Isaca Updated CGEIT Exam Questions and Answers by zayne

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, emphasizes proactive risk management to minimize future risks after incidents. After containing cyber events, understanding their causes is critical to prevent recurrence and reduce business exposure.

Option D: Perform a root cause analysis is the best approach. This involves investigating the underlying reasons for the cyber events (e.g., vulnerabilities, misconfigurations) to identify and remediate weaknesses. For example, a root cause analysis might reveal unpatched systems, leading to improved patch management. The manual likely references COBIT 2019’s APO12-Managed Risk, which includes root cause analysis as a key risk response activity.

Option A: Review the ISP contract is narrow and may not address the root causes of cyber events, which are often internal.

Option B: Purchase cybersecurity insurance mitigates financial impact but doesn’t prevent future incidents.

Option C: Conduct a BIA assesses impact but doesn’t identify causes, making it less immediate for risk reduction.

Double Verification: The answer aligns with COBIT’s risk management processes and the CGEIT domain’s focus on addressing incident causes. Root cause analysis is a standard ISACA practice post-incident.

ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on incident response and risk mitigation).

COBIT 2019, APO12-Managed Risk.

ISACA Glossary (for definitions of root cause analysis), available at https://www.isaca.org/resources/glossary.

Developing an IT strategy to leverage AI requires a clear understanding of business needs and objectives to ensure alignment. The CGEIT Review Manual 8th Edition emphasizes that the first step in strategic IT planning is to identify and document business requirements, as these drive the development of an IT strategy that supports enterprise goals.

Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management):"The development of an IT strategy begins with a thorough understanding of business requirements and objectives. Documenting requirements mapped to business functions ensures that the IT strategy is aligned with enterprise goals and delivers value." (Approximate reference: Domain 4, Section on Strategic Alignment)

Documenting requirements mapped to each business function (option A) ensures that the AI strategy is tailored to specific business needs, such as improving customer experience, optimizing operations, or enhancing decision-making. This step precedes technical or operational considerations, as it establishes the foundation for the strategy.

Why not the other options?

B. Benchmark how other IT organizations are leveraging AI: Benchmarking is useful for gaining insights but is a secondary step that should follow the identification of business requirements. Without clear requirements, benchmarking may lead to irrelevant comparisons.

C. Define the IT infrastructure requirements for AI implementation: Infrastructure requirements are technical details that come after understanding business needs and defining the scope of AI use cases.

D. Define an operational level agreement (OLA) between IT and business functions: OLAs are operational agreements that support implementation, not strategy development. They are premature at this stage.

Before any strategic direction can be set for AI initiatives,assessing the current AI capabilities and infrastructureis essential. This foundational step provides a baseline of where the organization currently stands, what assets or skills it possesses, and what gaps may exist.

Subsequent actions, such as developing use cases, forming teams, or crafting policies, rely heavily on this understanding. Without a proper assessment, strategic decisions may be misaligned with the organization’s actual readiness or capabilities.

Control self-assessments (CSAs)are the best method to continuously monitor and improve IT governance activities. CSAs empower internal teams to regularly evaluate performance, identify gaps, and initiate corrective actions, ensuring ongoing compliance and alignment with governance objectives.

External audits and mappings are periodic and less dynamic, whereasCSAs offer proactive, continuous oversight.