Good Enterprise Governance Needs CGEIT: My Journey to Pass the Exam

Author: Adham Etoom, PMP®, GCIH®, CRISC®, FAIR™, CISM®, CGEIT®, Head of Policy & Compliance at National Cyber Security Center of Jordan
Date Published: 3 March 2022

“ISACA's Certified in the Governance of Enterprise IT (CGEIT) certification is framework agnostic and the only IT governance certification for the individual. CGEIT can put you in the role of a trusted advisor to your enterprise!”

I earned ISACA’s CRISC and CISM certifications in 2019 and 2020, respectively. I always feel a professional obligation to give back to ISACA’s global community by sharing my lessons learned after passing each exam – hopefully providing practical guidelines will be beneficial to professionals who are preparing to obtain these industry-recognized credentials worldwide. This post will be somewhat different from my previous ones, as I am linking my journey to pass the Certified in the Governance of Enterprise IT (CGEIT) exam with the strategic value that Governance of Enterprise IT (GEIT) provides, all together in two parts:

There are approximately 6,000 professionals who hold the Certified in the Governance of Enterprise IT® (CGEIT®) credential worldwide. Despite this relatively small number, CGEIT-certified professionals bring great value to enterprises: they enhance the strategic value that IT delivers to the organization and are equipped to handle the IT governance of an entire organization. CGEIT is designed for professionals who participate in directing, managing and supporting the governance of IT. CGEIT holders bring the knowledge and experience needed to align IT with business strategies and goals, manage IT investments to maximize return on investment, and strive for excellence in IT operations and governance while minimizing risk.

The updated CGEIT exam was launched in July 2020, and the new job practice addresses new trends, emerging technologies and changing business needs, accounting for the latest governance industry practice. The CGEIT job practice focuses on information governance and big data and accounts for data privacy. The updated CGEIT exam validates knowledge and expertise in four work-related domains, as follows:

Domain 1: Governance of Enterprise IT (40%)

Domain 2: IT Resources (15%)

Domain 3: Benefits Realization (26%)

Domain 4: Risk Optimization (19%)

How I Prepared for the CGEIT Exam:
My preparation time for the CGEIT exam was relatively short; I chose self-study as it was more convenient for me, which is similar to my CISM strategy in terms of duration and approach. While the preparation for the exam is not easy due to the high volume and intensity of study materials, the key resources that you need to pass the exam are:

I started with the CGEIT official review manual from ISACA and read it twice cover-to-cover. After the first read, I practiced the QAEs manual and revisited the incorrect answers. Then I studied all of VAL IT, RISK IT, and COBIT frameworks. Afterward, I started the second round of CGEIT study and practiced QAEs until I reached a high score while clearing all the gaps in alignment with the job practices.

The following general tips may be helpful to build your strategy accordingly:

  • Learning by objectives, through planning, studying and measuring consistently, is the key to success in your exam journey. You must prepare well in advance, set aside the study time and obtain the resources you need.
  • Preparation for CGEIT is all about understanding the big picture and wearing the hat of a senior leader in an enterprise (i.e., CIO).
  • A good starting point is to try the official sample exam.
  • Take notes, including reference notes whenever needed, and keep your plan sheet and dashboard up to date on a daily basis.
  • Focus on comprehension, not memorizing concepts.
  • You need to know the CGEIT job practices very well.
  • Practice the CGEIT Review Questions, Answers & Explanations as much as you can. You should be able to justify why you answered correctly as well as why the other answers are incorrect. Remember: Practice makes perfect.
  • Getting more than 80% of the total QAEs correct is a good indicator of exam readiness for a go/no-go exam decision, while more than 90% gives the subjective confidence to choose a specific exam date.
  • At this point, you can book your exam in advance so that you stay on schedule. If needed, you can reschedule your exam only up to 48 hours before the booked date and time slot.
  • Review study gaps from the CGEIT Review Manual and the QAEs continuously in a consistent manner and check available resources such as books, blogs and security magazines to bridge these gaps.
  • Keep your schedule in check, and study at various time slots of the day and week. If you feel tired, don’t try to study at all for that day.
  • Relax the day before the exam and don’t study too much. Minor review is fine. Good sleep the night before is a critical success factor.
  • On the exam day, keep track of time from question #1 to question #150, and read each question and its options carefully while accounting for the time available per question. Flag a question if you are not confident and move on. Review what you flagged if you have enough time left.

After I confirmed that I passed the CGEIT exam, I prepared my application, then submitted it immediately to ISACA’s CGEIT Certification Working Group. Luckily, I did not wait long until I received: “Congratulations! … Granted certification as a Certified Governance of Enterprise IT (CGEIT).” The journey should not stop here!

Good Governance Needs CGEIT: Why and How?
Governance tends to be one of the most neglected aspects in businesses today. Effective IT governance is the single most important predictor of the value an enterprise generates from IT. Despite this fact, not everyone feels comfortable discussing this complex area.

Many enterprises misunderstand and underestimate EGIT’s purpose and value. The value consists of achieving business benefits throughout the full economic lifecycle of investment decisions while optimizing risk and resources. It can be best defined as the total lifecycle benefits, net of related costs, adjusted for risk and for the time value of money. The following three definitions summarize the CGEIT landscape:

  • Benefits realization: achieving the benefits that the enterprise sets out based on stakeholder needs and eliminating initiatives or assets that are underperforming or unnecessary to the business.
  • Risk optimization: the enterprise makes informed decisions to ensure that risk exposure does not exceed the risk appetite.
  • Resource optimization: achieved through applying resources at the right time, place and level of effort and without waste or underutilization.

For better GEIT comprehension and successful implementation, two well-known frameworks are fundamental to think about and must be understood:

  1. Val IT: answers two fundamental questions:
  • Strategic: Are we doing the right things?
  • Value: Are we getting the benefits?
  2. COBIT: answers another two fundamental questions:
  • Architectural: Are we doing them the right way?
  • Delivery: Are we getting them done well?

Good enterprise governance is a necessity in today’s fast-paced enterprise ecosystems. It is about evaluating, directing and monitoring the enterprise’s strategic options, and striking a proper balance between risk, resources, benefits, value creation and preservation, and stakeholder expectations.

From an implementation perspective, adopting GEIT requires enabling large-scale, fundamental change across the enterprise, and this demands a serious commitment from the enterprise’s executive management and board of directors. Furthermore, having qualified personnel available to lead the GEIT implementation is a critical success factor for mature enterprise governance.

CGEIT is beneficial by several measures. It covers complex subjects holistically across business and IT, and it enables you to think strategically, utilize and optimize resources and risk, deliver value to the business, account for regulatory considerations, improve business process maturity, and help enterprises understand which IT investments make sense to the business today and tomorrow. Ultimately, the enterprise’s IT and business units will operate with higher efficiency and optimum effectiveness, resulting in greater reliability and trust in, and value from, information systems. CGEIT is a framework of frameworks.

Lastly, in my opinion, the new CGEIT exam did a good job for me in terms of assessing deep knowledge and expertise in EGIT practices in real business situations. My advice while preparing for such a tough exam is to be curious about all aspects of good enterprise governance practices, ideally and in their real-world applications. If you are passionate about what you are doing, reaching the desired destination will be a natural byproduct of such a journey. I wish you well in your preparations.