Module 2 — IT Governance & Management of IT
Comprehensive Study Guide with 100+ Interactive MCQs · Based on ISACA CISA Review Manual 2025
📑 Table of Contents
IT Governance Frameworks & Structures
What is IT Governance?
IT Governance is the system by which the current and future use of IT is directed and controlled. It involves evaluating and directing the use of IT to support the organization and monitoring this use to achieve plans.
🎯 CISA Key Point: IT governance ensures IT investments support business objectives, with accountability at the board and executive level — NOT just the IT department.
COBIT 2019 Framework
COBIT (Control Objectives for Information and Related Technologies) is the primary IT governance framework referenced in CISA. COBIT 2019 replaced COBIT 5.
| Component | Description |
|---|---|
| Governance Domain (EDM) | Evaluate, Direct, Monitor — Board-level decisions on goals & risk appetite |
| Management Domain (APO) | Align, Plan, Organise — Translates strategy into action plans |
| Management Domain (BAI) | Build, Acquire, Implement — IT project delivery |
| Management Domain (DSS) | Deliver, Service, Support — Day-to-day IT operations |
| Management Domain (MEA) | Monitor, Evaluate, Assess — Performance & compliance monitoring |
COBIT 2019 Design Factors: Enterprise strategy, enterprise goals, risk profile, I&T-related issues, threat landscape, compliance requirements, IT adoption, enterprise size.
Focus Areas: IT governance, DevOps, cybersecurity, cloud, data, digital transformation, agile.
ITIL (IT Infrastructure Library)
ITIL 4 is a framework for IT service management (ITSM). While COBIT focuses on governance, ITIL focuses on service delivery.
- Service Value System (SVS): Guiding principles, governance, service value chain, practices, continual improvement
- Four Dimensions: Organizations & people, Information & technology, Partners & suppliers, Value streams & processes
- 34 Practices replace the previous 26 processes
ISO/IEC 38500 — IT Governance Standard
International standard for corporate governance of IT. Six principles:
- Responsibility — individuals/groups understand responsibilities
- Strategy — IT strategy supports organizational strategy
- Acquisition — IT acquisitions made for valid reasons
- Performance — IT fit for purpose and performance monitored
- Conformance — IT complies with laws and regulations
- Human Behaviour — IT policies respect human behaviour
Governance vs. Management
| Governance | Management |
|---|---|
| Board/executive responsibility | Management responsibility |
| Evaluate, direct, monitor | Plan, build, run, monitor |
| Sets direction & accountability | Executes within set direction |
| Strategic | Operational/tactical |
IT Strategic Planning & Alignment
Strategic Alignment
IT strategic alignment ensures IT investments and initiatives support the overall business strategy. The IS auditor evaluates whether IT plans align with business goals.
🎯 Key Audit Focus: Does the IT strategic plan derive from the business strategic plan? Is there a formal process for updating IT strategy when business strategy changes?
IT Strategic Planning Process
- Understand the business strategy and objectives
- Assess current IT capabilities (SWOT, gap analysis)
- Define IT vision and target state
- Develop IT initiatives and roadmap
- Establish performance metrics (KPIs, KGIs)
- Obtain senior management/board approval
- Monitor and review alignment regularly
Business Case for IT Investments
A business case justifies IT investments. Key components the auditor reviews:
- Problem/opportunity definition
- Options analysis (including "do nothing")
- Cost-benefit analysis (ROI, NPV, IRR, payback period)
- Risk assessment
- Benefits realization plan
- Assumptions and constraints
IT Investment Portfolio Management
Organizations manage IT as a portfolio of investments, categorized as:
| Category | Purpose |
|---|---|
| Run | Keep existing IT systems running (operational) |
| Grow | Expand and improve existing capabilities |
| Transform | Innovation and competitive differentiation |
Balanced Scorecard (BSC)
The Balanced Scorecard translates strategy into performance measures across four perspectives:
- Financial: ROI, cost reduction
- Customer: Satisfaction, service quality
- Internal Process: Process efficiency, cycle time
- Learning & Growth: Staff skills, innovation
IT-specific BSC (Val IT) applies these perspectives to IT value delivery.
Val IT Framework
Val IT (ISACA) focuses on IT value delivery — ensuring IT investments create business value. Three domains:
- Value Governance (VG): Governance over IT value
- Portfolio Management (PM): Portfolio of IT-enabled investments
- Investment Management (IM): Individual investment business cases
IT Policies, Standards & Procedures
Policy Hierarchy
| Level | Description | Authority |
|---|---|---|
| Policy | High-level mandatory statements of intent | Board / Senior Management |
| Standard | Specific mandatory requirements supporting policies | Management |
| Procedure | Step-by-step instructions for implementing standards | IT / Operations |
| Guideline | Recommended (non-mandatory) best practices | IT / Operations |
| Baseline | Minimum security configuration requirements | Security/IT teams |
Essential IT Policies (Exam Favorites)
- Acceptable Use Policy (AUP): Governs how IT assets may be used
- Information Security Policy: Foundation for all security controls
- Access Control Policy: Who can access what resources
- Change Management Policy: How changes to IT systems are authorized
- Data Classification Policy: How data is classified and handled
- BYOD Policy: Personal devices in corporate environments
- Remote Work Policy: Secure remote access guidelines
- Incident Response Policy: Response to security incidents
Policy Lifecycle
- Identify need / trigger (regulatory, risk, incident)
- Draft policy with input from stakeholders
- Review by legal, compliance, HR, IT
- Approval by appropriate authority level
- Communication and training to staff
- Enforcement and monitoring
- Periodic review and update (typically annual)
⚠️ Audit Note: Policies must be formally approved, communicated to all staff, and regularly reviewed. An outdated policy or one that staff are unaware of is a control weakness.
IT Organizational Structures & HR Management
IT Organizational Models
| Model | Characteristics | Pros/Cons |
|---|---|---|
| Centralized | Single IT department serves entire organization | Cost-efficient; may be slow to respond locally |
| Decentralized | Each business unit has own IT | Responsive; duplication of effort, inconsistency |
| Federated | Central IT sets standards; BU IT handles local needs | Balance of control & flexibility |
Key IT Roles & Responsibilities
- CIO (Chief Information Officer): Responsible for IT strategy and alignment with business
- CISO (Chief Information Security Officer): Information security strategy and oversight
- CTO (Chief Technology Officer): Technology direction and R&D
- CDO (Chief Data Officer): Data governance and analytics
- IT Steering Committee: Oversight body of IT investments and priorities — typically includes business and IT leadership
Segregation of Duties (SoD)
Critical control: no single person should have end-to-end control of a process. Key IT SoD examples:
- Programmers should NOT have access to production systems
- Systems analysts should NOT perform programming
- Computer operators should NOT perform security administration
- Users should NOT perform computer operations
- IS auditors should NOT have operational IT responsibilities
🎯 CISA Hot Topic: Compensating controls (management review, logs, reconciliation) are required when SoD is not feasible, especially in small organizations.
IT Human Resource Management
- Job descriptions: Clear roles and responsibilities
- Skills assessment: Gap analysis for training needs
- Background checks: Pre-employment screening
- Security awareness training: Mandatory for all staff
- Succession planning: Key person dependencies
- Mandatory vacations / job rotation: Fraud detection controls
- Termination procedures: Immediate revocation of access
IT Risk Management
Risk Management Concepts
| Term | Definition |
|---|---|
| Threat | Potential cause of an unwanted incident |
| Vulnerability | Weakness that can be exploited by a threat |
| Risk | Likelihood × Impact of a threat exploiting a vulnerability |
| Control/Safeguard | Measure that reduces risk |
| Residual Risk | Risk remaining after controls are applied |
| Inherent Risk | Risk before any controls are applied |
| Risk Appetite | Amount of risk an org is willing to accept |
| Risk Tolerance | Acceptable variation around risk appetite |
Risk Management Frameworks
- NIST RMF (SP 800-37): Categorize → Select → Implement → Assess → Authorize → Monitor
- ISO 31000: Principles, Framework, Process for risk management
- COBIT Risk IT: Risk governance, appetite, culture, response
- COSO ERM: Enterprise Risk Management integrated framework
- FAIR: Factor Analysis of Information Risk (quantitative)
Risk Response Strategies (The 4 Ts)
| Response | Description | When Used |
|---|---|---|
| Terminate (Avoid) | Stop the activity causing the risk | Risk too high, cannot control |
| Treat (Mitigate) | Implement controls to reduce likelihood/impact | Most common response |
| Transfer | Insurance, outsourcing, contracts | Risk too costly to mitigate internally |
| Tolerate (Accept) | Accept residual risk within appetite | Cost of control > potential loss |
Risk Assessment Methods
- Qualitative: High/Medium/Low ratings; uses expert judgment; faster but subjective
- Quantitative: Numerical values (ALE = ARO × SLE); more objective but data-intensive
- Semi-quantitative: Assigns numeric scales to qualitative ratings
Key quantitative formulas:
- SLE (Single Loss Expectancy) = Asset Value × Exposure Factor
- ALE (Annual Loss Expectancy) = SLE × ARO (Annual Rate of Occurrence)
- Cost-benefit of control: ALE before − ALE after − Annual Control Cost
Risk Register
A risk register documents identified risks and tracks them. Key fields: Risk description, Category, Owner, Likelihood, Impact, Risk rating, Controls, Residual risk, Action plan, Review date.
IT Performance Management & Metrics
Performance Measurement Hierarchy
| Metric Type | Description |
|---|---|
| KGI (Key Goal Indicators) | Measure outcomes — did we achieve our goal? (lagging indicators) |
| KPI (Key Performance Indicators) | Measure performance of processes (leading indicators) |
| KRI (Key Risk Indicators) | Early warning signals that risk may exceed appetite |
| CSF (Critical Success Factors) | Things that must go right for objectives to be achieved |
Service Level Agreements (SLAs)
SLAs define agreed service levels between IT and the business. Key elements:
- Service description and scope
- Service hours and availability targets (e.g., 99.9%)
- Performance targets (response time, throughput)
- Incident response and resolution times
- Reporting requirements
- Penalties for non-compliance
- Escalation procedures
🎯 Audit Note: OLA (Operational Level Agreement) is between IT teams internally. UC (Underpinning Contract) is with external suppliers. Both support the SLA.
IT Benchmarking
Comparing IT performance against industry peers or best practices. Types:
- Internal: Compare against own historical performance
- Competitive: Compare against direct competitors
- Functional: Compare specific functions across industries
- Best-in-class: Compare against industry leaders
IT Scorecard / Dashboard
Provides management visibility into IT performance. Effective dashboards include traffic light (RAG) status, trend data, exception reporting, and alignment to business outcomes.
IT Compliance & Regulatory Requirements
Key Regulations & Standards
| Standard/Regulation | Scope |
|---|---|
| SOX (Sarbanes-Oxley) | US public companies; financial reporting controls (Section 302, 404) |
| GDPR | EU data privacy regulation; personal data protection |
| HIPAA | US healthcare; protected health information (PHI) |
| PCI-DSS | Payment card industry; credit card data security |
| ISO 27001 | Information security management system (ISMS) |
| NIST Cybersecurity Framework | Identify, Protect, Detect, Respond, Recover |
| BASEL III | Banking; operational risk and capital requirements |
Compliance Program Components
- Regulatory inventory and applicability assessment
- Compliance policies and procedures
- Controls mapping to regulatory requirements
- Compliance monitoring and testing
- Training and awareness programs
- Reporting to management and regulators
- Remediation tracking for non-compliance
SOX Section 404 — IT General Controls
SOX 404 requires management assessment and external auditor attestation of internal controls over financial reporting. Critical IT General Controls (ITGCs):
- Access controls to financial systems
- Program change controls
- Computer operations controls
- Segregation of duties in financial applications
⚠️ CISA Exam Focus: IS auditors play a key role in SOX compliance — evaluating ITGCs, identifying deficiencies, and distinguishing between control deficiencies, significant deficiencies, and material weaknesses.
