View CGEIT Exam Questions

Q: 1

The FIRST step in aligning resource management to the enterprise's IT strategic plan would be to

Options

Discussion

CalmReviewer3895 Feb 26, 2026 8:37 am

C or B but I'm picking C. You need to do a gap analysis to see where your current resources fall short against what the IT strategic plan needs. Can't really assign roles (B) until you've figured out what's missing, I think. Anyone disagree with that logic?

ThoughtfulLearner3896 Feb 17, 2026 2:41 am

Feels like B comes before anything else since you need roles set. Option B

Mia G. Feb 28, 2026 8:28 pm

Yeah, C. Can't really start assigning roles (B) or mapping out a RACI (A) before you know what's missing compared to what the strategy asks for. Gap analysis is always step one when aligning to a plan, at least in ISACA world. Pretty sure that's the intent here.

Ryan K. Feb 17, 2026 2:20 pm

I see why folks are debating B and C, but it's got to be C. You need to run a gap analysis first to figure out the difference between what resources you have and what the IT strategic plan actually needs. Assigning roles or building RACI charts doesn't really make sense until you've done that assessment. Pretty standard ISACA logic in my experience. Agree?

ChrisG Feb 20, 2026 8:44 am

It's C. Had something like this in a mock and gap analysis was always the first action since you need to figure out where your resources fall short vs the IT strategic plan before making any assignments or building a RACI. Assigning roles or thinking about outsourcing doesn't make sense until you know the gaps, pretty sure that's what ISACA wants here. Anyone see it differently?

Mason Mar 4, 2026 11:56 am

These ISACA questions always trip folks up with the sequencing, but it's gotta be C here.

Piya A. Feb 12, 2026 5:34 am

B or C but I think C is right. You need a gap analysis before figuring out roles or making a RACI, since you have to know what's missing compared to the IT strategy. Outsourcing (D) is tempting if you're thinking about cost savings but it's not step one. Open to pushback if someone's seen different in recent exam prep.

Quinn Feb 26, 2026 8:36 am

saw pretty similar problem in my exam. in a practice set, it was definitely C on that one.

Piya Mar 2, 2026 5:15 pm

C/D? C probably, since gap analysis comes first but D could trip people up. Outsourcing feels too soon though.

Hannah D. Feb 26, 2026 5:43 pm

Its C here. You can’t assign roles (B) or do a RACI (A) until you know what you’re missing, so gap analysis has to come first. Outsourcing (D) is way later in the process. Pretty sure this is the sequence I’ve seen in official guidance-let me know if anyone disagrees.

Be respectful. No spam.

Correct Answer:

Explanation

The foundational step in aligning resource management with the IT strategic plan is to understand the disparity between the current resource capabilities and the future resource requirements dictated by that plan. This process is known as a gap analysis. It systematically identifies shortfalls or surpluses in skills, infrastructure, and applications needed to achieve strategic objectives. The output of this analysis provides the essential data to formulate a resource plan, which will then guide subsequent actions such as assigning roles, defining responsibilities, and evaluating sourcing strategies. Without first identifying the "gap," any resource management activities would lack strategic direction.

Why Incorrect

A. A RACI chart is a detailed implementation tool used to clarify roles, which is premature before the required resources and tasks are identified through a gap analysis.

B. Assigning roles and responsibilities is a component of executing a resource plan, which can only be developed after understanding the resource gaps.

D. Identifying outsourcing opportunities is a potential strategy to address a resource gap; the gap must be identified first before solutions can be considered.

References

1. ISACA. (2020). CGEIT Review Manual

8th Edition. Domain 2: IT Resources Optimization

Section 2.2

IT Resource Planning. The manual states that after understanding the strategic direction

"A gap analysis can then be performed to identify the differences between the current and desired future states. This analysis helps in creating a roadmap for acquiring

developing

and managing the necessary IT resources."

2. ISACA. (2018). COBIT 2019 Framework: Governance and Management Objectives. APO07 Managed Human Resources. The process description for APO07.01 includes "Identify the skills and competencies required to meet the enterprise’s objectives." This implies a comparison (gap analysis) between required and existing skills as a primary step.

3. De Haes

& Van Grembergen

W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value

Featuring COBIT 5. Springer International Publishing. Chapter 3

"IT Governance Mechanisms

" discusses strategic alignment

noting that a crucial early activity is assessing the current state of IT resources against strategic requirements to identify gaps that need to be addressed. (DOI: 10.1007/978-3-319-14547-1)

Q: 2

An enterprise has had the same IT governance framework in place for several years. Currently, large and small capital projects go through the same architectural governance reviews. Despite repeated requests to streamline the review process for small capital projects, business units have received no response from IT. The business units have recently escalated this issue to the newly appointed GO. Which of the following should be done FIRST to begin addressing business needs?

Options

Discussion

Grace Feb 18, 2026 2:03 pm

Option C this time. Gotta assess the impact before making changes to governance, especially with long-standing frameworks. That way you know what you're getting into and avoid creating bigger issues accidentally. Pretty sure that's the expected ISACA logic here, but open if someone sees otherwise.

Sanjay Feb 12, 2026 7:27 am

C , B feels like a distractor since explaining governance doesn't fix the issue. Impact assessment is usually ISACA's first move, right?

Jordan Feb 19, 2026 7:23 am

Pretty sure C here, that's ISACA's usual order. Assessment first so any changes are justified and risks are clear.

CalmTester8321 Feb 28, 2026 9:02 pm

B shows up a ton in the official guide and recent practice exams for first steps like this. Definitely review that section if you're prepping, it helps lock down these sequencing questions.

NehaM Feb 12, 2026 1:11 am

Why do you think D would be better than C to start with? ISACA questions like this usually expect assessment first.

Avery J. Feb 26, 2026 6:44 am

C is the one I’d choose here.

Sam J. Feb 17, 2026 11:25 am

A is wrong, C. Had something like this in a mock and ISACA goes with impact assessment first before making framework changes. Assigning a team or explaining governance comes after you actually know what could break or improve. You guys agree with C?

Luke E. Feb 26, 2026 10:27 pm

C fits ISACA's usual approach since you always assess impact before making governance changes. That's what the official guide and sample test questions reinforce too. Pretty sure that's the logic here, but open to other views if someone interpreted it differently.

Ravi K. Mar 1, 2026 12:46 pm

I think C but sometimes these "first" questions get me, since D is about just jumping to action. ISACA logic usually wants us to assess impact before changing anything though. Not 100% sure, but C feels safer. Disagree?

ZoeV Feb 15, 2026 9:31 pm

C vs D? D is tempting since fixing it fast sounds good, but ISACA practice always pushes impact assessment first (C) to avoid unintended consequences. Pretty sure C is what they're looking for here, unless I'm missing something obvious.

Be respectful. No spam.

Correct Answer:

Explanation

The most appropriate first step for the Chief Governance Officer (CGO) is to conduct a formal assessment of the proposed change. Before modifying a long-standing governance framework, it is crucial to understand the full implications. This impact assessment will evaluate the potential benefits, such as increased business agility and reduced administrative overhead, against the potential risks, such as architectural misalignment or increased security vulnerabilities from a less rigorous review. This data-driven approach provides a sound basis for decision-making, ensures the change aligns with enterprise objectives and risk appetite, and demonstrates a structured, responsible response to the business units' concerns.

Why Incorrect

A. Create a central repository for the business to submit requests.

This addresses the mechanics of submitting requests but fails to address the substance of the current, escalated issue, which is the lack of response to a specific process improvement.

B. Explain the importance of the IT governance framework.

This is a defensive action that dismisses the valid business concern about inefficiency. Effective governance requires listening to and addressing stakeholder needs, not justifying the status quo.

D. Assign a project team to implement necessary changes.

This action is premature. A project team cannot be tasked with implementation until the scope, risks, and benefits of the change have been assessed and a decision has been made.

References

1. ISACA

CGEIT Review Manual

8th Edition (2020). Domain 1

Task Statement 1.5

"Ensure that the GEIT framework is periodically reviewed

updated

and relevant

" emphasizes the need to evaluate proposed changes based on shifts in business needs. The first step in this evaluation is to understand the impact of any potential update to the framework.

2. ISACA

COBIT 2019 Framework: Introduction and Methodology (2018). Section 4.2

"Goals Cascade

" explains how stakeholder needs must be translated into enterprise goals. The business unit's request is a stakeholder need

and before acting

governance must assess how a change would impact the achievement of enterprise goals.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). The governance objective EDM01

"Ensured Governance Framework Setting and Maintenance

" includes the practice EDM01.03

"Monitor the system of internal control." This involves evaluating the effectiveness and efficiency of controls

which is precisely what the business units are questioning. Assessing their proposal is a key part of this monitoring and maintenance activity.

Q: 3

Which of the following should be the FIRST step in planning an IT governance implementation?

Options

Discussion

Ben S. Feb 16, 2026 2:40 pm

C. saw a similar scenario in my last mock. BIA gives the actual numbers you need when comparing site costs to risk. KRIs and scenarios help but don't map dollars as directly. Pretty confident here but open to other takes.

Noah T. Feb 26, 2026 1:40 pm

Option D, encountered exactly similar question in my exam and the answer was the same. Always start with identifying business drivers first.

AvaE Feb 27, 2026 10:16 am

D, is right. You always need to identify business drivers first so you know what the governance should focus on. Everything else like KPIs and roles only make sense once you have that context. Pretty sure ISACA expects this logic, unless I'm missing something.

Zoe Mar 1, 2026 12:57 pm

A is wrong, D. Always gotta find out what drives the business before anything else, even funding or KPIs come after. IT governance only makes sense if it lines up with those drivers. Pretty sure that's how ISACA structures this, but open to other views.

Ishaan C. Feb 22, 2026 4:39 pm

You always have to start by identifying business drivers before you can do anything else in IT governance. Can't define KPIs or push for funding if you don't know what you're trying to achieve. So D is the logical first move. Pretty sure about that but let me know if you see it differently!

Ravi Mar 2, 2026 6:18 am

CarefulMentor2841 Feb 17, 2026 2:49 pm

I could see picking C here since defining KPIs feels like it should come first, to measure success from the start. But on review, that's probably a trap since you can't define relevant KPIs before you know the business drivers. Still, I'd initially lean toward C myself in an actual exam setting unless clarified.

