is a component of information architecture, which is the broader
consideration.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 4: Strategic Management, Section on Information
Architecture and Cloud.
ISACA CGEIT Study Guide, Chapter on Cloud Migration Planning.

Question 6

Which of the following is MOST important to have in place to ensure a business continuity plan (BCP)
can be executed?

  • A. Defined roles.
  • B. Replicated systems.
  • C. A risk register.
  • D. Budget allocation.
Answer: A

Explanation:
A business continuity plan (BCP) relies on clear roles and responsibilities to ensure effective
execution during a disruption. The CGEIT Review Manual 8th Edition emphasizes that defined roles
are the most critical component for BCP success, as they ensure accountability and coordination.
Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization): "The most important
element for executing a business continuity plan is the definition of roles and responsibilities. Clear
roles ensure that all stakeholders know their duties during a disruption, enabling rapid and
coordinated response." (Approximate reference: Domain 3, Section on Business Continuity Planning)
Defined roles (option A) are essential to ensure that the BCP is actionable, with individuals assigned
to specific tasks, such as communication, recovery, or coordination.
Why not the other options?
B. Replicated systems: Systems are important but useless without people to manage them during a
crisis.
C. A risk register: A risk register identifies risks but does not ensure BCP execution.
D. Budget allocation: Funding supports BCP development but is not the most critical for execution.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 3: Risk Optimization, Section on Business
Continuity and Disaster Recovery.
ISACA CGEIT Study Guide, Chapter on BCP Execution.

Question 7

Which of the following provides an enterprise with the BEST understanding of the value proposition
for employing a new cloud service?

  • A. Key risk indicators (KRIs).
  • B. Service level agreements (SLAs).
  • C. Return on investment (ROI).
  • D. Customer satisfaction surveys.
Answer: C

Explanation:
The value proposition of a new cloud service is best understood through a financial metric like return
on investment (ROI), which quantifies the benefits relative to costs. The CGEIT Review Manual 8th
Edition highlights ROI as a key tool for evaluating the value of IT investments.
Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization): "Return on
investment (ROI) is a critical metric for understanding the value proposition of IT initiatives, such as
adopting a new cloud service. ROI compares the financial benefits of the initiative to its costs,
providing a clear measure of value delivered." (Approximate reference: Domain 5, Section on Value
Measurement)
Return on investment (option C) provides a comprehensive view of the cloud service’s financial
benefits, operational improvements, and strategic value, making it the best tool for understanding
the value proposition.
Why not the other options?
A. Key risk indicators (KRIs): KRIs focus on risk exposure, not value delivery.
B. Service level agreements (SLAs): SLAs define performance expectations but do not quantify
overall value.
D. Customer satisfaction surveys: Surveys measure user experience, not the full financial or strategic
value.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 5: Benefits Realization, Section on ROI and Value
Assessment.
ISACA CGEIT Study Guide, Chapter on IT Investment Evaluation.

Question 8

An enterprise wants to implement metrics to monitor the performance of its IT portfolio. Whose
input is MOST important to consider when establishing these metrics?

  • A. Project management office (PMO).
  • B. IT executives.
  • C. The chief executive officer (CEO).
  • D. Business unit stakeholders.
Answer: D

Explanation:
IT portfolio performance metrics must reflect the value delivered to the business, making business
unit stakeholders’ input critical. The CGEIT Review Manual 8th Edition emphasizes that business
stakeholders are the primary source for defining metrics that align with business objectives.
Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization): "When establishing
metrics to monitor IT portfolio performance, the input of business unit stakeholders is most
important, as they define the business objectives and value expectations that the IT portfolio must
deliver." (Approximate reference: Domain 5, Section on Performance Metrics)
Considering the input of business unit stakeholders (option D) ensures that metrics measure
outcomes that matter to the business, such as revenue growth, customer satisfaction, or operational
efficiency.
Why not the other options?
A. Project management office (PMO): The PMO focuses on project execution, not business value
definition.
B. IT executives: IT executives provide technical input, but business stakeholders define value.
C. The chief executive officer (CEO): The CEO may set high-level goals, but business units provide
detailed requirements.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 5: Benefits Realization, Section on Portfolio
Performance Measurement.
ISACA CGEIT Study Guide, Chapter on Business Value Metrics.

Question 9

Which of the following is the PRIMARY objective of a data protection impact assessment?

  • A. To identify and analyze how data privacy might be affected by business processes.
  • B. To evaluate the quality and integrity of personal data stored in an enterprise.
  • C. To estimate the value created by personal data as it progresses through its life cycle.
  • D. To ensure key business processes and related data interfaces are documented.
Answer: A

Explanation:
A data protection impact assessment (DPIA) is designed to identify and mitigate risks to data privacy.
The CGEIT Review Manual 8th Edition states that the primary objective of a DPIA is to analyze how
business processes affect data privacy, particularly for personal data.
Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization): "The primary objective
of a data protection impact assessment is to identify and analyze how business processes, systems,
or projects may impact the privacy of personal data. This helps ensure compliance with data
protection regulations and mitigates privacy risks." (Approximate reference: Domain 3, Section on
Data Privacy and Compliance)
Identifying and analyzing how data privacy might be affected by business processes (option A) is the
core purpose of a DPIA, aligning with regulatory requirements like GDPR.
Why not the other options?
B. To evaluate the quality and integrity of personal data stored in an enterprise: Data quality is a
separate concern, not the focus of a DPIA.
C. To estimate the value created by personal data as it progresses through its life cycle: Value
estimation is a business analysis, not a DPIA objective.
D. To ensure key business processes and related data interfaces are documented: Documentation
may be a byproduct, but it is not the primary objective.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 3: Risk Optimization, Section on Data Protection
Impact Assessments.
ISACA CGEIT Study Guide, Chapter on Privacy and Compliance.

Question 10

An enterprise’s IT department has been operating independently without regard to business
concerns, leading to misalignment between business and IT. The BEST way to establish alignment
would be to require:

  • A. Business to help define IT goals.
  • B. IT and business to define risks.
  • C. Business to fund IT services.
  • D. IT to define business objectives.
Answer: A

Explanation:
Misalignment between IT and business stems from a lack of collaboration in setting goals. The CGEIT
Review Manual 8th Edition emphasizes that business involvement in defining IT goals is the best way
to ensure alignment, as it ensures IT supports business priorities.
Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management): "To achieve
alignment between IT and business, the business must actively participate in defining IT goals to
ensure that IT initiatives support enterprise objectives. This collaborative approach bridges the gap
between IT operations and business needs." (Approximate reference: Domain 4, Section on
Business-IT Alignment)
Requiring the business to help define IT goals (option A) fosters collaboration and ensures that IT
priorities reflect business needs, addressing the misalignment.
Why not the other options?
B. IT and business to define risks: Risk definition is important but does not directly address goal
alignment.
C. Business to fund IT services: Funding is a resource issue, not a solution to strategic misalignment.
D. IT to define business objectives: IT defining business objectives reverses the proper alignment, as
business objectives should drive IT.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 4: Strategic Management, Section on Strategic
Alignment.
ISACA CGEIT Study Guide, Chapter on Business-IT Collaboration.

Question 11

Which of the following is MOST important to effectively incorporate innovation and emerging
technologies into an enterprise’s IT strategy?

