CGEIT Domain 4: Risk Optimization


Risk optimization is the fourth domain of ISACA's Certified in the Governance of Enterprise IT (CGEIT) exam and accounts for 24% of the exam's overall objectives. This domain ensures that a framework for IT risk management is in place to identify, evaluate, monitor, mitigate, and communicate IT-related business risk. In addition, risk optimization ensures that the IT risk management framework is aligned with the enterprise risk management (ERM) framework. The following sections elaborate on the essential concepts that candidates must understand to take the CGEIT exam and expect an elite score.

What Topics Are Covered in This Domain?

This domain covers seven task statements and 14 knowledge statements. A thorough understanding of each topic is indispensable for CGEIT candidates. Below are detailed descriptions of these concepts:

Task Statements:

  1. Ensure that comprehensive IT risk management processes are established to identify, analyze, mitigate, manage, monitor, and communicate IT risk.
  2. Ensure that legal and regulatory compliance requirements are addressed through IT risk management.
  3. Ensure that IT risk management is aligned with the enterprise risk management (ERM) framework.
  4. Ensure that there is appropriate senior-level management sponsorship for IT risk management.
  5. Ensure that IT risk management policies, procedures, and standards are developed and communicated.
  6. Ensure the identification of key risk indicators (KRIs).
  7. Ensure timely reporting and proper escalation of risk events and responses to appropriate levels of management.

Knowledge Statements:

  1. Knowledge of the application of risk management at the strategic, portfolio, program, project, and operations levels.
  2. Knowledge of risk management frameworks and standards (for example, RISK IT, the Committee of Sponsoring Organizations of the Treadway Commission Enterprise Risk Management—Integrated Framework (2004) [COSO ERM], International Organization for Standardization (ISO) 31000).
  3. Knowledge of the relationship of the risk management approach to legal and regulatory compliance.
  4. Knowledge of methods to align IT and (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Fakhar Imam. Read the original post at: