ISACA · CGEIT
Validates expertise in governance of enterprise IT across four domains: organizational structure and IT frameworks, resource allocation, benefits realization, and risk optimization.
Questions
598
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CGEIT practice exam to prepare for Certified in the Governance of Enterprise IT (CGEIT) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 598 questions for ISACA CGEIT, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Governance of Enterprise IT (40%), IT Resources (15%), Benefits Realization (26%), and Risk Optimization (19%). Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified in the Governance of Enterprise IT (CGEIT) is a professional-level credential offered by ISACA that validates deep expertise in enterprise IT governance frameworks and practices. It is widely regarded as the premier—and only—framework-agnostic IT governance certification for individuals, designed to demonstrate mastery across four critical domains: Governance of Enterprise IT, IT Resources, Benefits Realization, and Risk Optimization. Since its introduction in 2007, more than 8,000 professionals worldwide have earned the CGEIT, signaling their ability to align IT strategy with organizational objectives and maximize the value of IT investments.
The certification covers a broad spectrum of governance competencies, including the design and oversight of governance frameworks, enterprise and information architecture, IT resource planning and lifecycle management, IT-enabled investment analysis, business case development, and enterprise risk management. Holders are recognized for their ability to bridge technology and business strategy—ensuring that IT functions deliver measurable business value while maintaining compliance and minimizing risk. The CGEIT is periodically updated through validation studies with global subject matter experts, and its current four-domain structure reflects the consolidation of prior content into a more streamlined, practice-relevant outline.
CGEIT is intended for seasoned IT and business professionals who operate in governance, oversight, or advisory capacities—typically those with at least five years of relevant experience. Ideal candidates include Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), IT Directors, Audit Directors, IT Governance Managers, Risk and Compliance Managers, and Senior IT Managers who are responsible for shaping or executing enterprise IT governance strategies.
The certification is also well-suited for IT consultants, information security specialists, IT assurance professionals, and organizational strategic managers who advise boards or executive leadership on governance matters. It is most valuable for professionals seeking to move into or formalize their standing in C-suite and senior leadership roles where alignment of IT with business goals is a primary responsibility.
ISACA does not require any formal prerequisites to register for and sit the CGEIT exam. However, to apply for and receive the CGEIT certification after passing the exam, candidates must demonstrate a minimum of five years of work experience in managing, advising, or providing oversight in support of enterprise IT governance. This experience must span at least three of the four CGEIT domains, and a mandatory minimum of one year must be directly related to Domain 1: Governance of Enterprise IT. All qualifying work experience must fall within the ten years preceding the application date.
While no specific prior certifications are required, ISACA recommends that candidates have a solid foundation in IT strategy, risk management, and organizational governance before attempting the exam. Familiarity with established frameworks such as COBIT, ITIL, ISO/IEC 38500, or similar enterprise governance frameworks will provide important context for the exam content. Candidates have five years from their exam pass date to submit their experience application.
The CGEIT exam consists of 150 multiple-choice questions, all of which are scored, covering practical knowledge across the four job practice domains. The exam is delivered as a computer-based test and may be taken either at an authorized PSI testing center worldwide or via a remotely proctored online session, offering flexibility for candidates globally. The total exam duration is 240 minutes (four hours).
Scoring uses a scaled score system with a maximum of 800 points. The passing score is 450 out of 800. Exam registration is continuous—candidates can register at any time and schedule a testing appointment as early as 48 hours after payment. Exam fees are US$575 for ISACA members and US$760 for non-members, with a one-time US$50 application processing fee due upon certification application.
CGEIT holders consistently earn among the highest salaries in the IT profession. ISACA reports an average annual salary of US$141,000 for CGEIT-certified professionals, with 70% reporting on-the-job improvements and 22% receiving a pay increase after earning the credential. Specific roles command notable compensation: CIOs average around US$161,000, IT Directors approximately US$120,000, and CISOs around US$122,500. Certified professionals typically earn 25% more than their non-certified peers in comparable roles.
The CGEIT is widely considered a capstone credential in the IT governance space—one that unlocks access to executive, advisory, and board-level roles that require demonstrated governance expertise. It is recognized globally, with strong demand in the United States, Singapore, and other major technology markets. Unlike many technical certifications, CGEIT signals strategic leadership capability, making it a differentiator for professionals competing for CIO, CTO, IT Director, and governance consulting positions. There is no comparable framework-agnostic IT governance certification at this level, positioning CGEIT as the definitive credential for professionals whose primary responsibility is aligning enterprise IT with organizational strategy.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 598 questions.
Preview — answers shown1. A transportation company evaluates two sourcing options for its fleet management system: developing internally with existing IT staff versus contracting with a specialized fleet management software vendor. The capability is not a strategic differentiator, the company lacks internal expertise, and demand is stable. Which sourcing decision should the CIO recommend? (Select one!)
