CGEIT certification exam Domain 4: Risk optimization
The Certified in Governance of Enterprise IT, or CGEIT, is an IT governance certification offered by ISACA. The certification exam recently received an overhaul that changes not only the number of domains in the exam, but also a fair amount of exam content and how it is presented to the certification exam candidate.
This article will detail Domain 4 of the CGEIT certification exam and explore the changes that will affect the 2020 job practice and the sub-topics of the domain. For those familiar with previous job practices, the term "sub-topic" may seem completely new to you. But don’t worry: all will be explained.
Recent changes to CGEIT
Several changes to the CGEIT certification exam have kicked in, starting in July 2020. These changes are:
- The CGEIT certification exam has shifted its focus from task statements to topic/knowledge areas (or sub-topics) in the outline of exam specifications. The new exam outline contains secondary task statements/activities in each of the four domains of knowledge that allow the candidate to apply the knowledge.
- The sub-topics provide better organized knowledge and task statements in the domains.
- What was once five domains is now four, with the former Domain 5 being spread amongst the remaining domains.
- Domain 4 had an exam content weight of 26% in previous exam versions. This domain now has a weight of 19%.
- The domain called Strategic Management did not make it to the CGEIT exam outline (job practice). Instead, this domain has been spread throughout the other domains.
- The knowledge statements have been rewritten throughout. This is to account for current technology. Some have been combined to avoid redundancies.
- These changes are intended to enhance the exam preparation experience and to provide a better context in which to apply the knowledge.
You will probably find that the most obvious change to the certification exam is the appearance of sub-topics. These sub-topics, or content areas, will help to better focus and organize the exam. The sub-topics for Domain 4 are:
- Risk strategy
- Risk management
Just as sub-topics are used as signposts to guide the exam candidate, I will likewise use them to guide you through this article.
Domain 4 objective
The objective of this domain is to ensure that the appropriate IT risk frameworks are in place and aligned with standards to identify, evaluate, analyze, manage, mitigate, monitor and communicate regarding IT business risk as an essential part of the enterprise IT governance environment.
IT risk is affected by the same factors as business risk: management, geographical, risk appetite, geopolitical and industry-specific factors. It is imperative to consider IT risk in the wider business context.
Risk frameworks and standards
This secondary task covers the following risk management frameworks and standards:
- ISACA Risk IT Framework
- Factor Analysis of Information Risk (FAIR)
- COSO ERM Integrated Framework
- ISO 31000 Risk Management Series
- ISO 20000-1:2018: Information technology – Service management – Part 1: Service management system requirements
- ISO 20000-2:2019: Information technology – Service management – Part 2: Guidance on the application of service management systems
- Project Management Body of Knowledge (PMBOK)
- ISO/IEC 27005:2018: Information technology – Security techniques – Information security risk management
- ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security controls
Risk IT Framework
The guiding framework for Risk IT is the ISACA Risk IT Framework. This framework is aligned with the COBIT Framework and helps enterprises make risk-aware IT decisions that are appropriate for the enterprise.
COBIT 5 for Risk
This COBIT information risk view provides risk-specific guidance for ISACA information risk professionals as it relates to COBIT. COBIT 5 provides practical guidance through two different perspectives:
- Risk function perspective
- Risk management perspective
COSO ERM Framework
The COSO ERM Framework provides an outline of objectives and components that have a direct relationship with each other. This relationship is presented in the form of a cube.
ISO 31000:2018 Principles and Guidelines on Implementation of Risk Management
This is a family of risk management-related standards that are applicable throughout the entire lifespan of an enterprise, as well as to its various activities.
OCTAVE
OCTAVE is a threat and vulnerability assessment framework whose objective is to aid in information security risk evaluations.
Other risk management standards and frameworks
- ISO/IEC 20000
- ISO/IEC 27000-series
- ISO/IEC 31010:2019
- NIST Special Publication 800-37 Revision 2
- NIST Special Publication 800-30 Revision 1
- NIST Special Publication 800-39
Enterprise risk management
Other than IT risk, enterprises are faced with:
- Strategic risk
- Environmental risk
- Credit risk
- Market risk
- Operational risk
- Compliance risk
Risk appetite and risk tolerance
- Exactly what it says on the label!
IT-enabled capabilities, processes, and services
- The relationship of the risk management approach to business resiliency
Business risk, exposures and threats
- Risk categories
- Risk scenarios
- Opportunities and risk
- Types of business risk, exposures and threats that can be addressed using IT resources
Risk management life cycle
- IT risk analytics, monitoring and reporting
- Risk management information system
- Locked-down operations
- Decision support, risk analytics and reporting
- Risk response strategies related to IT in the enterprise
- Methods to establish key risk indicators
- Methods to monitor effectiveness of response strategies and/or controls
- Segregation of duties
- Stakeholder analysis and communication techniques
- Methods to track, manage and report the status of identified risk
Risk assessment methods
- Qualitative risk assessment
- Quantitative risk assessment
- Combining qualitative and quantitative methods – toward probabilistic risk assessment
- Practical guidance on analyzing risk
The CGEIT certification exam has undergone a facelift of sorts to update the exam material with the latest technology, a restructuring of the focus of the exam from task and knowledge statements to topic/knowledge areas, and a shift from IT governance to information governance and big data.
Domain 4 had a slight drop in its content weight, from 26% to 19%. This does not mean this domain is skimpy on exam material! Despite its weight, there is more content in this domain than in any of the others.