CGEIT Frequently Asked Questions (FAQ)

CGEIT Certification

1. Why does ISACA offer an IT governance certification?
2. Who is the CGEIT certification intended for?
3. Do CISAs and CISMs qualify for CGEIT?

1. Why does ISACA offer an IT governance certification?

Boards and executive management have long understood the need for enterprise and corporate governance. As information technology (IT) has become more important to the achievement of enterprise goals and delivery of benefits, there has been an increasing realization that governance must be extended to IT as well. IT governance is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives. ISACA recognized this shift in emphasis in 1998, and formed the IT Governance Institute (ITGI) to focus on original research, publications, resources and symposia on IT governance and related topics. To support and promote this significant body of work, ISACA and the ITGI are proud to offer a certification program for professionals charged with satisfying the IT governance needs of an enterprise.

2. Who is the CGEIT certification intended for?

The CGEIT certification is intended to recognize a wide range of professionals for their knowledge and application of IT governance principles and practices. It is designed for professionals who have a significant management, advisory and/or assurance responsibilities relating to the governance of enterprise IT. Among them are:

• Chief Executive Officer (CEO)/President
• Chief Information Officer (CIO)
• Chief Technology Officer (CTO)
• Chief Audit Executive (CAE)/Partner/Principal
• Chief Information Risk Strategist
• Chief Information Security Officer (CISO)
• Chief Security Officer (CSO)
• IT Governance Director/Manager
• IS/IT Director/Manager
• IS/IT Consultant
• IS/IT Audit Director/Manager
• IS/IT Security Director/Manager
• IS/IT Compliance Director/Manager
• Project Manager
• Business Manager
• General Manager

3. Do CISAs and CISMs qualify for CGEIT?

The CGEIT certification program recognizes the IT governance components of the CISA and CISM credentials and as such, both certifications can be used as 1-year experience waiver towards the requirements for the CGEIT certification. To see educational and experience waivers for CGEIT, go to www.isaca.org/cgeitrequirements.

Application Processing :: Exam Registration & Administration
Exam Content :: Certification Requirements

CGEIT Application Processing

1. I think I am qualified, but not sure. Any suggestions?
2. There is no way that I can summarize my career in 500 words. What should I do?
3. What is the best way to summarize my IT governance experience in the narrative?
4. My view is that IT governance involves assessing how financial resources are to be spent to maximize a business process. Would you agree?
5. I have been working in assurance or compliance related jobs my entire career. Can I qualify?
6. Does my Information Security Governance experience qualify as IT Governance experience?
7. As an IT manager, I've had experience with identifying the skill gaps of the people who work for me. Does that qualify as experience in the Resource Management domain?
8. What does a CGEIT “in good standing” mean?

1. I think I am qualified, but not sure. Any suggestions?

First, re-read the CGEIT Job Practice. While going through it one domain at a time, write down specific examples from your work experience that demonstrate your participation in that area of governance of enterprise IT. Keep in mind that just having experience with business systems or IT or audit or security, doesn't necessarily mean you are qualified. You must be able to relate that experience to IT governance. Also, you must have experience in domain 1 and at least 2 of the other domains in order to qualify.

2. There is no way that I can summarize my career in 500 words. What should I do?

Remember that you aren't trying to summarize your career. The CGEIT Certification Board is not looking for volume (of words), but clear and succinct examples of your experience in domain 1 and at least two other domains. Your description needs to help the CGEIT Board reviewers see that you have an understanding of, and experience in, the governance of enterprise IT.

3. What is the best way to summarize my IT governance experience in the narrative?

Explicitly identify the domains in your narrative when you describe your specific experiences in those areas. In other words, start your narrative with "Domain 1: IT Governance Framework", then under that, describe your experience with developing, or being part of the development of, and/or maintenance of an IT governance framework. Then do the same with each of the other domains in which you have experience. This allows you highlight the experience you have in each domain, without including other experience that is less governance related. The CGEIT Certification Board members reviewing the applications have found this approach very helpful. Remember, you want to demonstrate to the CGEIT Certification Board members that you have an understanding of, and experience in, the governance of enterprise IT.

