Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Governance and Management of IT

Practice CISA Governance and Management of IT questions with full explanations on every answer.

111 questions


All CISA Governance and Management of IT questions (111)


1

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?

2

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

3

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

4

A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?

5

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

6

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

7

A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?

8

Which of the following is the PRIMARY purpose of an IT governance framework?

9

An organization has implemented a new IT service management (ITSM) tool. The IT manager wants to measure the effectiveness of incident management. Which metric is MOST appropriate?

10

Which TWO of the following are key responsibilities of an IT steering committee?

11

Which THREE of the following are components of a typical IT governance framework?

12

Which TWO of the following are benefits of implementing an IT governance framework?

13

Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?

14

Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?

15

An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?

16

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

17

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of using a framework like COBIT?

18

An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?

19

Which TWO of the following are key components of an IT governance framework?

20

Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?

21

You are the IT governance lead at a multinational corporation with a complex IT environment spanning multiple business units. The company has recently experienced a series of minor security incidents where unauthorized access was gained through unused user accounts that were not disabled after employees left the organization. Additionally, there have been delays in provisioning access for new hires, leading to productivity losses. The IT department currently uses a manual process for access management, with each business unit maintaining its own user lists. The company has a policy that requires access reviews every quarter, but these are often missed or performed superficially. The CIO has asked you to recommend a solution that addresses these issues while ensuring compliance with regulations such as GDPR and SOX. Which of the following is the BEST course of action?

22

Which TWO of the following are key responsibilities of an IT steering committee?

23

Based on the exhibit, which control is most likely missing to prevent this type of event?

24

A mid-sized company is implementing a new IT service management (ITSM) tool to improve incident management. The IT manager wants to ensure that the tool aligns with ITIL best practices. The company has a dedicated service desk team that handles about 200 incidents per week. The IT manager is considering whether to implement a self-service portal for users to submit incidents and check status, or to continue using email-based incident reporting. The service desk team is concerned that a self-service portal might reduce their direct interaction with users and potentially lead to less personalized support. However, the IT manager believes that a portal could improve efficiency and tracking. The company's IT governance framework requires that any major IT investment be approved by the steering committee and that there be a clear business case. The IT manager has prepared a business case but the steering committee wants to ensure that the solution is aligned with ITIL and that it addresses key incident management processes. Which of the following is the most appropriate next step for the IT manager?

25

Arrange the steps to perform a risk assessment in the correct order.

26

Order the steps for performing a data backup in the correct sequence.

27

Match each COBIT 5 domain to its description.

28

Match each log type to its typical content.

29

A company is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

30

An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?

31

A multinational corporation is evaluating its IT governance structure. The board wants to ensure that IT investments are prioritized based on risk and value. Which framework component is MOST critical?

32

A small business lacks formal IT governance. What is the FIRST step to establish governance?

33

An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?

34

A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?

35

An organization wants to ensure that IT performance is measured against strategic goals. Which tool is BEST suited?

36

A company has multiple business units with conflicting IT priorities. Which governance body should resolve this?

37

An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?

38

An IT governance framework should include which TWO key components? (Select exactly two.)

39

An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)

40

A large enterprise is assessing its IT governance maturity. Which THREE of the following are indicators of a mature governance process? (Select exactly three.)

41

Refer to the exhibit. Based on the governance status report, which component should be addressed as a priority?

42

Refer to the exhibit. The organization is planning to achieve the target level. What is the MOST appropriate action?

43

Refer to the exhibit. Which perspective shows the greatest deviation from target?

44

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?

45

An organization has implemented a balanced scorecard (BSC) for IT performance measurement. Which of the following is the PRIMARY benefit of using a BSC?

46

During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?

47

An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?

48

An IT governance framework has been implemented, but the board is not receiving regular reports on IT performance. Which of the following is the BEST course of action?

49

An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?

50

An organization has decentralized IT management with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?

51

A company is implementing IT governance based on COBIT 2019. Which of the following design factors would have the GREATEST impact on the governance system design?

52

An organization's IT strategy is developed by the IT department without input from business stakeholders. Which of the following is the MOST significant risk?

53

Which TWO of the following are key components of an IT governance framework?

54

An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?

55

Which THREE of the following are indicators of mature IT governance?

56

Based on the exhibit, what is the MOST appropriate action for IT management?

57

Which of the following is a potential risk in this RACI matrix?

58

What is the MOST significant weakness in the planned remediation?

59

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

60

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. What is the committee's MOST important role?

61

An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?

62

According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?

63

An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?

64

An organization's IT governance framework includes a policy that all system access must be reviewed quarterly. The internal audit finds that reviews are incomplete. What is the BEST action?

65

A multinational corporation is implementing a global IT governance framework. Which of the following challenges is MOST likely to arise?

66

An IT manager is developing a governance policy for change management. Which element is MOST important to include?

67

An organization's IT governance committee is reviewing a proposal to use a public cloud provider that does not meet the organization's data encryption standards. The board has set a low risk appetite for data privacy. What is the BEST action?

68

Which TWO of the following are key components of an IT governance framework? (Choose two.)

69

An organization is implementing COBIT 2019. Which TWO of the following are governance enablers? (Choose two.)

70

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

71

Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?

72

An auditor finds that access reviews have not been completed for two quarters. What is the MOST significant risk?

73

Based on the exhibit, what is the default retention period for data?

74

An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?

75

During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?

76

An organization has a policy requiring all employees to complete annual information security awareness training. Which of the following is the BEST way to verify compliance with this policy?