Enterprise Architecture & IT Architecture
Enterprise Architecture (EA)
EA describes the structure and operation of an organization, its processes, information, and technology. Key EA frameworks:
- TOGAF (The Open Group Architecture Framework): Most widely used; uses ADM (Architecture Development Method)
- Zachman Framework: Matrix of perspectives (Who, What, When, Where, Why, How) × stakeholder views
- FEAF: Federal Enterprise Architecture Framework (US Government)
- DODAF: Department of Defense Architecture Framework
EA Architecture Domains (TOGAF)
| Domain | Focus |
|---|---|
| Business Architecture | Business strategy, governance, organization, key processes |
| Data Architecture | Structure of an organization's logical and physical data assets |
| Application Architecture | Blueprint of individual applications, interactions, relationships to business processes |
| Technology Architecture | Hardware, software, middleware, network infrastructure |
IT Architecture Components
- Client-Server: Centralized server provides resources to client workstations
- N-Tier Architecture: Presentation, business logic, data tiers separated
- Service-Oriented Architecture (SOA): Loosely coupled services communicating via standard protocols
- Microservices: Small independent services; cloud-native
- Cloud Architecture: IaaS, PaaS, SaaS; public, private, hybrid, multi-cloud
The Auditor's Role in EA
IS auditors review EA to ensure IT architecture decisions align with governance requirements, security standards, regulatory compliance, and risk management. Key audit questions include: Is there an approved EA? Are deviations from the EA formally approved? Does the EA include security and privacy by design?
IT Resource Management & Sourcing
IT Resource Categories (COBIT)
- People: Staff, skills, capabilities
- Processes: Documented and optimized IT processes
- Technology: Hardware, software, infrastructure
- Information: Data assets and knowledge
Sourcing Strategies
| Strategy | Description | Risk |
|---|---|---|
| Insourcing | IT services delivered internally | High cost, skills gaps |
| Outsourcing | Third-party delivers IT services | Vendor dependency, data security |
| Offshoring | Outsourcing to foreign country | Regulatory, cultural, time-zone challenges |
| Nearshoring | Outsourcing to nearby country | Less timezone risk than offshoring |
| Cloud Sourcing | IT services via cloud providers | Shared responsibility, data residency |
| Multi-sourcing | Multiple suppliers for different services | Complex management, integration |
Third-Party / Vendor Risk Management
Critical for IS auditors. Key controls:
- Due diligence: Assessment before contracting
- Contractual protections: SLAs, right to audit clauses, data security requirements, liability provisions
- Ongoing monitoring: Performance reporting, security assessments
- SOC reports: SOC 1 (financial controls), SOC 2 (security/availability/confidentiality), SOC 3 (public SOC 2 summary)
- Exit strategy: Ensure data portability, transition plan
IT Asset Management (ITAM)
Tracking and managing IT assets throughout their lifecycle: Procurement → Deployment → Maintenance → Disposal. Key controls include asset inventory, license compliance, configuration management database (CMDB), and secure disposal (data sanitization).
Cloud Governance
Shared Responsibility Model — responsibility varies by service model:
- IaaS: Customer responsible for OS, middleware, apps, data
- PaaS: Customer responsible for apps and data
- SaaS: Customer responsible for data and access management only
Maturity Models & Quality Management
Capability Maturity Model Integration (CMMI)
| Level | Name | Characteristics |
|---|---|---|
| 1 | Initial | Unpredictable; ad hoc; "heroic" efforts |
| 2 | Managed | Projects managed; reactive; basic planning |
| 3 | Defined | Org-wide standard processes; proactive |
| 4 | Quantitatively Managed | Measured and controlled using statistics |
| 5 | Optimizing | Continuous improvement; innovation focus |
COBIT 2019 Capability Levels (Based on CMMI/ISO 15504)
COBIT uses 0-5 capability levels: 0 (Incomplete) → 1 (Performed) → 2 (Managed) → 3 (Established) → 4 (Predictable) → 5 (Optimizing)
IT Quality Management
Based on TQM and ISO 9001 principles. Key concepts:
- Quality Assurance (QA): Process-focused; prevents defects
- Quality Control (QC): Product-focused; detects defects
- Six Sigma: DMAIC (Define, Measure, Analyze, Improve, Control); 3.4 defects per million opportunities
- Total Quality Management (TQM): Organization-wide quality culture
- Lean IT: Eliminate waste in IT processes (7 wastes: defects, overproduction, waiting, non-utilized talent, transportation, inventory, motion)
- Kaizen: Continuous incremental improvement
Process Improvement Cycles
- PDCA (Deming Cycle): Plan → Do → Check → Act
- DMAIC (Six Sigma): Define → Measure → Analyze → Improve → Control
ISO Standards for IT Quality
- ISO 9001: Quality Management Systems
- ISO 27001: Information Security Management
- ISO 20000: IT Service Management (aligned with ITIL)
- ISO 31000: Risk Management
- ISO 38500: IT Governance
