Isaca Updated CGEIT Exam Questions and Answers by lilia

This is because continuous testing of disaster recovery capabilities can help to evaluate and validate the effectiveness and efficiency of the disaster recovery plan, identify and address any gaps or issues, and implement any improvements or adjustments based on the lessons learned1. Continuous testing can also help to ensure that the disaster recovery plan is aligned with the current and future business needs and expectations, and that the disaster recovery team and stakeholders are familiar and prepared with their roles and responsibilities1.

B. Increased training and monitoring for disaster recovery personnel who perform below expectations. This is not the best way to enable the enterprise to accomplish the objective of improving its disaster recovery capabilities, as it only focuses on one aspect of the disaster recovery plan, which is the human factor. While training and monitoring are important for enhancing the skills and performance of the disaster recovery personnel, they are not sufficient to address the other aspects of the disaster recovery plan, such as the technology, process, and communication factors2. Moreover, increased training and monitoring may not be effective if they are not based on a clear and comprehensive assessment of the disaster recovery capabilities and outcomes.

C. Annual review and updates to the disaster recovery plan (DRP). This is not the best way to enable the enterprise to accomplish the objective of improving its disaster recovery capabilities, as it may not be frequent or timely enough to capture and respond to the changing business environment and requirements. An annual review and update may also be insufficient to test and validate the disaster recovery plan, as it may not cover all possible scenarios or situations that could occur in a real disaster3. A more agile and adaptive approach to reviewing and updating the disaster recovery plan is recommended, such as using a continuous improvement cycle or a stage-gate process4.

D. Increased outsourcing of disaster recovery capabilities to ensure reliability. This is not the best way to enable the enterprise to accomplish the objective of improving its disaster recovery capabilities, as it may introduce new risks and challenges for the enterprise, such as loss of control, dependency, compatibility, security, compliance, and cost issues5. Outsourcing some or all of the disaster recovery capabilities may also reduce the involvement and ownership of the enterprise’s internal staff and stakeholders in the disaster recovery planning process, which could affect their commitment and readiness in case of a disaster5. Outsourcing should be carefully considered and evaluated based on the specific needs and circumstances of the enterprise, and should be complemented by a robust governance and management framework5.

Organizational responsibility for IT risk management is a critical factor for the success of the program. Without clear roles and responsibilities, the program may lack accountability, coordination, communication and alignment with the business objectives. The other options are not as concerning as option A, because they do not affect the core of the program. Having risk management-related certifications is desirable, but not mandatory, for the IT risk management team. Monitoring only a few key risk indicators (KRIs) is acceptable, as long as they are relevant and meaningful for the program. Retaining IT risk training records is important, but not essential, for the program effectiveness. References := ISACA, CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.2: IT Risk Management, p. 113-114.

Thebest strategic responseis todevelop and enforce IT asset life cycle policies in consultation with business units. This approach ensures that legacy systems are managed proactively and collaboratively, balancing risk management, regulatory compliance, and operational needs. Policies should define criteria for decommissioning, archival solutions, and acceptable retention practices.

Firewalls and isolation are tactical mitigations, not strategic solutions. Surcharges may discourage usage but do not resolve governance and retention challenges comprehensively.

The accountability for a business continuity program for business-critical systems is best assigned to the CIO, because the CIO is responsible for the IT strategy, operations, and resources that support the business objectives and continuity. The other options are not as suitable as the CIO, because they do not have the same level of authority, expertise, or involvement in the IT function. The enterprise risk manager oversees the overall risk management process, but does not have direct control over the IT resources and activities. The CEO is ultimately accountable for the entire organization, but delegates the responsibility for IT to the CIO. The director of internal audit provides assurance and consulting services on the effectiveness of governance, risk management, and control processes, but does not have operational responsibility for IT or business continuity. References := Business Continuity Program Roles & Responsibilities, Who Should Manage the Business Continuity Program?