4. My view is that IT governance involves assessing how financial resources are to be spent to maximize a business process. Would you agree?

IT governance is broader than that. If it were only "assessing how financial resources are to be spent to maximize a business process" then good investment management and program/project management is all you would need. The broader view says that IT governance is about the leadership, the organizational structures, and the processes in the organization that, all together, help ensure that the detailed IT work contributes to business goals and objectives. So good project management practices help make sure you meet time, budget and scope requirements, but IT governance processes are about how those projects get selected and how the available resources get split between new projects and sustaining operations; they're about the measurement of expected business outcomes to actuals. It's about how alignment of the entire IT effort with business objectives is ensured.

5. I have been working in assurance or compliance related jobs my entire career. Can I qualify?

You may but you need to have had experience that goes beyond just doing audits or checking compliance. Go through the CGEIT Job Practice. Think of examples from your roles and responsibilities where you participated in work that furthered the purpose/objective of each of the governance domains. Assurance professionals can, and do, make contributions beyond inspection and reporting. If you have, record those specific examples in the application narrative so that the CGEIT Board Certification Board members can see that you have an understanding of, and experience in, enterprise governance of IT.

6. Does my Information Security Governance experience qualify as IT Governance experience?

Very likely, but not automatically. You need to be able to relate that experience to how it contributed to the broader IT governance domains described in the CGEIT Job Practice.

7. As an IT manager, I've had experience with identifying the skill gaps of the people who work for me. Does that qualify as experience in the Resource Management domain?

Probably not, although it may appear so. For example, there is a task statement in the CGEIT Job Practice that says, "Ensure that the requirements for trained resources with the requisite skill sets are understood and are assessed appropriately." You might be doing that within the organization you manage, but at that level it isn't IT governance, it's good management. The CGEIT Job Practice task statements must be considered within the context of the domain description. In this example, the CGEIT Certification Board is looking at this task as it contributes to the development of "systematic and continuous resource planning, management, and evaluation processes" to "ensure that IT has sufficient, competent and capable resources to execute current and future strategic objectives". If your assessment of the skill gaps of your people was part of a broader governance effort, OR if your efforts somehow lead to better enterprise IT resource planning (beyond your group), then the experience would apply.

8. What does a CGEIT “in good standing” mean?

In order to be a CGEIT “in good standing”, the following must be achieved:

• Certification granted from the corresponding Board, resulting from an approved application
• Continuing professional education is current and up-to-date
• All renewal fees/maintenance payments are current
• Continued compliance with the ISACA’s Code of Professional Ethics

CGEIT Certification :: Exam Registration & Administration
Exam Content :: Certification Requirements

Exam Registration & Administration

1. When will I receive my December 2009 exam results?
2. Can you further explain my exam score in my results letter that I have received?
3. What is the date of the next CGEIT exam?
4. When does registration begin for the next exam?
5. What is the registration deadline of the next exam and what are the fees?
6. Can I take the CISA, CISM and CGEIT exams on the same day?
7. Are there study materials available for the CGEIT exam?
8. Can I change my exam site or language?
9. Can I defer my exam?
10. How do I provide comments on testing conditions?
11. Where can I find CISA/CISM/CGEIT applications for certification?
12. What are the requirements for CISA/CISM/CGEIT certification?

1. When will I receive my December 2009 exam results?

Results for the for the December 2009 exam have been released via email to those candidates who elected to receive the email notification option and have no outstanding balances for the exam. The hard copy result letters have been sent out the week of 1 February via the post to the mailing address listed in your profile. Please allow for adequate delivery time to your mailing location. Exam results will be posted online after 15 February, but will only contain your overall exam score. To ensure the confidentiality of scores, exam results will not be reported by telephone, fax or email other than the one-time notification email.

2. Can you further explain my exam score in my results letter that I have received?

Your overall score is in the top box of your results letter. Exam scores are reported on a scale from 200-800. A scaled score is a conversion of your raw score(s) to a common scale. A score of 450 represents a minimum consistent standard of knowledge as established by ISACA’s CGEIT Certification Committee. You have also received, in the second box, a score by subject domain area. Please be aware that each domain area is individually weighted and a simple arithmetic mean was not used to arrive at your total scaled score. The score report is helpful in identifying your areas of strength and areas for improvement. These subject area scores should be interpreted as follows:

• A score below 375 indicates that you did not demonstrate an understanding of this area and a substantial review is recommended.
• A score between 375 and 450 indicates that you demonstrated an understanding of the area, but additional review is recommended.
• A score above 450 indicates that you demonstrated an understanding of the area, and limited review is recommended.

3. What is the date of the next CGEIT exam?

The next exam will be administered on 12 June 2010 unless otherwise specified at www.isaca.org/examlocations.

4. When does registration begin for the next exam?

Registration for the 12 June 2010 exam is currently open. You can register for the exam at www.isaca.org/cgeitreg.

5. What is the registration deadline of the next exam and what are the fees?

The early registration deadline has been extended until Friday, 12 February 2010–5:00PM Central Time (Chicago, Illinois, USA).

Early registration deadline: 12 February 2010
Final registration deadline: 7 April 2010

Please visit www.isaca.org/cgeitboi for more details, including fees.
Candidates can save US $50 on the exam registration fee by registering online.

6. Can I take the CISA, CISM and CGEIT exams on the same day?

The CISA, CISM and CGEIT exams are given simultaneously in a 4 hour time frame. It is not possible to take multiple exams on the same day.

7. Are there study materials available for the CGEIT exam?

Please visit www.isaca.org/cgeitreferences for a reference list of key study publications and periodicals. These are cross-referenced by the CGEIT domains.

8. Can I change my exam site or language?

Yes, changes to the exam site and language are permitted until 23 April 2010**. Exam registration changes are subject to the following charges:

• On or before 16 April 2010.....no charge
• 17 April through 23 April 2010.....$50

No exam registration changes will be granted after 23 April 2010.
**Please note that all deadlines are based on Chicago, Illinois, USA 5PM Central Time. For exam site or language changes, please send an email to exam@isaca.org. These changes do not include deferrals.

9. Can I defer my exam?

Candidates unable to take the exam can request a deferral of their registration fees to the next exam date. To learn more about deferring your exam, including deferral deadlines and costs, please visit www.isaca.org/examdefer.

10. How do I provide comments on testing conditions?

Candidates wishing to comment on the test administration conditions may do so at the conclusion of the testing session by completing the “Test Administration Questionnaire.” The Test Administration Questionnaire is presented at the back of the examination booklet and your questionnaire answers should be entered in boxes P through S of the Special Codes section (Grid No. 4) on the front of your Answer Sheet. Candidates who wish to address any additional comments or concerns about the examination administration should contact ISACA international head-quarters by letter or by e-mail (exam@isaca.org). These comments or concerns should be received by ISACA within 2 weeks after the examination date. Candidates who wish to comment on the contents of the examination may do so by mailing their comments to the Professional Examination Service. However, only those comments received by The Professional Examination Service during the first 2 weeks after the exam administration will be considered in the final scoring process of the examination. You may obtain the address of the Professional Examination Service from the Proctor after you complete the examination.

11. Where can I find CISA/CISM/CGEIT applications for certification?

CISA applications are located at www.isaca.org/cisaapp.
CISM applications are located at www.isaca.org/cismapp.
CGEIT applications are located at www.isaca.org/cgeitapp.

12. What are the requirements for CISA/CISM/CGEIT certification?

CISA requirements for certification are available at www.isaca.org/cisarequirements.
CISM requirements for certification are available at www.isaca.org/cismrequirements.
CGEIT requirements for certification are available at www.isaca.org/cgeitrequirements.

CGEIT Certification :: Application Processing :: Exam Content :: Certification Requirements

Exam Content

1. How long is the exam?
2. What does the CGEIT exam cover?
3. What is the CGEIT job practice and how was it developed?

1. How long is the exam?

A candidate is given 4 hours to complete the exam.

2. What does the CGEIT exam cover?

The CGEIT exam will cover (6) IT governance domains, each of which is further defined and detailed through task and knowledge statements. The governance areas, or domains, include: IT Governance Framework, Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement. For specific details, please go to www.isaca.org/cgeitjobpractice.