Alex D. Feb 28, 2026 6:39 am

A is wrong, C. KRIs help track risk trends, but BIA actually assigns financial values to downtime so you can align DR site costs with real business impact. Scenario-based is tempting but doesn't directly quantify dollars at risk. Pretty sure it's C unless I'm missing something subtle.

Aaron Mar 4, 2026 7:35 am

Yeah, D makes sense. Without identifying business drivers first, you might end up setting KPIs or assigning roles that totally miss the point of what the business actually needs. Pretty sure ISACA always puts business alignment at step one, but correct me if you've seen it otherwise.

Neha Feb 15, 2026 6:37 pm

C/D? I see similar questions on practice tests, and official ISACA guides always start with business drivers.

Be respectful. No spam.

Correct Answer:

Explanation

The foundational and primary step in planning any IT governance implementation is to identify and understand the business drivers. These drivers—such as market pressures, regulatory requirements, or strategic objectives—dictate the "why" behind the initiative. A clear understanding of business drivers ensures that the governance framework is directly aligned with the enterprise's strategic goals and addresses its most critical needs. All subsequent planning activities, including defining performance indicators, securing funding, and assigning responsibilities, are contingent upon this initial alignment with the business's core purpose and direction.

Why Incorrect

A. Assigning decision-making responsibilities is a critical component of a governance framework, but it can only be done effectively after the goals and scope, which are derived from business drivers, have been established.

B. Obtaining necessary business funding requires a compelling business case. This case must demonstrate how the governance initiative will support and add value to the business, which is articulated by first identifying the business drivers.

C. Defining key business performance indicators (KPIs) is essential for measuring success, but these metrics must be linked to business goals, which are formulated in response to the identified business drivers.

References

1. ISACA. (2020). CGEIT Review Manual

8th Edition. Section 1.3

Governance Implementation

Phase 1: What Are the Drivers? This section explicitly states that the first phase of the implementation life cycle is to "Identify current business and IT-related issues

or 'pain points

' and triggers

and create a desire to change at executive management levels." This is synonymous with identifying business drivers.

2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Page 29

Figure 3.1

"COBIT Goals Cascade." The cascade

which is the mechanism for aligning IT with enterprise goals

begins with "Stakeholder Drivers and Needs

" reinforcing that understanding these drivers is the starting point for governance.

3. ISACA. (2018). COBIT 2019 Framework: Governance and Management Objectives. Page 19

Section 3.1

"Governance and Management Objectives." The entire framework is designed to help enterprises achieve their objectives

which are derived from stakeholder needs and business drivers. The process starts with understanding these drivers to set appropriate goals.

Q: 4

An enterprise has made the strategic decision to reduce operating costs for the next year and is taking advantage of cost reductions offered by an external cloud service provider. Which of the following should be the IT steering committee's PRIMARY concern?

Options

Discussion

Arjun Q. Feb 23, 2026 10:35 am

I don't think D is the main concern. B makes more sense since any strategic move like cloud adoption brings new risks, so updating the risk profile is key. D feels like a trap for operational focus. Anyone disagree?

Chloe V. Feb 14, 2026 8:42 am

B here. Moving to cloud impacts the overall risk environment, so updating the risk profile matches the governance focus of the committee. I think that’s what they’d care about most, but open if someone sees a stronger case for D.

Sofia N. Feb 11, 2026 11:47 pm

Logan Feb 16, 2026 6:31 am

Updating the risk profile makes sense since using a new cloud provider brings different risks. B is what I've seen in similar practice questions and in the official guide suggestions. Pretty sure that's right but wouldn't hurt to review the official blueprint just in case.

CuriousNeteng1403 Feb 21, 2026 3:01 pm

B, Risk profile needs to reflect new cloud risks, so that's usually the committee's priority here.

Chris Y. Feb 18, 2026 11:19 am

I don’t think it’s B. D.

Grace X. Feb 22, 2026 12:34 pm

Saw something similar show up in my last practice, B was the pick there as well.

Parker Mar 4, 2026 11:20 am

D imo since cost calculation feels like the most immediate thing when reducing expenses, especially from a cloud shift. Saw exam samples push this angle, but maybe I'm missing that governance lens. Official guide might have more on steering committee priorities?

Jordan L. Feb 16, 2026 9:42 am

Guessing B makes the most sense, since shifting to cloud changes your risk environment and that's a key governance thing for the steering committee. D is tempting but that's more operational. Seen this phrased similarly in practice sets too. Agree?

Parker Mar 2, 2026 6:27 am

Nah, I don't think it's D. B is the better fit here since moving to the cloud changes the risk landscape, so updating the business risk profile is what the committee should focus on first. D looks like an operational step trap.

Be respectful. No spam.

Correct Answer:

Explanation

The IT steering committee's primary function is to ensure the alignment of IT with business strategy and to provide oversight of IT-related risk. Migrating services to an external cloud provider fundamentally alters the enterprise's risk landscape. This strategic shift introduces new risks (e.g., vendor viability, data security in a multi-tenant environment, regulatory compliance, exit strategies) and modifies existing ones. Therefore, the committee's foremost concern is to ensure the business risk profile is comprehensively updated to reflect this new operational model. This allows for proper risk assessment, mitigation, and alignment with the enterprise's risk appetite, which is a core governance responsibility.

