CGEIT certification exam Domain 4: Risk optimization [updated 2021]

April 3, 2021 by Greg Belding


The Certified in Governance of Enterprise IT, or CGEIT, is an IT governance certification offered by ISACA. The certification exam recently received an overhaul that changes not only the number of domains in the exam, but also a fair amount of exam content and how it is presented to the certification exam candidate.

This article will detail Domain 4 of the CGEIT certification exam and explore the changes introduced by the 2020 job practice as well as the sub-topics of the domain. For those familiar with previous job practices, the term sub-topic may seem completely new to you. But don’t worry: all will be explained.


Recent changes to CGEIT

Several changes to the CGEIT certification exam took effect in July 2020. These changes are:

  • The CGEIT certification exam has shifted its focus from task statements to topic/knowledge areas (or sub-topics) in the outline of exam specifications. The new exam outline contains secondary task statements/activities in each of the four domains of knowledge that allow the candidate to apply the knowledge.
  • The sub-topics provide better organized knowledge and task statements in the domains.
  • What was once five domains is now four, with the former Domain 5 being spread amongst the remaining domains.
  • Domain 4 formerly had an exam content weight of 26% in previous exam versions. This domain now has a weight of 19%.
  • The domain called Strategic Management did not make it to the CGEIT exam outline (job practice). Instead, this domain has been spread throughout the other domains.
  • The knowledge statements have been rewritten throughout. This is to account for current technology. Some have been combined to avoid redundancies.
  • These changes are intended to enhance the exam preparation experience and to provide a better context in which to apply the knowledge.

CGEIT: Revised

You will probably find that the most obvious change to the certification exam is the appearance of sub-topics. These sub-topics, or content areas, will help to better focus and organize the exam. The sub-topics for Domain 4 are:

  • Risk strategy
  • Risk management

Just as sub-topics are used as signposts to guide the exam candidate, I will likewise use them to guide you through this article.

Domain 4 objective

The objective of this domain is to ensure that the appropriate IT risk frameworks are in place and aligned with standards to identify, evaluate, analyze, manage, mitigate, monitor and communicate regarding IT business risk as an essential part of the enterprise IT governance environment.

Risk strategy

IT risk is affected by the same factors that affect business risk: management, geographical, risk appetite, geopolitical and industry-specific factors. It is imperative to consider IT risk in the wider business context.

Risk frameworks and standards

This secondary task covers the following risk management frameworks and standards:

  • ISACA Risk IT Framework
  • Factor Analysis of Information Risk (FAIR)
  • COSO ERM Integrated Framework
  • ISO 31000 Risk Management Series
  • ISO 20000-1:2018: Information technology – Service management – Part 1: Service management system requirements
  • ISO 20000-2:2019: Information technology – Service management – Part 2: Guidance on the application of service management systems
  • Project Management Body of Knowledge (PMBOK)
  • ISO/IEC 27005:2018: Information technology – Security techniques – Information security risk management
  • ISO/IEC 27001:2013: Information technology – Security techniques – Information security management systems – Requirements
  • ISO/IEC 27002:2013: Information technology – Security techniques – Code of practice for information security controls

Risk IT Framework

The ISACA Risk IT Framework is the guiding framework for IT risk management. It is aligned with the COBIT Framework and helps enterprises make risk-aware IT decisions that are appropriate for the enterprise.

COBIT 5 for Risk

This COBIT information risk view provides risk-specific guidance for information risk professionals working within COBIT. COBIT 5 provides practical guidance through two different perspectives:

  • Risk function perspective
  • Risk management perspective

COSO ERM Framework

The COSO ERM Framework provides an outline of objectives and components that have a direct relationship with each other. This relationship is presented in the form of a cube.

ISO 31000:2018 Principles and Guidelines on Implementation of Risk Management

This is a family of risk management-related standards that are applicable throughout the entire lifespan of an enterprise and across its various activities.

OCTAVE

OCTAVE is a threat and vulnerability assessment framework whose objective is to aid in information security risk evaluations.

Other risk management standards and frameworks

  • ISO/IEC 20000
  • ISO/IEC 27000-series
  • ISO/IEC 31010:2019
  • NIST Special Publication 800-37 Revision 2
  • NIST Special Publication 800-30 Revision 1
  • NIST Special Publication 800-39

Enterprise risk management

Risk hierarchy

Other than IT risk, enterprises are faced with:

  • Strategic risk
  • Environmental risk
  • Credit risk
  • Market risk
  • Operational risk
  • Compliance risk

Risk appetite and risk tolerance

  • Exactly what it says on the label!

Risk management

IT-enabled capabilities, processes, and services

  • The relationship of the risk management approach to business resiliency

Business risk, exposures and threats

  • Risk categories
  • Risk scenarios
  • Opportunities and risk
  • Types of business risk, exposures and threats that can be addressed using IT resources

Risk management life cycle

  • IT risk analytics, monitoring and reporting
  • Risk management information system
  • Locked-down operations
  • Decision support, risk analytics and reporting
  • Risk response strategies related to IT in the enterprise
  • Methods to establish key risk indicators
  • Methods to monitor effectiveness of response strategies and/or controls
  • Segregation of duties
  • Stakeholder analysis and communication techniques
  • Methods to track, manage and report the status of identified risk

Risk assessment methods

  • Qualitative risk assessment
  • Quantitative risk assessment
  • Combining qualitative and quantitative methods – toward probabilistic risk assessment
  • Practical guidance on analyzing risk



The CGEIT certification exam has undergone a facelift of sorts: the exam material has been updated for the latest technology, the focus of the exam has been restructured from task and knowledge statements to topic/knowledge areas, and the emphasis has shifted from IT governance to information governance and big data.

Domain 4 had a slight drop in its content weight, from 26% to 19%. This does not mean this domain is skimpy on exam material! Despite its lower weight, there is more content in this domain than in any of the others.


Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.