CGEIT Domain 1: Framework for the Governance of Enterprise IT
Those working in enterprise IT who are responsible for managing, directing and supporting the governance of IT have the option of earning certifications to help advance their careers. A leading certification for these professionals is Certified in Governance of Enterprise IT, or CGEIT. It is administered by ISACA, and candidates hoping to earn it are required to pass an exam covering four CGEIT domains of knowledge.
This article details the first of the CGEIT domains, Governance of Enterprise IT, explores the recent changes to the CGEIT certification exam and walks through the domain's three sub-topics: governance framework, technology governance and information governance.
Who is CGEIT for?
CGEIT is a certification for professionals in enterprise IT who want to distinguish their governance of enterprise IT knowledge and skills from the pack. Put more simply, it is for those who want to become certified in the governance of enterprise IT so that they can help bring (or improve) enterprise IT governance within an organization.
Recent changes to CGEIT
Several changes to the CGEIT certification exam took effect in July 2020. These changes are:
- CGEIT has shifted its focus from task statements to topic/knowledge areas (or sub-topics) in the outline of exam specifications. The new exam outline contains secondary task statements/activities in each of the four domains of knowledge that allow the candidate to apply the knowledge.
- The sub-topics provide better organized knowledge and task statements in the domains.
- The domain called Strategic Management did not make it to the CGEIT exam outline (job practice). Instead, this domain has been spread throughout the other domains.
- The knowledge statements have been rewritten throughout. This is to account for current technology, and some have been combined to avoid redundancies.
- These changes are intended to enhance the exam preparation experience and the changes provide for a better context in which to apply the knowledge.
The biggest change to CGEIT is the addition of sub-topics to the exam domains. Below are the three sub-topics of the Governance of Enterprise IT domain, which serve as the signposts for the majority of the rest of this article:
- Governance framework
- Technology governance
- Information governance
Some domain names on the certification exam have also changed. For example, what was formerly Domain 1, “Framework for the governance of enterprise IT,” is now known simply as “Governance of enterprise IT,” and “Governance framework” has become the first of its three sub-topics.
As with past versions of CGEIT, every domain is weighted by the percentage of the certification exam that its knowledge accounts for. With the elimination of a previously existing domain, Domain 1’s weight has increased substantially, from 15% to 40%, which suggests where much of the former Strategic Management domain was folded in.
Governance of enterprise IT (GEIT) refers to ensuring that information technology, and the support functions around it, enable and sustain the enterprise strategy and the realization of enterprise objectives. GEIT also enables compliance with the enterprise’s regulatory obligations. Given this, GEIT is an important part of a comprehensive enterprise governance program.
As mentioned earlier, a recent change to CGEIT is the addition of secondary task statements, which sit within the sub-topics of each domain. Below is a breakdown of the secondary tasks for the first sub-topic, governance framework:
1. Components of a governance framework
The components of a governance framework are:
- Enterprise governance: transparency, accountability and security. Enterprise governance covers both corporate and business governance.
- Governance of enterprise IT arrangements
- Governance and management roles, activities and relationships
- Business drivers related to IT governance
- Components of the governance system: COBIT, ISACA’s framework for the governance and management of enterprise information and technology, which takes an enterprise-wide view. The framework is revised regularly and is woven throughout this domain.
2. Organization structures, roles and responsibilities
3. Strategy development
4. Legal and regulatory compliance
5. Organizational culture
6. Business ethics
Technology governance refers to the collective processes, tools and methodologies that allow an organization to align its IT services, environment and infrastructure with the business’s strategy and goals. The secondary tasks it covers are:
- Governance strategy alignment with enterprise objectives
- Strategic planning process
- Stakeholder analysis and engagement
- Communication and awareness strategy
- Enterprise architecture
- Policies and standards
Information governance refers to the specification of decision rights and an accountability framework that together ensure appropriate behavior in the creation, valuation, use, archiving, storage and deletion of information. Activities involved in information governance include:
- Communicating information policies, strategies, standards, metrics and architecture
- Tracking and enforcing compliance with regulations and conformance with information policies, procedures, standards and architecture
- Tracking, overseeing and sponsoring information management program delivery
The secondary tasks of this sub-topic are:
- Information architecture
- Information asset life cycle
- Information ownership and stewardship
- Information classification and handling
Certification exams change over time, and the CGEIT certification exam is no exception. Its recent overhaul includes a fairly substantial set of changes from the 2013 job practice: one domain was folded into the others, secondary tasks were adopted to better focus the application of knowledge, and the knowledge statements were rewritten to reflect the current state of technology.
Please note that while the number of domains has indeed dropped, candidates will be responsible for no less knowledge than they were before.
CGEIT Exam Content Outline, ISACA
ISACA, “CGEIT Review Manual, 8th Edition,” 2020