Why Incorrect

A. Revising the business balanced scorecard: Revising performance metrics is a consequence of the strategic shift and updated risk profile, not the primary, initial concern for the governance body.

C. Changing the IT steering committee charter: The committee's fundamental purpose and authority do not change; only the IT delivery model they oversee changes. The charter would not typically require revision for this.

D. Calculating the cost of the current solution: This calculation is part of the due diligence and business case development that precedes the strategic decision. The question states the decision has already been made.

References

1. ISACA

CGEIT Review Manual

8th Edition. Domain 4: Risk Optimization

Task Statement R1

"Ensure that IT risk management is aligned with the enterprise risk management (ERM) framework." The manual emphasizes that a key governance role is to ensure IT-related risks are continuously identified

assessed

and managed. A move to the cloud is a significant event that necessitates a reassessment of the enterprise's risk profile.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Governance Objective EDM03: Ensured Risk Optimization. The purpose of this objective is to "Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance." Key practices involve evaluating and directing risk management

which requires an up-to-date and accurate understanding of the business risk profile

especially after a major sourcing change.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Management Objective APO12: Managed Risk. This objective details the processes for managing risk

including APO12.02 "Analyze Risk

" which involves identifying the "potential for business impacts" from changes in the IT environment. The IT steering committee would oversee this process to ensure the overall business risk profile is updated and accurate.

Q: 5

An IT manager is trying to determine optimal IT service levels. Which of the following should be the PRIMARY consideration?

Options

Discussion

Ben Mar 4, 2026 11:56 am

Makes sense to go with C here. Cost-benefit analysis really gets at the heart of balancing business needs and expense when setting service levels. Internal rate of return and RTO are more specific metrics, but C is the broader, primary tool. Pretty sure that's how ISACA wants it framed, but open to other views.

Layla G. Feb 20, 2026 3:09 pm

Option C

Rowan Q. Feb 20, 2026 1:34 am

Option C, Saw a similar question in an exam report, and cost-benefit analysis was the key focus for service level decisions.

RyanM Feb 16, 2026 10:01 am

Sick of how ISACA always defaults to cost-benefit stuff. C here, just like every practice set.

FocusedLead2858 Feb 27, 2026 6:23 pm

Why wouldn't B (RTO) be more important if the context was disaster recovery? Just curious because sometimes exam questions shift focus depending on business continuity versus general service delivery.

Daniel P. Mar 1, 2026 5:42 am

C is the best fit. Cost-benefit analysis is what ISACA normally considers primary when figuring out optimal anything for IT services. I think D could be tempting if they asked for maximizing efficiency only, but pretty confident it's C for this question. Disagree?

Ben X. Mar 2, 2026 5:03 pm

C here

Daniel B. Mar 3, 2026 3:21 pm

C vs D here, but had a similar question in a mock and C was flagged as the right call. Cost-benefit analysis is usually how ISACA expects you to approach 'optimal' anything. Not 100 percent sure if D might sneak in on some questions though. Agree?

ThoughtfulNeteng5463 Feb 27, 2026 11:29 am

Which official ISACA resource or practice test best explains the difference between these options for service level decisions?

Layla Feb 25, 2026 7:29 pm

C/D? I get why C (cost-benefit analysis) is the expected answer since it’s about balancing cost versus value, which is textbook ISACA. But sometimes they sneak in D (resource utilization analysis) if they’re hinting at performance optimization, not just business alignment. Pretty sure they want C for PRIMARY consideration, but not totally ruling out D.

Be respectful. No spam.

Correct Answer:

Explanation

Determining optimal IT service levels is fundamentally an economic decision that balances business needs against the cost of service delivery. A cost-benefit analysis is the primary method for this, as it systematically evaluates the value (benefit) a specific service level provides to the business versus the resources and financial investment (cost) required to achieve and maintain it. Higher service levels (e.g., 99.999% uptime) are progressively more expensive. The "optimal" level is the point where the business value derived justifies the expenditure, ensuring that IT resources are aligned with enterprise objectives and not over-provisioned at an unjustifiable cost.

Why Incorrect

A. Internal rate of return: This is a specific capital budgeting metric to evaluate the profitability of an investment, not the primary framework for setting ongoing operational service levels.

B. Recovery time objective (RTO): RTO is a critical component of a service level agreement (SLA) related to business continuity, but it does not encompass all aspects needed to determine the overall optimal service level.

D. Resource utilization analysis: This analysis measures operational efficiency. While it informs the cost side of the equation, it does not determine the required service level from a business value perspective.

References

1. ISACA

CGEIT Review Manual

8th Edition (2020). Domain 2: IT Resources Optimization

Task Statement 2.4: "Ensure that IT services and service levels are defined

managed and monitored." The manual emphasizes that service levels must be based on business requirements and that a cost-benefit analysis is essential to ensure the cost of providing a service does not exceed the value it delivers to the business.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO09: Managed Service Agreements. Practice APO09.01

"Identify IT services and service level options

" involves defining a service catalog and establishing service levels based on business requirements

capabilities

and a cost-benefit analysis for different service level options. This directly links the determination of service levels to a cost-benefit trade-off.

