Isaca Updated CGEIT Exam Questions and Answers by mckenzie

Before developing an IT strategic plan, it is essential to review the enterprise business plan, which defines the enterprise’s structure, governance, and operations. The enterprise business plan describes the enterprise’s vision, mission, goals, objectives, strategies, and performance measures. It also outlines the enterprise’s value proposition, market position, competitive advantage, and customer segments. The IT strategic plan should align with and support the enterprise business plan by providing a roadmap for how IT will enable and enhance the business capabilities and outcomes. The IT strategic plan should also consider the enterprise’s risk appetite and tolerance, which are defined by the enterprise’s risk management framework.

The other options are not necessarily required before developing an IT strategic plan. Aligning the enterprise vision statement with business processes is part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. Developing an enterprise architecture (EA) framework is a separate activity that can be done in parallel or after developing the IT strategic plan. The EA framework defines how to create and use an enterprise architecture, which provides a holistic view of the organization’s business, information, and technology. Reviewing the enterprise risk tolerance level is also part of the IT strategic planning process, but it does not have to be done before developing the IT strategic plan. The risk tolerance level reflects the acceptable level of variation around a particular set of risk-based objectives.

 According to the CGEIT exam guide, the organization’s risk profile is a representation of the current and potential risks that the organization faces, as well as the likelihood and impact of those risks. The risk profile helps to inform the risk management strategy, policies and processes, as well as the risk appetite and tolerance of the organization. When an enterprise enters into a new market that brings additional regulatory compliance requirements, the first thing that should be done is to update the organization’s risk profile to reflect the new sources, types and levels of risk that the enterprise may encounter. This will help to identify and assess the compliance risks, as well as to plan and implement appropriate risk responses and controls. The other options are not the first things that should be done, as they are more related to the execution and monitoring of compliance, rather than the identification and assessment of compliance risks. References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification, How to Develop a Risk Profile

The MOST effective way to ensure that IT supports the agile needs of an enterprise is to develop a robust enterprise architecture (EA). Enterprise architecture is the practice that supports organizations to understand the complexity of their own business components so they can be changed in a consistent way1. Enterprise architecture provides a framework for change, linked to both strategic direction and business value. It provides organization views to manage complexity,support continuous change, and keep the adequate level of balance between risk and innovation1. Enterprise architecture is also key to support strategic decision making, to provide guidance and guardrails to IT teams that are focused on agile delivery solutions2.

Some of the benefits of developing a robust enterprise architecture for an agile enterprise are3:

It aligns the IT objectives and activities with the business strategy and expectations

It enables faster and more effective delivery of IT solutions that meet customer needs and expectations

It reduces waste, duplication, and technical debt by promoting reuse, standardization, and integration of IT assets

It fosters innovation and experimentation by providing a clear vision, direction, and roadmap for new and emerging technologies

It enhances collaboration and communication among stakeholders by providing a common language and understanding of the organization’s architecture

Therefore, developing a robust enterprise architecture is the most effective way to ensure that IT supports the agile needs of an enterprise.

The IT strategy committee should mandate the creation of a data privacy policy next, because this would provide a formal and consistent framework for implementing and enforcing the data governance strategy and the privacy objectives related to access controls, authorized use, and data collection. A data privacy policy should define the roles and responsibilities of the data owners, stewards, custodians, and users, and specify the principles, standards, and procedures for collecting, processing, storing, sharing, and disposing of personal data in compliance with the legal and regulatory requirements12. A data privacy policy should also include the mechanisms for monitoring and auditing the data privacy practices, and for handling any data breaches or incidents12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 57-58.