ISACA · CGEIT
Validates expertise in governance of enterprise IT across four domains: organizational structure and IT frameworks, resource allocation, benefits realization, and risk optimization.
Questions
598
Duration
240 minutes
Passing Score
450/800
Difficulty
ProfessionalLast Updated
Jan 2026
Use this CGEIT practice exam to prepare for Certified in the Governance of Enterprise IT (CGEIT) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 598 questions for ISACA CGEIT, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Governance of Enterprise IT (40%), IT Resources (15%), Benefits Realization (26%), and Risk Optimization (19%). Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Certified in the Governance of Enterprise IT (CGEIT) is a professional-level credential offered by ISACA that validates deep expertise in enterprise IT governance frameworks and practices. It is widely regarded as the premier—and only—framework-agnostic IT governance certification for individuals, designed to demonstrate mastery across four critical domains: Governance of Enterprise IT, IT Resources, Benefits Realization, and Risk Optimization. Since its introduction in 2007, more than 8,000 professionals worldwide have earned the CGEIT, signaling their ability to align IT strategy with organizational objectives and maximize the value of IT investments.
The certification covers a broad spectrum of governance competencies, including the design and oversight of governance frameworks, enterprise and information architecture, IT resource planning and lifecycle management, IT-enabled investment analysis, business case development, and enterprise risk management. Holders are recognized for their ability to bridge technology and business strategy—ensuring that IT functions deliver measurable business value while maintaining compliance and minimizing risk. The CGEIT is periodically updated through validation studies with global subject matter experts, and its current four-domain structure reflects the consolidation of prior content into a more streamlined, practice-relevant outline.
CGEIT is intended for seasoned IT and business professionals who operate in governance, oversight, or advisory capacities—typically those with at least five years of relevant experience. Ideal candidates include Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), Chief Technology Officers (CTOs), IT Directors, Audit Directors, IT Governance Managers, Risk and Compliance Managers, and Senior IT Managers who are responsible for shaping or executing enterprise IT governance strategies.
The certification is also well-suited for IT consultants, information security specialists, IT assurance professionals, and organizational strategic managers who advise boards or executive leadership on governance matters. It is most valuable for professionals seeking to move into or formalize their standing in C-suite and senior leadership roles where alignment of IT with business goals is a primary responsibility.
ISACA does not require any formal prerequisites to register for and sit the CGEIT exam. However, to apply for and receive the CGEIT certification after passing the exam, candidates must demonstrate a minimum of five years of work experience in managing, advising, or providing oversight in support of enterprise IT governance. This experience must span at least three of the four CGEIT domains, and a mandatory minimum of one year must be directly related to Domain 1: Governance of Enterprise IT. All qualifying work experience must fall within the ten years preceding the application date.
While no specific prior certifications are required, ISACA recommends that candidates have a solid foundation in IT strategy, risk management, and organizational governance before attempting the exam. Familiarity with established frameworks such as COBIT, ITIL, ISO/IEC 38500, or similar enterprise governance frameworks will provide important context for the exam content. Candidates have five years from their exam pass date to submit their experience application.
The CGEIT exam consists of 150 multiple-choice questions, all of which are scored, covering practical knowledge across the four job practice domains. The exam is delivered as a computer-based test and may be taken either at an authorized PSI testing center worldwide or via a remotely proctored online session, offering flexibility for candidates globally. The total exam duration is 240 minutes (four hours).
Scoring uses a scaled score system with a maximum of 800 points. The passing score is 450 out of 800. Exam registration is continuous—candidates can register at any time and schedule a testing appointment as early as 48 hours after payment. Exam fees are US$575 for ISACA members and US$760 for non-members, with a one-time US$50 application processing fee due upon certification application.
CGEIT holders consistently earn among the highest salaries in the IT profession. ISACA reports an average annual salary of US$141,000 for CGEIT-certified professionals, with 70% reporting on-the-job improvements and 22% receiving a pay increase after earning the credential. Specific roles command notable compensation: CIOs average around US$161,000, IT Directors approximately US$120,000, and CISOs around US$122,500. Certified professionals typically earn 25% more than their non-certified peers in comparable roles.
The CGEIT is widely considered a capstone credential in the IT governance space—one that unlocks access to executive, advisory, and board-level roles that require demonstrated governance expertise. It is recognized globally, with strong demand in the United States, Singapore, and other major technology markets. Unlike many technical certifications, CGEIT signals strategic leadership capability, making it a differentiator for professionals competing for CIO, CTO, IT Director, and governance consulting positions. There is no comparable framework-agnostic IT governance certification at this level, positioning CGEIT as the definitive credential for professionals whose primary responsibility is aligning enterprise IT with organizational strategy.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 598 questions.
Preview — answers shown1. A healthcare organization implements COBIT BAI04 Managed Availability and Capacity for its electronic health record system. Current capacity planning uses historical utilization trends to forecast future requirements. The organization announces a merger that will double patient volume within six months. The infrastructure team requests budget approval for capacity expansion using historical growth projections. What is the PRIMARY issue with this capacity planning approach? (Select one!)
Explanation
BAI04 requires capacity planning to be proactive and aligned with current and future business requirements including strategic initiatives, business changes, and growth plans. Relying solely on historical trends when significant business changes (merger doubling patient volume) are known represents a fundamental capacity planning failure. Effective capacity planning must integrate business strategy, planned changes, and growth initiatives with technical capacity models. Historical trends are useful for baseline understanding but inadequate when major business changes alter demand patterns. Real-time monitoring provides operational data but does not address strategic planning failures. Budget approval processes are administrative and not the primary issue. Timeline concerns are secondary to the fundamental problem of using inappropriate forecasting methodology that ignores known strategic business changes.
2. A financial institution is implementing COBIT APO02 Managed Strategy. The current IT strategy document was created three years ago and executive management has announced a major shift toward digital banking services. Which activity should be performed FIRST according to APO02 management practices? (Select one!)
Explanation
APO02 management practices follow a logical sequence starting with understanding enterprise context and direction before developing strategy. Since executive management has announced a major strategic shift, the first step is to understand the new enterprise context, business objectives, and strategic direction for digital banking. Only after understanding the business context can an aligned IT strategy be developed. Defining the strategic plan cannot occur before understanding requirements. Communication comes after strategy development. Capability assessment is part of strategy development but cannot begin without understanding what capabilities are needed to support the new business direction.
3. An aerospace engineering firm evaluates IT resource capacity planning using COBIT BAI04 Managed Availability and Capacity. Current infrastructure operates at 85 percent utilization during peak periods, with performance degradation reported by users. Management must decide between scaling existing infrastructure or migrating to cloud services. Which factors should MOST influence this sourcing decision? (Select two!)
Multiple correct answersExplanation
Demand predictability determines whether fixed on-premises capacity or elastic cloud scaling better serves needs, while TCO comparison including operational, hidden, and end-of-life costs provides financial analysis for informed decisions. Staff technology preferences may inform training needs but should not drive strategic sourcing decisions. Vendor marketing materials lack objective analysis needed for governance decisions. Appearing innovative to analysts is not a valid governance-based sourcing criterion and can lead to poor investment decisions.
4. A retail company develops a Benefits Dependency Network for an omnichannel customer experience platform. The BDN identifies: Investment Objective is increase customer lifetime value by 25 percent, Benefits include improved customer satisfaction and increased repeat purchases, Business Changes require integrated customer data across channels and new cross-channel fulfillment processes. What should be identified as Enabling Changes? (Select two!)
Multiple correct answersExplanation
Enabling Changes are prerequisite changes that allow Business Changes to occur. Data governance policies must be established before customer data can be integrated across channels. Staff training enables employees to execute new cross-channel fulfillment processes. Customer satisfaction improvement targets and lifetime value methodology are measurement approaches rather than enabling changes. Revenue increase from repeat purchases is a benefit outcome, not an enabling change. The BDN structure flows: IT Enablers lead to Enabling Changes, which enable Business Changes, which deliver Benefits, which achieve Investment Objectives.
5. A global telecommunications company implements ISO/IEC 38500 as its IT governance framework. The board of directors must apply the three governance tasks (Evaluate, Direct, Monitor) across all six principles (Responsibility, Strategy, Acquisition, Performance, Conformance, Human Behavior). The board questions how to operationalize the Evaluate task specifically for the Performance principle. Which activity BEST represents the board's Evaluate responsibility for IT Performance? (Select one!)
Explanation
Under ISO 38500, the Evaluate task requires the board to judge whether IT systems and practices are performing appropriately to meet organizational needs. For the Performance principle, this means reviewing management-prepared evidence of IT system reliability, efficiency, and fitness for purpose, such as SLA metrics and performance dashboards, to assess whether performance objectives are being met. Directing implementation of specific tools represents the Direct task, not Evaluate. Daily monitoring of systems is an operational management activity, not board-level governance. Personal troubleshooting by board members violates governance-management separation. The board evaluates whether performance is adequate based on evidence; management implements, operates, and monitors on a day-to-day basis.
Certified Information Security Manager (CISM)
CISM · 1196 questions
Certified Information Systems Auditor (CISA)
CISA · 895 questions
Certified in Risk and Information Systems Control (CRISC)
CRISC · 761 questions
Certified Data Privacy Solutions Engineer (CDPSE)
CDPSE · 749 questions
IoT Fundamentals Certificate
IoT-Fund · 630 questions
IT Audit Fundamentals Certificate
IT-Audit-Fund · 627 questions
$17.99
One-time access to this exam