Q: 6

Which of the following BEST enables an enterprise to determine an appropriate retention policy for its information assets?

Options

Discussion

Daniel X. Feb 27, 2026 10:04 pm

Option B is it. Measures need to be meaningful and accepted by stakeholders, otherwise you get no real engagement or follow-through. A looks tempting (benchmarking helps), but unless your audience buys in, improvement just doesn’t happen. Saw something similar before, pretty confident B is correct but happy to hear if anyone sees it differently.

Robin Feb 23, 2026 2:19 am

Option A

Emma R. Feb 15, 2026 10:31 am

Option A

Mason H. Feb 14, 2026 3:04 pm

B or D? Storage and processing needs (B) seem like they'd matter because you can't retain what doesn't fit, but maybe that's just a distraction. Still, external customer requirements (D) make sense too if you're bound to contracts. Probably leaning B here, unless I'm missing a compliance angle.

PracticalNeteng7578 Feb 14, 2026 5:29 am

Gotta be A. Only business and compliance really drive the length of retention in practice.

Cameron U. Feb 16, 2026 11:27 pm

A not B. Business and compliance requirements directly set the rules for how long you have to keep info, while storage needs or backup options just support those policies. Seen this come up in practice tests and the trap is picking B because it sounds practical.

Ajay K. Feb 25, 2026 9:16 am

Business and compliance requirements (A) always take priority since policy needs to meet legal, regulatory, and operational needs. Storage limits or customer contracts come later. Pretty sure A is right here but happy if someone disagrees.

Jamie O. Feb 21, 2026 4:36 pm

Its A (business + compliance always set policy, not just storage or customer contracts). Saw similar Q on practice.

Ajay Feb 18, 2026 2:50 pm

Not sure I buy A here. Business storage and processing needs (B) seem pretty important since you can't keep data forever if you don't have the space or resources. Maybe missing something basic, but B looks solid to me.

Luke L. Feb 20, 2026 5:17 pm

Be respectful. No spam.

Correct Answer:

Explanation

An information retention policy's primary purpose is to ensure that information assets are managed throughout their life cycle in a way that supports business objectives while adhering to external obligations. Business requirements dictate how long data is needed for operational, analytical, or historical purposes to generate value. Simultaneously, compliance requirements, which include laws (e.g., GDPR, SOX), regulations, and contractual agreements, mandate specific minimum and sometimes maximum retention periods. These two drivers—business need and compliance—form the foundational basis for determining appropriate retention schedules, balancing utility, risk, and cost.

Why Incorrect

B. Business storage and processing needs: These are operational and technical constraints that influence how a policy is implemented (e.g., storage costs), not the fundamental rules of what to retain and for how long.

C. Backup and restoration capabilities: These are technical mechanisms for data protection and recovery. The retention policy dictates the backup strategy, not the other way around.

D. External customer data retention requirements: This is too narrow. While a component of compliance, it ignores internal business needs and other legal requirements for non-customer data like employee, financial, or intellectual property records.

References

1. ISACA

CGEIT Review Manual

8th Edition (2020): Domain 2: IT Resource Optimization

Section 2.3

Information/Data. The manual explains that the information life cycle

including retention and disposal

must be managed according to business

legal

and regulatory requirements. Knowledge statement K2.4.2

"Knowledge of data/information life cycle management

" directly supports that retention periods are based on these criteria.

2. ISACA

COBIT® 2019 Framework: Governance and Management Objectives (2018): The management objective APO14 Managed Data includes the practice APO14.07 Manage data storage and archiving. This practice explicitly states the need to "Define and implement policies and procedures for data storage and archiving to meet business and compliance requirements." (p. 139).

3. ISACA

COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution (2018): Design Factor 3

"Compliance requirements

" is identified as a key factor in designing a governance system. This guide emphasizes that legal and regulatory requirements are primary inputs for I&T-related policies

including those for data retention (p. 23).

Q: 7

Which of the following should be established FIRST so that data owners can consistently assess the level of data protection needed across the enterprise?

Options

Discussion

Leo Feb 25, 2026 12:45 am

D . You need a data classification policy before anything else or the other controls (risk mgmt, retention, encryption) won’t be consistent. If you haven’t defined what’s confidential, how can owners know what protection is needed? Pretty sure D is the foundation here, but open to pushback.

JackL Feb 18, 2026 4:27 pm

Its B for me, since a data risk management program is how owners learn to assess threats and needed protections. I get the argument for D but risk management feels more actionable. Not 100 percent though, open to other thoughts.

Mason B. Feb 21, 2026 10:30 am

Yeah, D for sure. You need a data classification policy first or else there's no standard way for data owners to know how sensitive anything is. Everything else like risk management or encryption relies on that baseline. Pretty confident, but if someone thinks B makes more sense let me know.

Sanjay K. Feb 14, 2026 9:14 am

Option C clear and logical question statement makes this one pretty straightforward.

Zoe Feb 15, 2026 1:03 pm

I don’t think it’s D. B makes more sense to me since having a risk management program helps owners know what threats to look for first. Saw a similar question on a practice test and they went with B. Agree?

Sanjay W. Feb 21, 2026 7:59 am

D , that's the baseline step before anything else like risk or encryption can be applied.