Explanation
Outsourcing to a specialized vendor is the optimal decision because fleet management is not a strategic differentiator (commodity service), the company lacks internal expertise (specialized skills needed externally), and stable demand makes outsourcing cost-effective. These factors strongly favor outsourcing. Insourcing is inappropriate when internal expertise is absent and the capability is not strategic. A hybrid model adds unnecessary complexity for a non-strategic commodity service. Delaying to build expertise internally is inefficient and costly when specialized vendors already exist.
2. An enterprise implements Val IT framework across three domains: Value Governance, Portfolio Management, and Investment Management. The CFO reviews the following scenarios: Scenario A involves VG4 (Align value management with financial planning) to integrate IT budgeting with enterprise financial cycles. Scenario B involves PM4 (Evaluate and select programs to fund) using business case scores and strategic alignment. Scenario C involves IM7 (Update operational IT services) for continuous improvement of production systems. Which statement correctly identifies the governance versus management classification? (Select one!)
Explanation
Value Governance (VG) domain activities including VG4 are governance functions that establish direction and integrate with enterprise-level financial planning at the strategic level, making Scenario A a governance activity. Portfolio Management (PM) domain activities including PM4 are also governance-level functions that evaluate and make go/no-go decisions on funding across the portfolio, making Scenario B a governance activity. Investment Management (IM) domain activities including IM7 focus on managing individual investments and operational services, which are management activities that execute governance direction, making Scenario C a management activity. Val IT clearly distinguishes between governance domains (VG, PM) that set direction and evaluate portfolios versus management domain (IM) that executes individual investment management. Not all Val IT activities are governance just because they involve financial oversight. The distinction is based on whether activities set strategic direction and evaluate portfolio-level decisions (governance) or execute and manage individual investments (management).
3. A financial institution board has established an IT Strategy Committee as a board-level subcommittee separate from the IT Steering Committee. The board chair needs to define the scope and responsibilities of the IT Strategy Committee to avoid overlap with the IT Steering Committee and maintain proper governance versus management separation. Which responsibility would be MOST appropriate for the IT Strategy Committee? (Select one!)
Explanation
The IT Strategy Committee operates at the board/governance level focusing on strategic IT direction, governance framework oversight, and advising the board on IT matters. This maintains proper separation between governance (Evaluate, Direct, Monitor) and management (Plan, Build, Run, Monitor). The IT Strategy Committee ensures business-IT strategic alignment and provides specialized IT expertise to the board for governance decisions. This is a frequently tested CGEIT concept distinguishing board-level governance from executive-level management. Individual project approvals and resource allocation are management activities performed by the IT Steering Committee at the executive level. The IT Strategy Committee provides strategic direction and oversight, not operational project decisions. Operational IT performance metrics and SLA monitoring are management activities. The board-level IT Strategy Committee should receive summarized governance metrics and strategic performance indicators, not operational details. Prioritizing initiatives and resolving resource conflicts are operational management decisions for the IT Steering Committee. The IT Strategy Committee provides strategic direction to guide these decisions but does not make them directly.
4. A multinational manufacturing company implements COBIT APO14 (Managed Data) to establish data governance following new privacy regulations. The data governance program must assign accountability for data quality, privacy, and usage. Which role is PRIMARY for data governance accountability at the operational level? (Select one!)
Explanation
Data governance establishes clear accountability through role definitions. Data owners are business executives or managers accountable for data assets within their domain, including data quality, appropriate use, access authorization, classification, and regulatory compliance. Data owners make business decisions about data and are accountable for outcomes. Database administrators and data custodians are technical roles responsible for implementing controls, managing systems, and executing technical processes as directed by data owners but are not accountable for data governance decisions. Data users consume data under policies established by data owners. This accountability structure ensures business leaders, not technical staff, make governance decisions about data that has business impact. Confusion between data ownership (accountability for governance) and data custodianship (responsibility for technical implementation) undermines governance by placing business decisions with technical staff lacking business context or misplacing accountability for compliance with those who execute rather than direct. APO14 emphasizes this distinction as fundamental to effective data governance aligning with principle that management accountability cannot be delegated to technical implementers.
5. A telecommunications company implements COBIT 2019 and must differentiate between two newly separated objectives introduced in the BAI domain. The organization has a portfolio of strategic initiatives spanning multiple years and individual projects with specific deliverables and timelines. The governance office struggles to assign responsibilities correctly between these two objectives. What is the PRIMARY distinction between BAI01 (Managed Programs) and BAI11 (Managed Projects)? (Select one!)
Explanation
BAI01 (Managed Programs) manages the strategic portfolio of programs, which are collections of related projects aimed at achieving business outcomes and benefits realization, while BAI11 (Managed Projects) manages the tactical execution of individual projects within those programs, including project startup, planning, execution, and closure. This separation was introduced in COBIT 2019 to distinguish between portfolio-level program management and individual project management activities. The distinction is not based on time duration, as both can be long or short term. Both are management objectives, not governance objectives. The distinction is not based on business versus IT leadership but rather on strategic portfolio management versus tactical project execution.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam