The foundational step in aligning resource management with the IT strategic plan is to understand the disparity between the current resource capabilities and the future resource requirements dictated by that plan. This process is known as a gap analysis. It systematically identifies shortfalls or surpluses in skills, infrastructure, and applications needed to achieve strategic objectives. The output of this analysis provides the essential data to formulate a resource plan, which will then guide subsequent actions such as assigning roles, defining responsibilities, and evaluating sourcing strategies. Without first identifying the "gap," any resource management activities would lack strategic direction.

A. A RACI chart is a detailed implementation tool used to clarify roles, which is premature before the required resources and tasks are identified through a gap analysis.

B. Assigning roles and responsibilities is a component of executing a resource plan, which can only be developed after understanding the resource gaps.

D. Identifying outsourcing opportunities is a potential strategy to address a resource gap; the gap must be identified first before solutions can be considered.

1. ISACA. (2020). CGEIT Review Manual

8th Edition. Domain 2: IT Resources Optimization

Section 2.2

IT Resource Planning. The manual states that after understanding the strategic direction

"A gap analysis can then be performed to identify the differences between the current and desired future states. This analysis helps in creating a roadmap for acquiring

developing

and managing the necessary IT resources."

2. ISACA. (2018). COBIT 2019 Framework: Governance and Management Objectives. APO07 Managed Human Resources. The process description for APO07.01 includes "Identify the skills and competencies required to meet the enterprise’s objectives." This implies a comparison (gap analysis) between required and existing skills as a primary step.

3. De Haes

S.

& Van Grembergen

W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value

Featuring COBIT 5. Springer International Publishing. Chapter 3

"IT Governance Mechanisms

" discusses strategic alignment

noting that a crucial early activity is assessing the current state of IT resources against strategic requirements to identify gaps that need to be addressed. (DOI: 10.1007/978-3-319-14547-1)

The most appropriate first step for the Chief Governance Officer (CGO) is to conduct a formal assessment of the proposed change. Before modifying a long-standing governance framework, it is crucial to understand the full implications. This impact assessment will evaluate the potential benefits, such as increased business agility and reduced administrative overhead, against the potential risks, such as architectural misalignment or increased security vulnerabilities from a less rigorous review. This data-driven approach provides a sound basis for decision-making, ensures the change aligns with enterprise objectives and risk appetite, and demonstrates a structured, responsible response to the business units' concerns.

A. Create a central repository for the business to submit requests.

This addresses the mechanics of submitting requests but fails to address the substance of the current, escalated issue, which is the lack of response to a specific process improvement.

B. Explain the importance of the IT governance framework.

This is a defensive action that dismisses the valid business concern about inefficiency. Effective governance requires listening to and addressing stakeholder needs, not justifying the status quo.

D. Assign a project team to implement necessary changes.

This action is premature. A project team cannot be tasked with implementation until the scope, risks, and benefits of the change have been assessed and a decision has been made.

1. ISACA

CGEIT Review Manual

8th Edition (2020). Domain 1

Task Statement 1.5

"Ensure that the GEIT framework is periodically reviewed

updated

and relevant

" emphasizes the need to evaluate proposed changes based on shifts in business needs. The first step in this evaluation is to understand the impact of any potential update to the framework.

2. ISACA

COBIT 2019 Framework: Introduction and Methodology (2018). Section 4.2

"Goals Cascade

" explains how stakeholder needs must be translated into enterprise goals. The business unit's request is a stakeholder need

and before acting

governance must assess how a change would impact the achievement of enterprise goals.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). The governance objective EDM01

"Ensured Governance Framework Setting and Maintenance

" includes the practice EDM01.03

"Monitor the system of internal control." This involves evaluating the effectiveness and efficiency of controls

which is precisely what the business units are questioning. Assessing their proposal is a key part of this monitoring and maintenance activity.

The foundational and primary step in planning any IT governance implementation is to identify and understand the business drivers. These drivers—such as market pressures, regulatory requirements, or strategic objectives—dictate the "why" behind the initiative. A clear understanding of business drivers ensures that the governance framework is directly aligned with the enterprise's strategic goals and addresses its most critical needs. All subsequent planning activities, including defining performance indicators, securing funding, and assigning responsibilities, are contingent upon this initial alignment with the business's core purpose and direction.

A. Assigning decision-making responsibilities is a critical component of a governance framework, but it can only be done effectively after the goals and scope, which are derived from business drivers, have been established.

B. Obtaining necessary business funding requires a compelling business case. This case must demonstrate how the governance initiative will support and add value to the business, which is articulated by first identifying the business drivers.

C. Defining key business performance indicators (KPIs) is essential for measuring success, but these metrics must be linked to business goals, which are formulated in response to the identified business drivers.