Taylor T. Feb 27, 2026 8:56 pm

Maybe B. I keep thinking a data risk management program is the first big step since you need to assess potential threats before getting into policies. Not totally sure though, the question's wording is a bit tricky. Anyone disagree?

Ethan S. Feb 17, 2026 7:27 am

A I think defining objectives to achieve the goals is where you'd start, since you need that clarity before anything else. Makes sense in terms of aligning efforts right from the beginning. Could be wrong but that's my take, anyone disagree?

Grace U. Feb 27, 2026 4:09 pm

Maybe D makes more sense here. Data classification policy usually comes before risk management because you need to know what type of data you have before you can figure out the risks or decide retention/encryption. B is tempting but it's a bit of a trap in this context I think. Anyone see a reason to pick B over D?

Ava Feb 12, 2026 6:33 pm

I see why most go with D, but I'm thinking B here. Wouldn't you need a data risk management program so owners know what type of threats and exposures to assess before applying any standards? Policy alone might not be enough in weird edge cases where regulatory risk isn't defined yet. I think B fits first if they're worried about risk exposure upfront. Open to other viewpoints if I missed something.

Be respectful. No spam.

Correct Answer:

Explanation

A data classification policy is the foundational element required to consistently assess data protection needs. This policy establishes a framework for categorizing data based on its sensitivity, criticality, and value to the enterprise (e.g., Public, Confidential, Restricted). By creating a standardized set of criteria, the policy enables data owners to make uniform and objective decisions about the appropriate level of security controls, such as access rights and encryption, that must be applied. All other data protection activities, including risk management and the implementation of specific controls, are dependent on this initial classification.

Why Incorrect

A. Data encryption program: This is a specific security control. The decision on what data to encrypt and the strength of encryption required is determined after the data has been classified.

B. Data risk management program: A risk management program assesses threats and vulnerabilities, but it requires data classification as a primary input to determine the business impact of a potential data compromise.

C. Data retention policy: This policy defines how long data is kept. While important for governance, it is typically informed by the data's classification, not the other way around.

References

1. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 2: IT Resources

Task Statement 2.3

"Ensure that IT resources are identified and classified based on their criticality and importance to the enterprise." The supporting text explains that classification is a prerequisite for applying appropriate controls and protection measures.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives

2018. Management Objective APO14: Managed Data

Practice APO14.02

"Define and maintain data and information architecture." This practice includes activities for establishing a data classification scheme to ensure data is managed according to its value and sensitivity.

3. ISACA

CGEIT Review

Questions

Answers & Explanations Manual

5th Edition

2020. The rationale for similar questions emphasizes that data classification is the first step in a data management program

as it provides the basis for determining handling requirements

controls

and protection levels.

Q: 8

Which of the following is PRIMARILY achieved through performance measurement?

Options

Discussion

Avery S. Mar 1, 2026 10:19 am

B. saw similar question in a practice set and transparency is the main thing you get first from performance measurement.

Kevin Feb 27, 2026 11:29 am

Option B

Morgan R. Feb 16, 2026 3:22 am

So why wouldn't D be considered primarily achieved here? I remember a similar question where benefit realization was tied directly to performance metrics, since it's all about tracking if goals are met. Is transparency really the main thing, or is it more about seeing the value added?

Ryan Mar 2, 2026 1:42 am

B, not A. Transparency comes first when you start measuring performance, everything else follows from that.

Amelia R. Mar 3, 2026 12:54 pm

I don't think it's A here. Process improvement happens because of what you learn from the measures, but transparency is the first thing you get when you start tracking and reporting performance. See this kind of wording in lots of ISACA practice exams.

Meera Feb 16, 2026 8:57 am

B . Performance measurement is really about making things visible to everyone, so transparency fits best here.

Riley Mar 3, 2026 9:40 pm

B , transparency is what you get first from performance measurement. D's tempting but that's more of a later result.

Ryan P. Feb 24, 2026 2:33 am

I get why B is key here. Measuring performance makes things visible first, which leads to transparency before you can actually improve anything or realize benefits. Pretty sure that's what ISACA expects, but open to other takes.

Anita K. Feb 26, 2026 7:11 am

B , but if the prompt said "direct improvement" instead, A might fit better. Wording really changes these.

Ethan A. Feb 27, 2026 5:13 pm

B for sure. Transparency is what you get right away from performance measurement, as it lets everyone see what’s going on. Process improvement and benefit realization come after, once you have that clear view. Pretty sure that’s what ISACA is testing here, but let me know if you see it differently.

Be respectful. No spam.

Correct Answer:

Explanation

The primary achievement of performance measurement within an IT governance framework is to create transparency. By systematically collecting, analyzing, and reporting on performance metrics (e.g., KPIs), an organization provides stakeholders with clear, factual, and understandable information about the performance of IT against agreed-upon goals. This transparency is the foundational element that enables accountability and supports informed decision-making. While this information is subsequently used to drive process improvement, ensure benefit realization, and manage cost efficiency, these are secondary outcomes that depend on the initial transparency provided by the measurement process itself.

Why Incorrect

A. Process improvement: This is a corrective action or strategic initiative undertaken as a result of analyzing performance data; it is not the primary achievement of the measurement act itself.

