Isaca Updated CGEIT Exam Questions and Answers by cecily

 An IT risk-aware culture is one that promotes a shared understanding of risk and supports the organization’s strategy, business model, operational practices, and competitive advantage1. It works to strengthen the core of an organization’s operations and protects customers, the brand, and the bottom line1. An IT risk-aware culture also involves the participation and collaboration of all stakeholders in identifying, assessing, and managing IT risks2. Therefore, the BEST evidence of an IT risk-aware culture across an enterprise is when business staff report identified IT risks. This indicates that the business staff are aware of the potential threats and impacts that IT risks can pose to the organization, and that they are willing and able to communicate and escalate them to the appropriate authorities3.

The other options are not as good as option A. While it is important to communicate IT risks to the business, publish IT risk-related policies, and ensure the resilience of the IT infrastructure, these are not sufficient to demonstrate an IT risk-aware culture across an enterprise. They are rather means to achieve the end goal of managing and mitigating IT risks. They do not necessarily reflect the level of awareness, attitude, and behavior of the organization’s employees toward risk and how risk is managed within the organization. References :=

Cultivating a Risk Intelligent Culture - Deloitte US1

Building an Effective Risk-Aware Culture - Magazine4

7 Steps to Create a Risk-Aware Culture | Treasury & Risk3

 An IT balanced scorecard (BSC) is a framework that measures and manages the performance and value of IT in relation to the enterprise’s strategy, goals, and objectives. An IT BSC provides the most comprehensive insight into the effectiveness of IT, because it covers four perspectives that reflect the key aspects of IT: financial, customer, internal process, and learning and growth. For each perspective, an IT BSC defines objectives, measures, targets, and initiatives that align with the enterprise’s vision and mission. An IT BSC also helps to balance the short-term and long-term outcomes of IT, as well as the leading and lagging indicators of IT performance. According to ISACA’s article on The IT Balanced Scorecard1, “the IT BSC is a powerful tool for demonstrating the contribution of IT to the business, communicating IT performance in business terms, and aligning IT with business strategy.” Furthermore, according to ISACA’s CGEIT Domain 1: Framework for the Governance of Enterprise IT2, “the IT BSC is a widely used framework for measuring and managing the performance of IT resources in relation to enterprise goals.” Therefore, an IT BSC is the best way to provide a comprehensive insight into the effectiveness of IT.

The CIO is responsible for the overall IT governance and ensuring that IT supports the business objectives and strategy. The CIO should also ensure that IT staff have the necessary skills and competencies to perform their roles effectively and efficiently. The CIO should address the root cause of the service disruption and take corrective actions to prevent recurrence. References := CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, page 17-18.

 To enable the development of required IT skill sets for the enterprise, it is most important to define skill requirements based on each role within the IT department, because different roles may have different responsibilities, tasks, and expectations that require specific skills and competencies. By defining skill requirements based on each role, the enterprise can ensure that the IT staff have the appropriate knowledge, abilities, and experience to perform their roles effectively and efficiently, and to support the enterprise’s goals and objectives. According to ISACA’s CGEIT Domain 2: IT Resources1, “the enterprise should identify the skills required for each IT role and assess the current and future skill gaps.” Furthermore, according to ISACA’s article on IT Skills Gap2, “the skills gap is not a one-size-fits-all problem. It varies by industry, organization and department/role.” Therefore, defining skill requirements based on each role within the IT department is the best way to enable the development of required IT skill sets for the enterprise. References:

IT Skills Gap: Trends, Implications and Best Practices - ISACA

IT Governance: Definitions, Frameworks and Planning - ProjectManager

What is IT governance? A formal way to align IT & business strategy | CIO

CGEIT Domain 2: IT Resources