77

A company outsources its data center operations to a third-party provider. Which of the following is the MOST important control to include in the outsourcing contract?

78

An IS auditor is reviewing the balanced scorecard for IT. Which of the following metrics BEST aligns with the 'customer perspective'?

79

An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?

80

A business continuity plan (BCP) includes a tabletop exercise once a year. An IS auditor finds that the exercise only involves IT staff. Which of the following is the BEST recommendation?

81

An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?

82

Which of the following is the PRIMARY purpose of an IT strategy committee?

83

Which TWO of the following are key components of an IT governance framework? (Choose two.)

84

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

85

Which TWO of the following are common objectives of an IT balanced scorecard? (Choose two.)

86

Based on the exhibit, what is the MOST likely security risk?

87

An organization uses the policy shown. Which of the following is an omission in the policy?

88

Based on the log, what is the MOST likely root cause of the backup failure?

89

A large financial institution is evaluating the effectiveness of its IT governance framework. The board has requested a review to ensure alignment with business objectives and regulatory requirements. Which of the following is the MOST important factor for the board to consider when assessing the IT governance framework?

90

An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?

91

A multinational corporation has defined its risk appetite as 'moderate' for IT investments. The IT steering committee is evaluating a new project with potential high returns but also significant cybersecurity risks. The project's risk profile is assessed as 'high' by the risk management team. What should the committee do FIRST?

92

A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?

93

An organization has a policy requiring annual information security awareness training for all employees. During a recent audit, it was found that 20% of employees had not completed the training. What is the BEST course of action for the IT governance committee?

94

An IT department uses a balanced scorecard (BSC) to measure performance. The financial perspective shows that IT costs are within budget, but customer satisfaction scores are declining. The learning and growth perspective indicates low employee engagement. Which action should the IT governance committee prioritize?

95

A company plans to outsource its data center operations to a cloud service provider. What is the MOST important governance consideration for the board before finalizing the contract?

96

A healthcare organization must comply with HIPAA regulations regarding patient data privacy. The IT department has implemented technical controls, but the compliance officer discovers that some employees are sharing passwords. What is the BEST governance response?

97

Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?

98

Which THREE of the following are components of the COBIT 2019 governance system?

99

Which TWO of the following are benefits of establishing an IT steering committee?

100

A multinational manufacturing company with operations in 20 countries has historically allowed each regional division to manage its own IT systems independently. Recently, the company experienced a significant data breach originating from a region with weaker security controls, leading to financial losses and reputational damage. The board has mandated stronger IT governance to prevent future incidents. The CIO proposes implementing a global IT governance framework with centralized policy enforcement. However, regional directors argue that local regulations and business needs require autonomy. The governance committee must decide on a course of action that balances risk and business flexibility. Which of the following approaches is the MOST appropriate?

101

A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?

102

A medium-sized e-commerce company recently suffered a ransomware attack that encrypted critical databases. The IT team restored systems from backups, but the incident exposed a lack of clear roles and responsibilities for incident response. The board has asked the IT governance committee to review and improve the incident response governance. The committee notes that while there is an incident response policy, it is not regularly tested, and staff are unsure of their roles. The company also lacks a formal communication protocol for notifying stakeholders. What should the committee prioritize to strengthen governance over incident response?

103

A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete – it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?

104

An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?

105

A medium-sized manufacturing company has a decentralized IT structure where each business unit manages its own IT budget and projects. The CEO is concerned that IT investments are not aligned with corporate strategy and that there is duplication of effort. The IT department lacks a formal project portfolio management process. The company has experienced several project failures due to poor prioritization. The CEO has asked the newly hired IT auditor to recommend an initial step to improve IT governance. The auditor should recommend:

106

A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:

107

A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:

108

A government agency has an IT governance framework that includes an IT strategy committee, an IT steering committee, and a project management office. Despite this, there is a lack of transparency regarding IT spending and resource allocation. The agency's annual audit found that several IT initiatives were not approved by the steering committee and were funded out of operational budgets. The CFO is frustrated because IT costs are unpredictable. The agency's chief information officer (CIO) reports to the CFO but the IT steering committee is chaired by the CIO. The auditor's best recommendation to improve governance is to:

109

Which TWO of the following are recommended practices for aligning IT strategy with business goals, according to COBIT 2019?

110

Based on the exhibit, which control deficiency is most critical for the IS auditor to address?

111

A medium-sized manufacturing company has recently deployed an ERP system to integrate its financial, supply chain, and HR processes. The IT department is small (5 staff) and reports to the CFO. The company has no formal IT governance committee; IT decisions are made by the CFO and CEO informally. During a recent audit, it was found that several critical security patches for the ERP system have not been applied, and there are no documented procedures for change management. The IT manager states that patches are applied when time permits, and changes are discussed via email. The CFO argues that the ERP is running fine and the audit findings are low risk. The IS auditor needs to recommend a course of action to improve IT governance. Which of the following is the MOST appropriate initial step?


Other CISA exam domains

Information Systems Acquisition, Development and Implementation
Information Systems Operations and Business Resilience
Protection of Information Assets
Information System Auditing Process

Frequently asked questions

What does the Governance and Management of IT domain cover on the CISA exam?

The Governance and Management of IT domain covers the key concepts tested in this area of the CISA exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CISA domains — no account required.

How many Governance and Management of IT questions are in the CISA question bank?

The Courseiva CISA question bank contains 111 questions in the Governance and Management of IT domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Governance and Management of IT for CISA?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Governance and Management of IT questions for CISA?

Yes — the session launcher on this page draws questions exclusively from the Governance and Management of IT domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