3. What is the CGEIT job practice and how was it developed?

ISACA's philosophy toward certification is to measure the individuals' ability and knowledge as it pertains to the performance of their job. The job practice serves as the basis for the exam and the experience requirements to earn the CGEIT certification. This job practice consists of task and knowledge statements, organized by domains. These statements and domains were based on feedback from IT governance subject matter experts from around the world. Numerous reference sources were also utilized including research conducted by the IT Governance Institute and COBIT 4.1.

The detailed CGEIT job practice areas can be viewed at www.isaca.org/cgeitjobpractice.

CGEIT Certification :: Application Processing
Exam Registration & Administration :: Certification Requirements

Certification Requirements

1. What do I need to do if I've received a revocation notice?
2. Where can I find the CGEIT application for certification?
3. What are the qualifications to earn the CGEIT credential?
4. What does the CGEIT continuing professional education program require?
5. How can I earn CPE credits online?
6. How do I submit my annual continuing profession education (CPE) hours to ISACA?
7. What does a CGEIT “in good standing” mean?
8. Do I need to submit documentation for my 2009 CPE hours?

1. What do I need to do if I've received a revocation notice?

If you have received a revocation notice, please contact certification@isaca.org.

2. Where can I find the CGEIT application for certification?

CGIET applications are located at www.isaca.org/cgeitapp.

3. What are the qualifications to earn the CGEIT credential?

Qualifying for CGEIT requires a combination of four "e's": experience, ethics, education and exam. Specifically, the requirements are:

• Earn a passing score on the CGEIT exam
• Adhere to the ISACA Code of Professional Ethics
• Commit to abide by the CGEIT Continuing Professional Education Policy
• A minimum of five years of experience managing, serving in an advisory or oversight role, and/or otherwise supporting the governance of the IT-related contribution to an enterprise is required to apply for certification. This experience is defined specifically by the domains and task statements described in the CGEIT Job Practice. Some substitutions and waivers of such experience are available.

For further details, visit www.isaca.org/cgeitrequirements.

4. What does the CGEIT continuing professional education program require?

In order to become and remain a CGEIT an individual must agree to comply with the CGEIT continuing professional education program. This program requires an individual to earn a minimum of twenty (20) hours annually and one hundred twenty (120) hours every three years of continuing professional education. In addition, an annual maintenance fee of US $40 ISACA member and US $80 non-member is required.

To access the CPE policy, visit www.isaca.org/cgeitcpepolicy.

5. How can I earn CPE credits online?

ISACA members can earn CPE hours by taking and passing an ISACA Journal CPE Quiz online. One CPE hour is awarded per quiz. ISACA members may also earn CPEs online by participating in e-symposia. The e-symposia are offered live each month or may be accessed on demand via the archives. For more information, please go to www.isaca.org/webcasts. In order to claim the CPE hours (generally 3 hours per e-symposia), a passing score must be earned on the quiz.

6. How do I submit my annual continuing profession education (CPE) hours to ISACA?

CPE hours are reported annually during the renewal process which begins in October/November of each year. At renewal time, you will be asked to report the total number of CPE hours that you earn during the cycle year. Please keep track of the activities you take and retain the supporting documentation so that you are able to properly report your hours. You will be sent an email notification when the renewal process opens each year. At that time, you can go to our web site and pay your annual dues and report your CPE hours at www.isaca.org/renew. Alternatively, you can wait until we send you the hard copy annual invoice and use that as the mechanism to make your payment and report your CPE hours.

7. What does a CGEIT “in good standing” mean?

In order to be a CGEIT “in good standing”, the following must be achieved:

• Certification granted from the corresponding Board, resulting from an approved application
• Continuing professional education is current and up-to-date
• All renewal fees/maintenance payments are current
• Continued compliance with the ISACA’s Code of Professional Ethics

8. Do I need to submit documentation for my 2009 CPE hours?

CPE hours are entered into your profile annually during renewal time. Documentation of CPE hours does not need to be provided to ISACA unless you are selected for an audit of your CPE hours.

CGEIT Certification :: Application Processing
Exam Registration & Administration :: Exam Content