  • A. Implementing new technologies based on maturity roadmaps according to reputable consulting entities.
  • B. Maintaining an IT strategy based on traditional technologies, supplemented by objectives for innovation.
  • C. Establishing a formal innovation management process that involves IT and business stakeholders.
  • D. Performing quarterly feedback reviews with focus groups representing the enterprise’s customer base.
Answer: C

Explanation:
Incorporating innovation and emerging technologies into the IT strategy requires a structured
process that engages both IT and business stakeholders to ensure alignment and value delivery. The
CGEIT Review Manual 8th Edition highlights that a formal innovation management process is critical
to effectively integrate new technologies.
Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management): "To effectively
incorporate innovation and emerging technologies, enterprises should establish a formal innovation
management process that involves IT and business stakeholders. This process ensures that new
technologies are evaluated, prioritized, and aligned with business objectives." (Approximate
reference: Domain 4, Section on Innovation Management)
Establishing a formal innovation management process that involves IT and business stakeholders
(option C) fosters collaboration, ensures strategic alignment, and drives successful adoption of
emerging technologies.
Why not the other options?
A. Implementing new technologies based on maturity roadmaps according to reputable consulting
entities: Relying on external roadmaps may not align with the enterprise’s specific needs.
B. Maintaining an IT strategy based on traditional technologies, supplemented by objectives for
innovation: This approach limits innovation by prioritizing traditional technologies.
D. Performing quarterly feedback reviews with focus groups representing the enterprise’s customer
base: Customer feedback is valuable but not the primary mechanism for strategic technology
integration.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 4: Strategic Management, Section on Innovation
and Technology Strategy.
ISACA CGEIT Study Guide, Chapter on Innovation Management.

Question 12

Which of the following should be done FIRST when preparing to migrate patient records to a cloud
service provider?

  • A. Review the current data governance policy.
  • B. Update the enterprise architecture (EA).
  • C. Revise the risk management framework.
  • D. Define the service level agreement (SLA).
Answer: A

Explanation:
Migrating patient records to a cloud provider involves sensitive data, making data governance a
critical first step to ensure compliance and security. The CGEIT Review Manual 8th Edition
emphasizes that reviewing the data governance policy is the first action to align migration with data
protection and regulatory requirements.
Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization): "When migrating
sensitive data, such as patient records, to a cloud environment, the first step is to review the current
data governance policy to ensure that data classification, security, and compliance requirements are
addressed. This informs subsequent actions, such as SLAs and risk management." (Approximate
reference: Domain 3, Section on Data Governance and Cloud Migration)
Reviewing the current data governance policy (option A) ensures that the migration adheres to
policies on data privacy, security, and regulatory compliance, particularly for sensitive patient
records.
Why not the other options?
B. Update the enterprise architecture (EA): EA updates may be needed but follow governance
review to ensure alignment with data policies.
C. Revise the risk management framework: Risk framework revision is premature without
understanding governance requirements.
D. Define the service level agreement (SLA): SLAs are defined after governance and risk
considerations are addressed.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 3: Risk Optimization, Section on Data Governance
and Cloud Security.
ISACA CGEIT Study Guide, Chapter on Cloud Migration Governance.

Question 13

Which of the following should be the CIO’s GREATEST consideration when making changes to the IT
strategy?

  • A. Have key stakeholders been consulted?
  • B. Has the impact to the enterprise architecture (EA) been assessed?
  • C. Have IT risk metrics been adjusted?
  • D. Has the investment portfolio been revised?
Answer: B

Explanation:
Changes to the IT strategy must consider their impact on the enterprise architecture (EA), as the EA
defines the structure and standards that enable strategy execution. The CGEIT Review Manual 8th
Edition highlights that assessing EA impact is the greatest consideration to ensure that strategic
changes are feasible and sustainable.
Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management): "When modifying
the IT strategy, the CIO’s greatest consideration is assessing the impact on the enterprise
architecture, as the EA provides the blueprint for IT capabilities, processes, and standards.
Misalignment with EA can lead to implementation challenges and reduced effectiveness."
(Approximate reference: Domain 4, Section on Strategy and EA Alignment)
Assessing the impact to the enterprise architecture (option B) ensures that the IT strategy leverages
existing capabilities and addresses any architectural gaps, making it the most critical consideration.
Why not the other options?
A. Have key stakeholders been consulted?: Stakeholder consultation is important but secondary to
ensuring the strategy is technically feasible via EA alignment.
C. Have IT risk metrics been adjusted?: Risk metrics are adjusted as part of risk management, not the
primary concern for strategy changes.
D. Has the investment portfolio been revised?: Portfolio revision follows strategy and EA alignment
to ensure investments support the updated strategy.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 4: Strategic Management, Section on Enterprise
Architecture and Strategy.
ISACA CGEIT Study Guide, Chapter on IT Strategy Updates.