1. ISACA. (2020). CGEIT Review Manual

8th Edition. Section 1.3

Governance Implementation

Phase 1: What Are the Drivers? This section explicitly states that the first phase of the implementation life cycle is to "Identify current business and IT-related issues

or 'pain points

' and triggers

and create a desire to change at executive management levels." This is synonymous with identifying business drivers.

2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Page 29

Figure 3.1

"COBIT Goals Cascade." The cascade

which is the mechanism for aligning IT with enterprise goals

begins with "Stakeholder Drivers and Needs

" reinforcing that understanding these drivers is the starting point for governance.

3. ISACA. (2018). COBIT 2019 Framework: Governance and Management Objectives. Page 19

Section 3.1

"Governance and Management Objectives." The entire framework is designed to help enterprises achieve their objectives

which are derived from stakeholder needs and business drivers. The process starts with understanding these drivers to set appropriate goals.

The IT steering committee's primary function is to ensure the alignment of IT with business strategy and to provide oversight of IT-related risk. Migrating services to an external cloud provider fundamentally alters the enterprise's risk landscape. This strategic shift introduces new risks (e.g., vendor viability, data security in a multi-tenant environment, regulatory compliance, exit strategies) and modifies existing ones. Therefore, the committee's foremost concern is to ensure the business risk profile is comprehensively updated to reflect this new operational model. This allows for proper risk assessment, mitigation, and alignment with the enterprise's risk appetite, which is a core governance responsibility.

A. Revising the business balanced scorecard: Revising performance metrics is a consequence of the strategic shift and updated risk profile, not the primary, initial concern for the governance body.

C. Changing the IT steering committee charter: The committee's fundamental purpose and authority do not change; only the IT delivery model they oversee changes. The charter would not typically require revision for this.

D. Calculating the cost of the current solution: This calculation is part of the due diligence and business case development that precedes the strategic decision. The question states the decision has already been made.

1. ISACA

CGEIT Review Manual

8th Edition. Domain 4: Risk Optimization

Task Statement R1

"Ensure that IT risk management is aligned with the enterprise risk management (ERM) framework." The manual emphasizes that a key governance role is to ensure IT-related risks are continuously identified

assessed

and managed. A move to the cloud is a significant event that necessitates a reassessment of the enterprise's risk profile.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Governance Objective EDM03: Ensured Risk Optimization. The purpose of this objective is to "Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance." Key practices involve evaluating and directing risk management

which requires an up-to-date and accurate understanding of the business risk profile

especially after a major sourcing change.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Management Objective APO12: Managed Risk. This objective details the processes for managing risk

including APO12.02 "Analyze Risk

" which involves identifying the "potential for business impacts" from changes in the IT environment. The IT steering committee would oversee this process to ensure the overall business risk profile is updated and accurate.

Determining optimal IT service levels is fundamentally an economic decision that balances business needs against the cost of service delivery. A cost-benefit analysis is the primary method for this, as it systematically evaluates the value (benefit) a specific service level provides to the business versus the resources and financial investment (cost) required to achieve and maintain it. Higher service levels (e.g., 99.999% uptime) are progressively more expensive. The "optimal" level is the point where the business value derived justifies the expenditure, ensuring that IT resources are aligned with enterprise objectives and not over-provisioned at an unjustifiable cost.

A. Internal rate of return: This is a specific capital budgeting metric to evaluate the profitability of an investment, not the primary framework for setting ongoing operational service levels.

B. Recovery time objective (RTO): RTO is a critical component of a service level agreement (SLA) related to business continuity, but it does not encompass all aspects needed to determine the overall optimal service level.

D. Resource utilization analysis: This analysis measures operational efficiency. While it informs the cost side of the equation, it does not determine the required service level from a business value perspective.

1. ISACA

CGEIT Review Manual

8th Edition (2020). Domain 2: IT Resources Optimization

Task Statement 2.4: "Ensure that IT services and service levels are defined

managed and monitored." The manual emphasizes that service levels must be based on business requirements and that a cost-benefit analysis is essential to ensure the cost of providing a service does not exceed the value it delivers to the business.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO09: Managed Service Agreements. Practice APO09.01

"Identify IT services and service level options

" involves defining a service catalog and establishing service levels based on business requirements

capabilities

and a cost-benefit analysis for different service level options. This directly links the determination of service levels to a cost-benefit trade-off.

An information retention policy's primary purpose is to ensure that information assets are managed throughout their life cycle in a way that supports business objectives while adhering to external obligations. Business requirements dictate how long data is needed for operational, analytical, or historical purposes to generate value. Simultaneously, compliance requirements, which include laws (e.g., GDPR, SOX), regulations, and contractual agreements, mandate specific minimum and sometimes maximum retention periods. These two drivers—business need and compliance—form the foundational basis for determining appropriate retention schedules, balancing utility, risk, and cost.

