Isaca Updated CGEIT Exam Questions and Answers by oliwia

Outcome measures are indicators that measure the results or impacts of a strategy, program, or project on the intended beneficiaries or stakeholders1. The primary objective of building outcome measures is to monitor whether the chosen strategy is successful in achieving its goals and objectives, and to evaluate its effectiveness and efficiency2. Outcome measures can also help to communicate the value and benefits of the strategy to the relevant audiences, and to identify areas for improvement or adjustment3. Outcome measures are different from output measures, which measure the activities or products that are delivered by the strategy, but not necessarily their effects or outcomes4. References :=

• Outcome Measures - an overview | ScienceDirect Topics
• Outcome Measurement | The Australian Institute of Family Studies
• Outcome Measurement: A Guide for Nonprofit Organizations | Imagine Canada
• Doing Quantitative Research with Outcome Measures

 Senior management regularly reviewing the IT portfolio is the best IT governance practice to support IT and enterprise strategic alignment, because it helps to ensure that the IT investments are aligned with the business strategy and goals, and that they deliver value to the enterprise. An IT portfolio is a collection of IT projects, programs, services, and assets that support the business objectives and processes of an organization1. Senior management regularly reviewing the IT portfolio helps to prioritize, monitor, and evaluate the IT investments based on their performance, benefits, costs, and risks2. It also helps to identify and address any gaps, issues, or opportunities for improvement in the IT portfolio2. Senior management regularly reviewing the IT portfolio also helps to communicate and collaborate with the IT department and other stakeholders, and to provide guidance and direction for the IT strategy and governance2.

References := IT Portfolio Management: A Simplified Guide | Planview, IT Governance – How to align IT and business strategy?

An independent assessment is a review by a third party of an authorization decision, a product, a service, or a system to verify its quality, functionality, compliance, or performance. An independent assessment can help identify and mitigate potential risks, errors, or defects before they cause problems or failures. An independent assessment can also provide an objective and unbiased opinion on the suitability and effectiveness of a solution for a specific purpose or context.

By requiring an independent assessment of solutions prior to implementation, the enterprise can ensure that the solutions meet the functional requirements and specifications, as well as the security and privacy standards and policies. This can prevent issues such as the malfunctioning of role-based access control, which could compromise the confidentiality, integrity, and availability of sensitive data. An independent assessment can also help evaluate the compatibility and interoperability of solutions with existing systems and processes, and provide recommendations for improvement or optimization.

Some examples of independent assessment methods are:

• Independent verification and validation (IV&V): A process that checks whether a system meets its defined requirements and specifications, and whether it fulfills its intended purpose and functions.
• Independent technical review (ITR): A process that evaluates the technical aspects of a system, such as its design, architecture, performance, reliability, security, usability, maintainability, and scalability.
• Independent security assessment (ISA): A process that assesses the security posture of a system, such as its vulnerability to threats, its compliance with security standards and regulations, its implementation of security controls and measures, and its response to security incidents.

Qualitative analysis is a method that uses subjective judgments and opinions to assess plausible risk scenarios that could result in reputational risk to the enterprise. Qualitative analysis can help identify the sources, causes, and impacts of reputational risk, as well as the likelihood and severity of such risk. Qualitative analysis can also involve stakeholder feedback, surveys, interviews, focus groups, and expert opinions to evaluate the reputation of the enterprise and its IT functions.

The other options are not the most likely methods to assess plausible risk scenarios that could result in reputational risk to the enterprise. Controls gap analysis is a method that compares the existing controls with the required controls to identify any deficiencies or weaknesses that could expose the enterprise to risk. Controls gap analysis can help improve the effectiveness and efficiency of IT processes and services, but it does not directly assess the reputational risk scenarios. Quantitative analysis is a method that uses numerical data and mathematical models to measure and evaluate risk scenarios. Quantitative analysis can help estimate the financial impact and probability of risk events, but it may not capture the intangible and subjective aspects of reputational risk. SWOT analysis is a method that evaluates the strengths, weaknesses, opportunities, and threats of an organization or a project. SWOT analysis can help identify the internal and external factors that affect the performance and success of the organization or the project, but it does not specifically assess the reputational risk scenarios.

For more information on qualitative analysis and reputational risk, you can refer to these web sources:

• Qualitative Risk Analysis: What it is and how to implement it
• Reputational Risk Management: A Framework for Measurement
• Reputational Risk Management in IT Outsourcing: A Case Study