Question 14

A CIO engages a consulting firm to conduct a benchmark analysis of the organization’s IT governance
framework against industry best practices. Several recommendations to improve the maturity of the
framework are identified. Which of the following should be the CIO’s NEXT course of action?

  • A. Evaluate the feasibility of the recommendations.
  • B. Obtain approval from the IT steering committee to implement the recommendations.
  • C. Develop a plan to integrate the recommendations.
  • D. Appoint a project manager to implement the recommendations.
Answer: A

Explanation:
After receiving recommendations to improve the IT governance framework, the CIO must assess
their feasibility to ensure they are practical and aligned with the enterprise’s resources and goals.
The CGEIT Review Manual 8th Edition advises evaluating the feasibility of recommendations as the
next step to prioritize and plan implementation.
Extract from CGEIT Review Manual 8th Edition (Domain 1: Governance of Enterprise IT): "Following a
benchmark analysis, the CIO should evaluate the feasibility of recommendations, considering factors
such as cost, resource availability, organizational readiness, and alignment with strategic objectives.
This assessment informs the prioritization and planning of implementation efforts." (Approximate
reference: Domain 1, Section on Governance Framework Improvement)
Evaluating the feasibility of the recommendations (option A) ensures that the CIO selects
recommendations that are viable and beneficial, setting the stage for planning and approval.
Why not the other options?
B. Obtain approval from the IT steering committee to implement the recommendations: Approval is
needed but follows feasibility assessment to ensure informed decision-making.
C. Develop a plan to integrate the recommendations: Planning is premature without confirming
which recommendations are feasible.
D. Appoint a project manager to implement the recommendations: Appointing a project manager is
a later step, after feasibility and planning.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT, Section on
Framework Benchmarking and Improvement.
ISACA CGEIT Study Guide, Chapter on Governance Framework Enhancement.

Question 15

Which of the following should be the MOST essential consideration when outsourcing IT services?

  • A. Identification of core and non-core business processes.
  • B. Compliance with enterprise architecture (EA).
  • C. Alignment with existing human resources (HR) policies and practices.
  • D. Adoption of a diverse vendor selection process.
Answer: A

Explanation:
Outsourcing IT services requires a clear distinction between core and non-core processes to ensure
that strategic capabilities are retained in-house while non-core activities are outsourced. The CGEIT
Review Manual 8th Edition highlights that identifying core and non-core processes is the most
essential consideration for outsourcing decisions.
Extract from CGEIT Review Manual 8th Edition (Domain 5: Benefits Realization): "The most critical
consideration in outsourcing IT services is identifying core and non-core business processes. Core
processes, which provide competitive advantage, should typically be retained, while non-core
processes can be outsourced to improve efficiency and focus on strategic priorities." (Approximate
reference: Domain 5, Section on Outsourcing Strategy)
Identification of core and non-core business processes (option A) ensures that outsourcing aligns
with the enterprise’s strategic goals and avoids compromising critical capabilities.
Why not the other options?
B. Compliance with enterprise architecture (EA): EA compliance is important but secondary to
determining what processes should be outsourced.
C. Alignment with existing human resources (HR) policies and practices: HR alignment is operational
and less critical than strategic process identification.
D. Adoption of a diverse vendor selection process: Vendor selection follows the decision to
outsource and is not the primary consideration.
Reference:
ISACA CGEIT Review Manual 8th Edition, Domain 5: Benefits Realization, Section on Outsourcing and
Core Competencies.
ISACA CGEIT Study Guide, Chapter on Strategic Outsourcing.