B. Business storage and processing needs: These are operational and technical constraints that influence how a policy is implemented (e.g., storage costs), not the fundamental rules of what to retain and for how long.

C. Backup and restoration capabilities: These are technical mechanisms for data protection and recovery. The retention policy dictates the backup strategy, not the other way around.

D. External customer data retention requirements: This is too narrow. While a component of compliance, it ignores internal business needs and other legal requirements for non-customer data like employee, financial, or intellectual property records.

1. ISACA

CGEIT Review Manual

8th Edition (2020): Domain 2: IT Resource Optimization

Section 2.3

Information/Data. The manual explains that the information life cycle

including retention and disposal

must be managed according to business

legal

and regulatory requirements. Knowledge statement K2.4.2

"Knowledge of data/information life cycle management

" directly supports that retention periods are based on these criteria.

2. ISACA

COBIT® 2019 Framework: Governance and Management Objectives (2018): The management objective APO14 Managed Data includes the practice APO14.07 Manage data storage and archiving. This practice explicitly states the need to "Define and implement policies and procedures for data storage and archiving to meet business and compliance requirements." (p. 139).

3. ISACA

COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution (2018): Design Factor 3

"Compliance requirements

" is identified as a key factor in designing a governance system. This guide emphasizes that legal and regulatory requirements are primary inputs for I&T-related policies

including those for data retention (p. 23).

A data classification policy is the foundational element required to consistently assess data protection needs. This policy establishes a framework for categorizing data based on its sensitivity, criticality, and value to the enterprise (e.g., Public, Confidential, Restricted). By creating a standardized set of criteria, the policy enables data owners to make uniform and objective decisions about the appropriate level of security controls, such as access rights and encryption, that must be applied. All other data protection activities, including risk management and the implementation of specific controls, are dependent on this initial classification.

A. Data encryption program: This is a specific security control. The decision on what data to encrypt and the strength of encryption required is determined after the data has been classified.

B. Data risk management program: A risk management program assesses threats and vulnerabilities, but it requires data classification as a primary input to determine the business impact of a potential data compromise.

C. Data retention policy: This policy defines how long data is kept. While important for governance, it is typically informed by the data's classification, not the other way around.

1. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 2: IT Resources

Task Statement 2.3

"Ensure that IT resources are identified and classified based on their criticality and importance to the enterprise." The supporting text explains that classification is a prerequisite for applying appropriate controls and protection measures.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives

2018. Management Objective APO14: Managed Data

Practice APO14.02

"Define and maintain data and information architecture." This practice includes activities for establishing a data classification scheme to ensure data is managed according to its value and sensitivity.

3. ISACA

CGEIT Review

Questions

Answers & Explanations Manual

5th Edition

2020. The rationale for similar questions emphasizes that data classification is the first step in a data management program

as it provides the basis for determining handling requirements

controls

and protection levels.

The primary achievement of performance measurement within an IT governance framework is to create transparency. By systematically collecting, analyzing, and reporting on performance metrics (e.g., KPIs), an organization provides stakeholders with clear, factual, and understandable information about the performance of IT against agreed-upon goals. This transparency is the foundational element that enables accountability and supports informed decision-making. While this information is subsequently used to drive process improvement, ensure benefit realization, and manage cost efficiency, these are secondary outcomes that depend on the initial transparency provided by the measurement process itself.

A. Process improvement: This is a corrective action or strategic initiative undertaken as a result of analyzing performance data; it is not the primary achievement of the measurement act itself.

C. Cost efficiency: This is a specific performance goal or a category of metrics that can be measured, not the overarching outcome of the entire performance measurement process.

D. Benefit realization: This is a strategic objective that performance measurement helps to track and validate. The measurement provides the data, but realizing benefits is a separate, subsequent activity.

1. ISACA

COBIT 2019 Framework: Governance and Management Objectives

2018. The management objective MEA01 Managed Performance and Conformance Monitoring explicitly states its purpose is to "Collect

validate and evaluate... performance and conformance metrics... to ensure that they are sufficient to drive the achievement of goals and provide transparency of performance and conformance..." (p. 195). This directly links performance monitoring with creating transparency as a primary purpose.

2. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 4

Task 4.4 (Monitor and Report on IT Performance) emphasizes that reporting performance to stakeholders provides them with the necessary visibility to take appropriate action. This visibility is synonymous with transparency

which is described as a key outcome of the monitoring and reporting process

enabling other governance activities. (Chapter 4

Section: "IT Performance Monitoring and Reporting").