C. Cost efficiency: This is a specific performance goal or a category of metrics that can be measured, not the overarching outcome of the entire performance measurement process.

D. Benefit realization: This is a strategic objective that performance measurement helps to track and validate. The measurement provides the data, but realizing benefits is a separate, subsequent activity.

References

1. ISACA

COBIT 2019 Framework: Governance and Management Objectives

2018. The management objective MEA01 Managed Performance and Conformance Monitoring explicitly states its purpose is to "Collect

validate and evaluate... performance and conformance metrics... to ensure that they are sufficient to drive the achievement of goals and provide transparency of performance and conformance..." (p. 195). This directly links performance monitoring with creating transparency as a primary purpose.

2. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 4

Task 4.4 (Monitor and Report on IT Performance) emphasizes that reporting performance to stakeholders provides them with the necessary visibility to take appropriate action. This visibility is synonymous with transparency

which is described as a key outcome of the monitoring and reporting process

enabling other governance activities. (Chapter 4

Section: "IT Performance Monitoring and Reporting").

3. De Haes

& Van Grembergen

W. (2015). Enterprise Governance of Information Technology: Achieving Alignment and Value

Featuring COBIT 5. Springer International Publishing. In Chapter 3

the authors discuss the IT balanced scorecard as a performance measurement system. They state

"The communication of the measures through the scorecard... ensures that the strategy is transparent and translated into comprehensible and actionable measures for the whole organization." (p. 67). This highlights transparency as a direct result of performance measurement and communication. (DOI: 10.1007/978-3-319-14547-1)

Q: 9

Which of the following is the BEST way for a CIO to assess the consistency of IT processes against industry benchmarks to determine where to focus improvement initiatives?

Options

Discussion

Luna Feb 27, 2026 10:46 pm

I get why D looks tempting since audit results are concrete, but maturity models (A) directly compare process levels to industry standards. That lets the CIO benchmark consistently. Pretty sure A is what they're looking for here unless it's about compliance specifically.

Drew I. Feb 14, 2026 5:34 pm

FocusedLead4555 Feb 17, 2026 3:23 pm

A , capability maturity models are used exactly for benchmarking processes to industry standards. D is more for compliance checks but doesn't really help you compare against industry benchmarks. Pretty confident on this, let me know if you see it differently.

FocusedLearner7299 Mar 1, 2026 12:57 am

A seen this type of question show up in recent exam reports.

Sara U. Feb 22, 2026 1:23 pm

D tbh

Ravi R. Feb 24, 2026 3:40 pm

Pretty sure it's A for best way. Capability maturity models are designed for benchmarking process consistency, D is tempting but more about controls review not industry baselines. Feel free to disagree but that's what I've seen in other practice sets.

Grace O. Feb 12, 2026 4:40 am

Doesn't A assume the maturity model is actually calibrated to recent industry benchmarks, or is that not always the case in practice?

Karan Feb 13, 2026 7:30 am

Luna G. Feb 20, 2026 3:12 am

Wouldn't D (process audit results) show if current IT processes are actually being followed and highlight real consistency issues? I get maturity models are good for industry comparison, but actual audit findings seem super concrete. What do you think?

Priya Feb 28, 2026 5:10 am

A imo

Be respectful. No spam.

Correct Answer:

Explanation

A capability maturity model (CMM) is the most suitable tool for this purpose. It provides a structured framework and a standardized scale (e.g., levels 0-5) to assess the current state ("as-is") of IT processes. This allows for a direct comparison against industry best practices and benchmarks, which are often mapped to these maturity levels. By identifying the gap between the current and desired maturity levels, the CIO can effectively pinpoint weaknesses and strategically prioritize improvement initiatives to enhance process consistency and performance. This approach offers a holistic and comparative view that is essential for strategic planning.

Why Incorrect

B. Evaluating the current balanced scorecard is incorrect because a BSC primarily measures performance against an organization's internal strategic objectives, not external industry process benchmarks.

C. Reviewing key performance measures is insufficient as KPMs/KPIs are specific metrics that may lack the comprehensive, structured framework needed for a holistic process capability assessment against industry standards.

D. Reviewing IT process audit results is incorrect because audits focus on compliance with policies and the effectiveness of controls, rather than benchmarking process maturity for strategic improvement.

References

1. ISACA

COBIT 2019 Framework: Introduction and Methodology

2018. Chapter 6

"COBIT Performance Management (CPM)

" details the process capability levels based on CMMI

which are used to "support process improvement by identifying strengths and weaknesses and the implications thereof." This model is explicitly designed for benchmarking.

2. ISACA

CGEIT Review Manual

8th Edition

2020. Domain 4: IT Resource Optimization

Task 4.4

"Monitor and report on IT resource performance

" discusses the use of maturity and capability models to assess processes and identify opportunities for improvement against established benchmarks.

3. De Haes

& Van Grembergen

W. (2009). An exploratory study into IT governance implementations and its impact on business/IT alignment. Information Systems Management

26(2)

123-137. This academic paper discusses the use of COBIT's maturity models as a key tool for organizations to assess their IT governance processes and benchmark them

forming a basis for improvement initiatives (p. 126). DOI: https://doi.org/10.1080/10580530902794786

Q: 10

After experiencing poor recovery times following a catastrophic event, an enterprise is seeking to improve its disaster recovery capabilities. Which of the following would BEST enable the enterprise to accomplish this objective?

