Isaca Updated CGEIT Exam Questions and Answers by avery

A vision statement should be the primary input when developing IT strategy, because it is a concise and clear expression of the enterprise’s desired future state and direction, and it reflects the enterprise’s mission, values, and goals12. A vision statement can help to guide and inspire the IT function to align its activities and resources with the business needs and expectations, and to deliver value and innovation to the enterprise. A vision statement can also help to communicate and monitor the IT strategy and objectives, and measure the IT performance and outcomes12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 23-24.

The primary basis for establishing categories within an information classification scheme should be the business impact, because it reflects the level of importance and sensitivity of the information to the organisation and its stakeholders. The business impact can be assessed by considering the potential consequences of unauthorised disclosure, modification, or loss of availability of the information. The higher the business impact, the higher the level of protection required for the information. For example, information that could cause severe damage to the organisation’s reputation, operations, or finances if compromised should be classified as Top Secret1, whereas information that is intended for public release should be classified as Public2. The information security policy should provide guidance on how to classify information based on the business impact, but it is not the primary basis for establishing categories. The information architecture and industry standards may also influence the classification scheme, but they are not as relevant as the business impact.

The best way to provide the board with an indication of progress of the IT initiatives is to conduct a portfolio management review. A portfolio management review is a process that involves evaluating and reporting on the performance, status, and outcomes of the IT projects, programs, and services that are part of the IT portfolio. The IT portfolio is a collection of IT investments that are aligned with the enterprise’s strategic objectives and expected to produce substantial value. A portfolio management review can help the board to assess and communicate the progress of the IT initiatives, as well as to identify and address any issues or risks that may affect their success. A portfolio management review can also help the board to ensure that the IT portfolio is balanced, optimized, and aligned with the business needs and priorities. IT Portfolio Management: A Comprehensive Guide | Smartsheet provides an overview of IT portfolio management and its benefits.

 A balanced scorecard is a tool that a CIO would use to present the overall view of IT performance to the board of directors, because it is a framework that translates the enterprise’s vision and strategy into a set of performance measures that cover four perspectives: financial, customer, internal business process, and learning and growth12. A balanced scorecard can help to communicate and monitor the IT strategy and goals, and align the IT activities and resources with the business needs and expectations. A balanced scorecard can also provide a balanced and comprehensive view of the IT performance and value delivery, and highlight the strengths, weaknesses, opportunities, and threats for improvement12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 43-44.