3. De Haes

S.

& Van Grembergen

W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value

Featuring COBIT 5. Springer International Publishing. In Chapter 3

the authors discuss the IT balanced scorecard as a performance measurement system. They state

"The communication of the measures through the scorecard... ensures that the strategy is transparent and translated into comprehensible and actionable measures for the whole organization." (p. 67). This highlights transparency as a direct result of performance measurement and communication. (DOI: 10.1007/978-3-319-14547-1)

A capability maturity model (CMM) is the most suitable tool for this purpose. It provides a structured framework and a standardized scale (e.g., levels 0-5) to assess the current state ("as-is") of IT processes. This allows for a direct comparison against industry best practices and benchmarks, which are often mapped to these maturity levels. By identifying the gap between the current and desired maturity levels, the CIO can effectively pinpoint weaknesses and strategically prioritize improvement initiatives to enhance process consistency and performance. This approach offers a holistic and comparative view that is essential for strategic planning.

B. Evaluating the current balanced scorecard is incorrect because a BSC primarily measures performance against an organization's internal strategic objectives, not external industry process benchmarks.

C. Reviewing key performance measures is insufficient as KPMs/KPIs are specific metrics that may lack the comprehensive, structured framework needed for a holistic process capability assessment against industry standards.

D. Reviewing IT process audit results is incorrect because audits focus on compliance with policies and the effectiveness of controls, rather than benchmarking process maturity for strategic improvement.

1. ISACA

COBIT 2019 Framework: Introduction and Methodology

2018. Chapter 6

"COBIT Performance Management (CPM)

" details the process capability levels based on CMMI

which are used to "support process improvement by identifying strengths and weaknesses and the implications thereof." This model is explicitly designed for benchmarking.

2. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 4: IT Resource Optimization

Task 4.4

"Monitor and report on IT resource performance

" discusses the use of maturity and capability models to assess processes and identify opportunities for improvement against established benchmarks.

3. De Haes

S.

& Van Grembergen

W. (2009). An exploratory study into IT governance implementations and its impact on business/IT alignment. Information Systems Management

26(2)

123-137. This academic paper discusses the use of COBIT's maturity models as a key tool for organizations to assess their IT governance processes and benchmark them

forming a basis for improvement initiatives (p. 126). DOI: https://doi.org/10.1080/10580530902794786

The most effective way to improve disaster recovery (DR) capabilities, especially after a demonstrated failure like poor recovery times, is through a cycle of testing and refinement. Continuous testing validates the disaster recovery plan (DRP) against real-world conditions, identifies specific points of failure or bottlenecks, and measures performance. The critical second step, implementing "lessons learned," ensures that weaknesses discovered during testing (or a real event) are systematically addressed. This iterative process transforms the DRP from a static document into a dynamic and proven capability, directly targeting the root causes of the poor performance.

B. Increased training and monitoring for disaster recovery personnel who perform below expectations

This is too narrow. It assumes the failure was solely due to human error, ignoring potential flaws in the plan, technology, or resource allocation.

C. Annual review and updates to the disaster recovery plan (DRP)

An annual review is a necessary but insufficient activity. It is often a theoretical exercise and lacks the practical validation needed to uncover the specific issues that caused poor recovery times in an actual event.

D. Increased outsourcing of disaster recovery capabilities to ensure reliability

Outsourcing shifts responsibility but does not inherently guarantee improvement. The enterprise remains accountable, and the outsourced solution would still require rigorous testing and management to be proven effective.

1. ISACA

CGEIT Review Manual

8th Edition. Domain 4: IT Resource Optimization. The manual emphasizes that business continuity and disaster recovery plans must be regularly tested to ensure they are effective and that the enterprise can recover within the defined recovery time objectives (RTOs). The process of reviewing test results and post-incident reports to identify and implement improvements ("lessons learned") is a fundamental principle of a mature governance program. (Specifically

see concepts within Task 4.6: Ensure that IT-enabled business continuity plans are integrated with the enterprise business continuity plan).

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives. The management objective DSS04 Managed Continuity directly supports the correct answer. Practice DSS04.05 Plan and test managed continuity states the need to "Test the continuity plans on a regular basis to exercise the plans and identify deficiencies... Update the plans based on the results of the tests

reviews and changes in the business and IT environment." This highlights the essential link between testing and implementing corrective actions.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Practice DSS04.08 Conduct post-resumption review further reinforces the concept of learning from events. It advises to "Assess the effectiveness of the response to an incident or disaster after the enterprise has returned to a business-as-usual state. Identify lessons learned and required improvements to the business continuity plan..." This directly aligns with the scenario of improving capabilities after a catastrophic event.