Isaca Certification CGEIT Syllabus Exam Questions Answers

An information classification framework would be the most helpful to an enterprise that wants to standardize how sensitive corporate data is handled, because it provides a systematic and consistent way to identify, label, and protect the data according to its level of sensitivity and the impact of its exposure. An information classification framework helps to define the criteria and methods for classifying data into different categories, such as public, internal, confidential, or secret1. It also helps to specify the roles and responsibilities, policies and procedures, standards and expectations, and tools and techniques for handling data securely and appropriately throughout its life cycle2. An information classification framework also helps to comply with the legal and regulatory requirements, and to reduce the risks, costs, and complexity associated with data management3.

References := Information classification – How to do it according to ISO 27001, Create a well-designed data classification framework, Information classification framework diagram.

 According to the CGEIT exam guide, the organization’s risk profile is a representation of the current and potential risks that the organization faces, as well as the likelihood and impact of those risks. The risk profile helps to inform the risk management strategy, policies and processes, as well as the risk appetite and tolerance of the organization. When an enterprise enters into a new market that brings additional regulatory compliance requirements, the first thing that should be done is to update the organization’s risk profile to reflect the new sources, types and levels of risk that the enterprise may encounter. This will help to identify and assess the compliance risks, as well as to plan and implement appropriate risk responses and controls. The other options are not the first things that should be done, as they are more related to the execution and monitoring of compliance, rather than the identification and assessment of compliance risks. References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification, How to Develop a Risk Profile

 Information retention policies are the most important to review, because they define the rules and procedures for retaining, disposing, and destroying information in accordance with the legal, regulatory, and business requirements. Information retention policies can help the enterprise to comply with the personal data protection regulations, and to ensure the privacy, security, and availability of the employee data in production systems12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 57-58.

The BEST time to identify metrics to measure the performance of an IT-enabled investment is during business case development. A business case is a document that provides the rationale and justification for initiating a project or investment1. It includes information such as the objectives, scope, benefits, costs, risks, assumptions, and success criteria of the proposed project or investment2. Identifying metrics to measure the performance of an IT-enabled investment during business case development can help to:

Define the expected outcomes and value of the investment3

Establish a baseline and targets for comparison and evaluation4

Align the investment with the strategic goals and objectives of the enterprise5

Communicate and demonstrate the benefits and impacts of the investment to stakeholders

Monitor and control the progress and performance of the investment throughout its lifecycle References :=

Business Case Development - Project Management Institute1

How to Write a Business Case - ProjectManager.com2

How to Measure the Value of an IT Investment - TechSoup3

Maximizing IT Performance: 11 Metrics and KPIs to Monitor - Whatfix4

Top 10 Essential IT Metrics & KPIs - Apptio5

17 Metrics For Evaluating The Success Of Tech Projects And … - Forbes

8 Portfolio Performance Metrics Investors Should Understand - Navexa