Practice CISA Governance and Management of IT questions with full explanations on every answer.
1. A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?
2. A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?
3. An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?
4. A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?
5. An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?
6. An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?
7. A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?
8. Which of the following is the PRIMARY purpose of an IT governance framework?
9. An organization has implemented a new IT service management (ITSM) tool. The IT manager wants to measure the effectiveness of incident management. Which metric is MOST appropriate?
10. Which TWO of the following are key responsibilities of an IT steering committee?
11. Which THREE of the following are components of a typical IT governance framework?
12. Which TWO of the following are benefits of implementing an IT governance framework?
13. Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes, which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?
14. Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?
15. An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted, but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?
16. During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?
17. An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of using a framework like COBIT?
18. An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?
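The SLA question above is decided by an error-budget calculation: 99.9% of a 30-day month leaves 43.2 minutes of permitted downtime, so a 45-minute outage breaches it. The script below is an added example (not part of the question bank or Courseiva's material) that generalizes the check to any window and any number of outage intervals. It assumes the SLA measures availability as uptime minutes over calendar-month minutes and that overlapping incident records for the same outage count once; the dates and outage windows are constructed sample data.

```python
"""Added example: evaluate a monthly uptime SLA against recorded outages.

Assumptions (not stated in the question): availability is measured as
(window - downtime) / window over the calendar month, and overlapping
outage records are merged so a single outage is never double counted.
"""
from datetime import datetime, timedelta


def allowed_downtime(sla_pct: float, window: timedelta) -> timedelta:
    """Error budget: downtime the SLA permits within the measurement window."""
    return window * (1 - sla_pct / 100)


def merge_intervals(intervals):
    """Merge overlapping or adjacent (start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def total_downtime(window_start, window_end, outages) -> timedelta:
    """Sum merged outage time, clamped to the measurement window."""
    total = timedelta()
    for start, end in merge_intervals(outages):
        s, e = max(start, window_start), min(end, window_end)
        if e > s:
            total += e - s
    return total


def evaluate_sla(sla_pct, window_start, window_end, outages):
    """Return the budget, consumed downtime, achieved availability and verdict."""
    window = window_end - window_start
    budget = allowed_downtime(sla_pct, window)
    downtime = total_downtime(window_start, window_end, outages)
    return {
        "allowed_minutes": budget.total_seconds() / 60,
        "downtime_minutes": downtime.total_seconds() / 60,
        "achieved_pct": (window - downtime) / window * 100,
        "met": downtime <= budget,
    }


# Constructed sample data: the question's 30-day month (June) with one
# 45-minute outage, plus a 31-day month (July) to show the window matters.
JUNE = (datetime(2024, 6, 1), datetime(2024, 7, 1))
JULY = (datetime(2024, 7, 1), datetime(2024, 8, 1))
OUTAGE_JUNE = [(datetime(2024, 6, 12, 2, 0), datetime(2024, 6, 12, 2, 45))]
# Two overlapping incident records for one outage (must count as 45 min, not 75).
OUTAGE_JULY_SPLIT = [
    (datetime(2024, 7, 9, 1, 0), datetime(2024, 7, 9, 1, 30)),
    (datetime(2024, 7, 9, 1, 15), datetime(2024, 7, 9, 1, 45)),
]


def question_verdict():
    """The page's scenario: 99.9% SLA, 30-day month, 45-minute outage."""
    return evaluate_sla(99.9, *JUNE, OUTAGE_JUNE)


def july_verdict():
    """Same outage in a 31-day month, reported as two overlapping tickets."""
    return evaluate_sla(99.9, *JULY, OUTAGE_JULY_SPLIT)


if __name__ == "__main__":
    print(question_verdict())
    print(july_verdict())
```

The 31-day case shows why the answer depends on how the contract defines "per month": a 31-day month allows 44.64 minutes, so the same 45-minute outage still breaches, but an outage of 44 minutes would breach in June and not in July. Contracts that use a rolling 30-day window or exclude scheduled maintenance change the arithmetic again, so read the SLA's measurement clause before declaring a breach.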
19. Which TWO of the following are key components of an IT governance framework?
20. Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?
21. You are the IT governance lead at a multinational corporation with a complex IT environment spanning multiple business units. The company has recently experienced a series of minor security incidents in which unauthorized access was gained through unused user accounts that were not disabled after employees left the organization. Additionally, there have been delays in provisioning access for new hires, leading to productivity losses. The IT department currently uses a manual process for access management, with each business unit maintaining its own user lists. The company has a policy that requires access reviews every quarter, but these are often missed or performed superficially. The CIO has asked you to recommend a solution that addresses these issues while ensuring compliance with regulations such as GDPR and SOX. Which of the following is the BEST course of action?
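Whatever governance answer the scenario above expects, the operational core of a quarterly access review is a reconciliation of the directory against the HR system of record: leavers whose accounts are still enabled, accounts with no identifiable owner, dormant accounts, and active employees with no account yet (the provisioning delay). The script below is an added example, not part of the question bank or Courseiva's material. It runs over a constructed HR roster and directory export embedded as CSV; the column names, the two business units and the 90-day dormancy threshold are assumptions chosen for illustration.

```python
"""Added example: reconcile a directory export against the HR roster to
produce the findings a quarterly access review should surface.

All data below is constructed. Column names and the 90-day dormancy
threshold are assumptions, not taken from the page.
"""
import csv
import io
from datetime import date, timedelta

# HR system of record: who is employed and who has left (constructed).
HR_ROSTER = """employee_id,name,status,end_date
E100,Alice Hart,active,
E101,Bob Ito,terminated,2024-03-15
E102,Cara Lund,active,
E103,Dan Moss,terminated,2024-05-02
E104,Eve Nash,active,
E105,Pat Quinn,active,
"""

# Directory export merged from two business units' user lists (constructed).
DIRECTORY_EXPORT = """account,employee_id,business_unit,enabled,last_logon
ahart,E100,finance,true,2024-06-28
bito,E101,finance,true,2024-03-14
clund,E102,ops,true,2024-06-30
dmoss,E103,ops,false,2024-04-30
pquinn,E105,ops,true,2024-02-10
svc-backup,,ops,true,2024-02-01
tmp-contractor,,finance,true,
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(roster_csv, directory_csv, as_of, dormant_after=timedelta(days=90)):
    """Return review findings keyed by category; each value is an ordered list."""
    roster = {r["employee_id"]: r for r in parse_csv(roster_csv)}
    findings = {"orphaned": [], "unmapped": [], "dormant": [], "missing": []}
    provisioned = set()

    for acct in parse_csv(directory_csv):
        enabled = acct["enabled"].strip().lower() == "true"
        emp_id = acct["employee_id"].strip()
        emp = roster.get(emp_id)
        if emp_id:
            provisioned.add(emp_id)
        if emp is None:
            # No owner in the system of record: service and contractor accounts
            # need a named owner, otherwise leavers hide among them.
            findings["unmapped"].append(acct["account"])
            continue
        last = date.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        if emp["status"] == "terminated" and enabled:
            # Leaver still holds a live credential: the scenario's breach path.
            findings["orphaned"].append(acct["account"])
        elif enabled and (last is None or as_of - last > dormant_after):
            findings["dormant"].append(acct["account"])

    for emp_id, emp in roster.items():
        if emp["status"] == "active" and emp_id not in provisioned:
            # Joiner with no account: the provisioning delay in the scenario.
            findings["missing"].append(emp_id)
    return findings


def sample_review():
    """Run the review over the constructed data as of 1 July 2024."""
    return review_accounts(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 7, 1))


if __name__ == "__main__":
    for category, items in sample_review().items():
        print(f"{category}: {items}")
```

A review that produces an empty "orphaned" list every quarter is evidence the reviewers can attest to; one that cannot be produced because each business unit keeps its own spreadsheet is the control gap the scenario describes. Feeding HR terminations into the same reconciliation daily, rather than quarterly, is what turns the report into automated deprovisioning.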
22. Which TWO of the following are key responsibilities of an IT steering committee?
23. Based on the exhibit, which control is most likely missing to prevent this type of event?
24. A mid-sized company is implementing a new IT service management (ITSM) tool to improve incident management. The IT manager wants to ensure that the tool aligns with ITIL best practices. The company has a dedicated service desk team that handles about 200 incidents per week. The IT manager is considering whether to implement a self-service portal for users to submit incidents and check status, or to continue using email-based incident reporting. The service desk team is concerned that a self-service portal might reduce their direct interaction with users and potentially lead to less personalized support. However, the IT manager believes that a portal could improve efficiency and tracking. The company's IT governance framework requires that any major IT investment be approved by the steering committee and that there be a clear business case. The IT manager has prepared a business case, but the steering committee wants to ensure that the solution is aligned with ITIL and that it addresses key incident management processes. Which of the following is the most appropriate next step for the IT manager?
25. Arrange the steps to perform a risk assessment in the correct order.
26. Order the steps for performing a data backup in the correct sequence.
27. Match each COBIT 5 domain to its description.
28. Match each log type to its typical content.
29. A company is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?
30. An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?
31. A multinational corporation is evaluating its IT governance structure. The board wants to ensure that IT investments are prioritized based on risk and value. Which framework component is MOST critical?
32. A small business lacks formal IT governance. What is the FIRST step to establish governance?
33. An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?
34. A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?
35. An organization wants to ensure that IT performance is measured against strategic goals. Which tool is BEST suited?
36. A company has multiple business units with conflicting IT priorities. Which governance body should resolve this?
37. An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?
38. An IT governance framework should include which TWO key components? (Select exactly two.)
39. An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)
40. A large enterprise is assessing its IT governance maturity. Which THREE of the following are indicators of a mature governance process? (Select exactly three.)
41. Refer to the exhibit. Based on the governance status report, which component should be addressed as a priority?
42. Refer to the exhibit. The organization is planning to achieve the target level. What is the MOST appropriate action?
43. Refer to the exhibit. Which perspective shows the greatest deviation from target?
44. An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?
45. An organization has implemented a balanced scorecard (BSC) for IT performance measurement. Which of the following is the PRIMARY benefit of using a BSC?
46. During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?
47. An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?
48. An IT governance framework has been implemented, but the board is not receiving regular reports on IT performance. Which of the following is the BEST course of action?
49. An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?
50. An organization has decentralized IT management, with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?
51. A company is implementing IT governance based on COBIT 2019. Which of the following design factors would have the GREATEST impact on the governance system design?
52. An organization's IT strategy is developed by the IT department without input from business stakeholders. Which of the following is the MOST significant risk?
53. Which TWO of the following are key components of an IT governance framework?
54. An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?
55. Which THREE of the following are indicators of mature IT governance?
56. Based on the exhibit, what is the MOST appropriate action for IT management?
57. Which of the following is a potential risk in this RACI matrix?
58. What is the MOST significant weakness in the planned remediation?
59. An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?
60. An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. What is the committee's MOST important role?
61. An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?
62. According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?
63. An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?
64. An organization's IT governance framework includes a policy that all system access must be reviewed quarterly. The internal audit finds that reviews are incomplete. What is the BEST action?
65. A multinational corporation is implementing a global IT governance framework. Which of the following challenges is MOST likely to arise?
66. An IT manager is developing a governance policy for change management. Which element is MOST important to include?
67. An organization's IT governance committee is reviewing a proposal to use a public cloud provider that does not meet the organization's data encryption standards. The board has set a low risk appetite for data privacy. What is the BEST action?
68. Which TWO of the following are key components of an IT governance framework? (Choose two.)
69. An organization is implementing COBIT 2019. Which TWO of the following are governance enablers? (Choose two.)
70. Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)
71. Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?
72. An auditor finds that access reviews have not been completed for two quarters. What is the MOST significant risk?
73. Based on the exhibit, what is the default retention period for data?
74. An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?
75. During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?
76. An organization has a policy requiring all employees to complete annual information security awareness training. Which of the following is the BEST way to verify compliance with this policy?
77. A company outsources its data center operations to a third-party provider. Which of the following is the MOST important control to include in the outsourcing contract?
78. An IS auditor is reviewing the balanced scorecard for IT. Which of the following metrics BEST aligns with the 'customer perspective'?
79. An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?
80. A business continuity plan (BCP) includes a tabletop exercise once a year. An IS auditor finds that the exercise only involves IT staff. Which of the following is the BEST recommendation?
81. An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?
82. Which of the following is the PRIMARY purpose of an IT strategy committee?
83. Which TWO of the following are key components of an IT governance framework? (Choose two.)
84. Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)
85. Which TWO of the following are common objectives of an IT balanced scorecard? (Choose two.)
86. Based on the exhibit, what is the MOST likely security risk?
87. An organization uses the policy shown. Which of the following is an omission in the policy?
88. Based on the log, what is the MOST likely root cause of the backup failure?
89. A large financial institution is evaluating the effectiveness of its IT governance framework. The board has requested a review to ensure alignment with business objectives and regulatory requirements. Which of the following is the MOST important factor for the board to consider when assessing the IT governance framework?
90. An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?
91. A multinational corporation has defined its risk appetite as 'moderate' for IT investments. The IT steering committee is evaluating a new project with potential high returns but also significant cybersecurity risks. The project's risk profile is assessed as 'high' by the risk management team. What should the committee do FIRST?
92. A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?
93. An organization has a policy requiring annual information security awareness training for all employees. During a recent audit, it was found that 20% of employees had not completed the training. What is the BEST course of action for the IT governance committee?
94. An IT department uses a balanced scorecard (BSC) to measure performance. The financial perspective shows that IT costs are within budget, but customer satisfaction scores are declining. The learning and growth perspective indicates low employee engagement. Which action should the IT governance committee prioritize?
95. A company plans to outsource its data center operations to a cloud service provider. What is the MOST important governance consideration for the board before finalizing the contract?
96. A healthcare organization must comply with HIPAA regulations regarding patient data privacy. The IT department has implemented technical controls, but the compliance officer discovers that some employees are sharing passwords. What is the BEST governance response?
97. Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?
98. Which THREE of the following are components of the COBIT 2019 governance system?
99. Which TWO of the following are benefits of establishing an IT steering committee?
100. A multinational manufacturing company with operations in 20 countries has historically allowed each regional division to manage its own IT systems independently. Recently, the company experienced a significant data breach originating from a region with weaker security controls, leading to financial losses and reputational damage. The board has mandated stronger IT governance to prevent future incidents. The CIO proposes implementing a global IT governance framework with centralized policy enforcement. However, regional directors argue that local regulations and business needs require autonomy. The governance committee must decide on a course of action that balances risk and business flexibility. Which of the following approaches is the MOST appropriate?
101. A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads, who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?
102. A medium-sized e-commerce company recently suffered a ransomware attack that encrypted critical databases. The IT team restored systems from backups, but the incident exposed a lack of clear roles and responsibilities for incident response. The board has asked the IT governance committee to review and improve the incident response governance. The committee notes that while there is an incident response policy, it is not regularly tested, and staff are unsure of their roles. The company also lacks a formal communication protocol for notifying stakeholders. What should the committee prioritize to strengthen governance over incident response?
103. A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete: it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?
104. An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?
105. A medium-sized manufacturing company has a decentralized IT structure in which each business unit manages its own IT budget and projects. The CEO is concerned that IT investments are not aligned with corporate strategy and that there is duplication of effort. The IT department lacks a formal project portfolio management process. The company has experienced several project failures due to poor prioritization. The CEO has asked the newly hired IT auditor to recommend an initial step to improve IT governance. The auditor should recommend:
106. A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:
107. A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:
108. A government agency has an IT governance framework that includes an IT strategy committee, an IT steering committee, and a project management office. Despite this, there is a lack of transparency regarding IT spending and resource allocation. The agency's annual audit found that several IT initiatives were not approved by the steering committee and were funded out of operational budgets. The CFO is frustrated because IT costs are unpredictable. The agency's chief information officer (CIO) reports to the CFO, but the IT steering committee is chaired by the CIO. The auditor's best recommendation to improve governance is to:
109. Which TWO of the following are recommended practices for aligning IT strategy with business goals, according to COBIT 2019?
110. Based on the exhibit, which control deficiency is most critical for the IS auditor to address?
111. A medium-sized manufacturing company has recently deployed an ERP system to integrate its financial, supply chain, and HR processes. The IT department is small (5 staff) and reports to the CFO. The company has no formal IT governance committee; IT decisions are made by the CFO and CEO informally. During a recent audit, it was found that several critical security patches for the ERP system have not been applied, and there are no documented procedures for change management. The IT manager states that patches are applied when time permits, and changes are discussed via email. The CFO argues that the ERP is running fine and the audit findings are low risk. The IS auditor needs to recommend a course of action to improve IT governance. Which of the following is the MOST appropriate initial step?
The Governance and Management of IT domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.
The Courseiva CISA question bank contains 111 questions in the Governance and Management of IT domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Governance and Management of IT domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.