Options

Discussion

DirectArchitect2162 Feb 28, 2026 10:23 pm

Makes sense to go with A here. Continuous testing plus fixing what's found is the only option that actually improves recovery times.

Morgan N. Feb 15, 2026 6:54 am

A . Only continuous testing combined with implementing lessons learned (A) directly addresses the poor recovery times by targeting actual weaknesses, not just shifting responsibility or updating plans on a schedule. Outsourcing (D) could improve reliability in some contexts, but if your DR plan/process itself has flaws those will follow, even with a vendor. Unless the scenario mentioned a total lack of in-house expertise, A is the best way to make measurable improvements. If there's a policy that mandates outsourcing regardless of internal maturity, maybe D flips it, but that's rare.

Sara B. Feb 25, 2026 5:34 am

A . Continuous DR testing with lessons learned is the only way to really spot recovery issues and get measurable improvement. Annual reviews help, but aren't enough if timing and readiness matter. I think CGEIT official guide emphasizes this too, but open to other takes.

Alex X. Feb 14, 2026 12:29 pm

A imo, saw a similar question on a practice. Continuous testing is what ISACA usually expects here.

Ryan M. Feb 19, 2026 9:41 pm

Option A makes sense. Continuous testing plus acting on lessons learned is how you actually get better at DR and fix the slow recovery issues. Outsourcing or annual reviews don't address gaps fast enough, I think. Agree?

Anita T. Feb 27, 2026 3:41 am

Makes sense to pick A here. Continuous testing and actually acting on lessons learned is what really bumps up DR effectiveness-not just outsourcing or yearly reviews. Pretty sure that's what's meant by "best enable" for improving recovery times. If anyone disagrees, happy to hear your angle.

Arjun C. Mar 1, 2026 2:35 pm

Maybe D here. Outsourcing disaster recovery could give you more reliable and possibly quicker recovery since you're relying on experts, rather than just testing current processes. I know A is a common pick for ISACA but D seems to directly target the reliability issue in some scenarios. Not positive, open to other views.

Jack N. Feb 17, 2026 10:22 pm

I don’t think it’s D. A. In similar exam scenarios, continuous DR testing plus acting on lessons learned actually improves recovery time, not just shifting responsibility like outsourcing. Pretty sure that's what ISACA wants for 'best enable' here, but open to other takes.

Parker J. Feb 18, 2026 2:26 pm

A is the move here. Consistent DR testing plus updating based on what you find will actually close gaps, not just cover them up. Pretty sure that's what exam wants for "best" enable.

Leo O. Mar 1, 2026 6:08 am

Probably D here. If recovery times are the main issue, outsourcing DR could get you more reliable infrastructure right away.

Be respectful. No spam.

Correct Answer:

Explanation

The most effective way to improve disaster recovery (DR) capabilities, especially after a demonstrated failure like poor recovery times, is through a cycle of testing and refinement. Continuous testing validates the disaster recovery plan (DRP) against real-world conditions, identifies specific points of failure or bottlenecks, and measures performance. The critical second step, implementing "lessons learned," ensures that weaknesses discovered during testing (or a real event) are systematically addressed. This iterative process transforms the DRP from a static document into a dynamic and proven capability, directly targeting the root causes of the poor performance.

Why Incorrect

B. Increased training and monitoring for disaster recovery personnel who perform below expectations

This is too narrow. It assumes the failure was solely due to human error, ignoring potential flaws in the plan, technology, or resource allocation.

C. Annual review and updates to the disaster recovery plan (DRP)

An annual review is a necessary but insufficient activity. It is often a theoretical exercise and lacks the practical validation needed to uncover the specific issues that caused poor recovery times in an actual event.

D. Increased outsourcing of disaster recovery capabilities to ensure reliability

Outsourcing shifts responsibility but does not inherently guarantee improvement. The enterprise remains accountable, and the outsourced solution would still require rigorous testing and management to be proven effective.

References

1. ISACA

CGEIT Review Manual

8th Edition. Domain 4: IT Resource Optimization. The manual emphasizes that business continuity and disaster recovery plans must be regularly tested to ensure they are effective and that the enterprise can recover within the defined recovery time objectives (RTOs). The process of reviewing test results and post-incident reports to identify and implement improvements ("lessons learned") is a fundamental principle of a mature governance program. (Specifically

see concepts within Task 4.6: Ensure that IT-enabled business continuity plans are integrated with the enterprise business continuity plan).

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives. The management objective DSS04 Managed Continuity directly supports the correct answer. Practice DSS04.05 Plan and test managed continuity states the need to "Test the continuity plans on a regular basis to exercise the plans and identify deficiencies... Update the plans based on the results of the tests

reviews and changes in the business and IT environment." This highlights the essential link between testing and implementing corrective actions.

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives. Practice DSS04.08 Conduct post-resumption review further reinforces the concept of learning from events. It advises to "Assess the effectiveness of the response to an incident or disaster after the enterprise has returned to a business-as-usual state. Identify lessons learned and required improvements to the business continuity plan..." This directly aligns with the scenario of improving capabilities after a catastrophic event.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE