CGEIT — Certified in the Governance of Enterprise IT

The Certified in the Governance of Enterprise IT (CGEIT) by ISACA is designed for professionals preparing for executive positions in IT enterprise governance. CGEIT holders often work at large organizations where they’re responsible for overseeing IT governance frameworks. As a vendor-neutral credential, CGEIT validates your skills in IT governance, strategic management, risk optimization and resource/benefits optimization. The certification allows you to demonstrate to potential employers that you’re prepared to ascend into corporate leadership. Common job titles for CGEIT holders include CISO/CTO, information security compliance manager and governance risk consultant.

To learn more about CGEIT and other ISACA certifications, download your free ISACA Career Kit.


How do I get the CGEIT?

The CGEIT is designed for mid-career professionals and requires a minimum of five years of experience in a role related to advising or overseeing an enterprise’s IT governance program. “This is designed for highly experienced strategic IT professionals who are in the role of advisors to upper management and the board,” explains ISACA's Chris DeMale. “We see this as the most C-level of the [ISACA] certifications. We see that it’s also for senior IT auditors, senior lead analysts, security risk and compliance specialists, information security compliance managers, and governance risk consultants.”

The CGEIT certification requirements include five or more years of IT governance experience.

Is CGEIT the right ISACA certification for me?

Determining whether or not the CGEIT is the best certification for you depends on your career goals. CGEIT is ideal for roles focused on “establishing and managing a framework of governance of IT as well as serving in an advisory role or oversight role,” explains Chris DeMale of ISACA. He also reiterates, "CGEIT is a terrific solution for the governance component where you are determining the rules by which the organization needs to operate.” This focus is reflected in CGEIT’s updated domains, which feature governance and management of IT and strategic management.

The CGEIT also overlaps with another ISACA certification in IT governance, the COBIT 5. “Governance and COBIT go hand in hand,” says DeMale. “If you are an expert in COBIT and you want to demonstrate your expertise in governance, those two go hand in hand, and we recommend reaching out to InfoSec for either one of those options.”



The most recent version of the CGEIT exam tests your knowledge of IT governance and enterprise risk optimization. The latest version, which came out in July 2020 (see the detailed CGEIT exam objectives), features updated domains that are more relevant to today’s IT environment. Here’s what you should know about the current CGEIT exam:

How many questions are on the CGEIT exam? How long is the CGEIT exam?

The exam contains 150 multiple-choice questions. You’ll have four hours to complete the test and need a minimum passing score of 450 points out of 800. Exams are completed in person at testing centers or kiosk locations. At a testing center, you’ll take a live proctored exam alongside other test takers; kiosks offer a more self-service experience where you work alone at a private workstation.

Read our CGEIT exam details and process article for more information on scheduling and taking the CGEIT exam.

How hard is the CGEIT exam?

Since the CGEIT is written for those with at least five years of work experience in IT governance, it’s a difficult exam. The questions are designed to make you think like an IT executive. It also has a relatively slim study guide compared to other ISACA certifications.

To pass the test, (like Infosec Alum Rexson Derrao who earned the world's highest CGEIT score), you'll need to earn at least 450 points out of a total of 800.

Practice exams can help you gauge your current “score” and provide valuable insight into which domains you should focus your studies. Pass rates vary depending on an individual’s experience, study habits and test-taking strategies.

For example, Infosec partners with ISACA to offer a CGEIT Boot Camp, which comes with an Exam Pass Guarantee, which means if you don’t pass the exam on your first attempt, you’ll get a second attempt at no cost to you.


How much does the CGEIT exam cost?

The cost of the CGEIT exam will depend on your membership status with ISACA. Members of ISACA pay $575 to take the exam, while non-members pay $760. You can find the most up-to-date pricing for ISACA exams on the ISACA website. You can download ISACA's Exam Candidate Information Guide (English) in multiple languages to get the most up-to-date information about costs and other exam details.

Where do I take the CGEIT exam?

The CGEIT exam is administered by PSI. You can take the exam online with remote proctoring or in-person at a PSI testing center. For more information, see the "Register for the Exam" section on the ISACA CGEIT page.

How to prepare for CGEIT exam?

You have a variety of learning resources at your disposal to prepare for the CGEIT exam. We recommend starting out with the ISACA candidate guide (check out the ISACA CGEIT webpage for the most up-to-date version or to download the guide in other languages). The guide covers topics related to exam registration, important deadlines, exam domains and more. The guide is a must-read for every CGEIT test taker.

Several training resources are provided in the free and paid CGEIT training resources sections below.

It's helpful to learn about how others have prepared. Read How Infosec Alum Rexson Serrao earned the world’s highest CGEIT score.

How long is my CGEIT certification active? How do I earn CPEs?

Once you successfully pass the CGEIT exam, your certification will be valid for three years. To maintain your certification, you must complete 120 hours of CGEIT continuing professional education (CPE) over the next three years, with a minimum of 20 hours annually. You’ll also have to pay a yearly maintenance fee of $45 for ISACA members and $85 for non-members. A variety of activities count as CPEs, from attending conferences to completing online training and more — you can view the full list of qualifying activities to choose what’s right for you.

Our How to earn CGEIT CPE credits article is filled with a wealth of helpful information.

How much does it cost to renew my CGEIT?

The cost to renew the CGEIT is $45/year for ISACA members and $85/year for non-members. The renewal cost drops for every credential after your first two — ISACA members pay $25/year per credential, and non-members pay $50/year.

For more information, read our article, Maintaining your CGEIT certification: Renewal requirements.

Free and self-study CGEIT materials

Budget-savvy test-takers will be pleased to learn that there are plenty of free CGEIT training resources to help you prepare for the CGEIT. ISACA itself has official study materials on its website, including a study guide and a database of exam questions. Be sure to check your local library if you’re training on a budget.

Books and study guides are excellent resources for preparing for the CGEIT exam. You may be able to find copies at your local library or bookstore, but there are plenty of online vendors to choose from as well, including the official ISACA store and Amazon. The two most popular official books are:

  • CGEIT Review Manual, 8th Edition
  • CGEIT Review Questions, Answers & Explanations, 5th Edition

Keep in mind that each resource comes in print and digital copies, so you can select the one that best meets your study preferences.

You can also download your free ISACA Career Kit for more information from ISACA on their certifications.

CGEIT practice exams and simulations

Practice exams are an excellent study resource for the real exam. Taking a CGEIT practice exam will give you an in-depth preview of the exam-taking experience, from pacing and timing to the types of questions asked. Your results will allow you to benchmark your skills and help you identify domains that require further study. Both official and unofficial practice exams are available.

Infosec partners with ISACA to provide live online CGEIT Boot Camps that include unlimited practice exam attempts and a 12-month subscription to the ISACA QAE Database. Read How Infosec Alum Rexson Serrao earned the world’s highest CGEIT score after taking the CGEIT Boot Camp.


Other free CGEIT training resources

There are a number of other free CGEIT practice training materials being produced and shared by the community:

  • Forums like TechExams and Reddit allow you to connect directly with others who are studying for or have already taken CGEIT.
  • Podcasts may not help you directly study for your CGEIT exam, but those like the Cyber Work Podcast are a great way to learn about cybersecurity career options and your peers' career journeys.
  • Video platforms are another great place to connect with cybersecurity practitioners and learn about the CGEIT exam. and many people have created free CGEIT videos on YouTube, TikTok, Twitch and other platforms, including our webcast on ISACA career paths.

CGEIT jobs and careers

Earning the CGEIT will open the pathway to executive positions in IT governance at large organizations. Once certified, you will have access to high-paying roles such as CIO/CISO, IT director and audit director.

What are common CGEIT jobs?

CGEIT holders are usually found in roles that center on IT governance in an advisory capacity to upper management or board members. Here’s a list of popular CGEIT jobs:

  • Senior IT internal auditor, cybersecurity and compliance
  • Lead analyst — IT governance, risk and compliance
  • Security risk and compliance specialist
  • Information security compliance manager
  • Governance risk consultant
  • IT risk manager
  • IT governance controls specialist

Want to learn more about your job options? Take a look at our  Common CGEIT job titles  and CGEIT overview and career path articles.

What does a CGEIT certification holder do?

Specific job duties vary from role to role, but CGEIT holders are typically upper-level managers who advise other enterprise leaders on how the business should operate in IT governance and compliance.

Depending on your role, you may research and implement a specific governance framework in addition to auditing the existing framework to ensure it gels with the company's strategic goals. You may also have a hand in implementing a risk management framework and creating plans to help the business continue operating in the event of an attack.

For more details on specific tasks, see the CGEIT exam outline, which includes the main job areas covered in the CGEIT certification as well as 38 supporting tasks.

Is CGEIT worth it?

Whether or not earning the CGEIT is worth it depends on your career goals. The certification can give you an edge if your sights are set on a position like CISO or senior IT internal auditor.

The CGEIT is valuable if you want to validate your knowledge of domains related to IT governance, risk optimization and strategic management. In addition to skill validation and job prospects, the CGEIT also boasts the highest average salary of all ISACA certifications.

What is the CGEIT average salary?

According to ISACA, the average salary for CGEIT holders is $141,000 annually. Your exact salary will vary based on factors like seniority, employer and location. Here are salary ranges for GCEIT’s common roles (all data was taken from Glassdoor in July 2022).

  • Senior IT internal auditor: $88k-$176k
  • Lead analyst — IT governance, risk and compliance: $65k-$165k
  • Security risk and compliance specialist: 52k-$148k
  • Information security compliance manager: $85k-$182k
  • Governance risk consultant: $76k-$209k
  • IT risk manager: $87k-$180k
  • Information governance specialist: $65k-$203k

Read our Average CGEIT salary article for more information.

How many people have CGEIT?

Over 8,000 professionals worldwide hold the CGEIT. As a vendor-neutral certification with high earning potential, it’s an ideal credential for up-and-coming leaders in the IT enterprise governance space.

Where can I find CGEIT jobs?

The CGEIT is a highly respected C-suite level certification. It's often listed in cybersecurity senior management job openings as a way to validate your knowledge and skills. To find CGEIT or cybersecurity management openings on general job boards like Indeed, Monster, Glassdoor, LinkedIn and CareerBuilder, search for the keywords “CGEIT," "ISACA" or "security manager."

Security-focused job boards such as ClearedJobs and are also good sources of roles for CGEIT holders. Other good sources of security job postings are cybersecurity groups like ISACA and others (ISSA, BSidesOWASPWomen in Cybersecurity and others) and cybersecurity websites.

Before your interview, check out our free ebook of cybersecurity interview tips, “How to stand out, get hired and advance your career.”

Paid CGEIT training and exam prep

When it comes to preparing for the CGEIT exam, you can choose to train yourself with books and free resources, or you can find a paid course. Most CGEIT courses fall into two categories: live online CGEIT camps or on-demand CGEIT courses where you go at your own pace.

Live CGEIT boot camps

Live CGEIT boot camps provide direct instruction where you can interact with your instructor and classmates. Live boot camps can be at a location or online. For example, Infosec partners with CGEIT to provide a five-day CGEIT Boot Camp that you can take live online or in person.

The benefits of a live CGEIT boot camp include:

  • Live training and Q&A: CGEIT is an advanced certification, and interacting with a group of seasoned professionals in a live setting often provides a great learning experience.
  • Complete training package: Most CGEIT boot camps come with everything you need: instruction, exam vouchers, books, the ISACA QAE database and labs. Training with a live instructor is more expensive, so when shopping around, be sure you know what's included in your purchase — and what you may have to pay extra for.
  • Improved pass rates: Boot camp providers like Infosec stand by their training with an Exam Pass Guarantee. That means if you fail your CGEIT exam on your first attempt, you’ll get a second attempt to pass — for free.

Self-paced CGIET training

If you're not in a hurry to earn your CGIET, the go-at-your-own-pace model can be a great (and more affordable) option. These types of courses usually consist of a number of pre-recorded videos, along with practice exams and labs or exercises you can do on your own to reinforce the material.

The benefits of on-demand CGIET training include:

  • Train when you want: You're in charge of your training schedule, whether that's daily on your lunch break or cramming all weekend long. For further motivation, you can join a study group or connect with others who are preparing for the exam.
  • Build an individual training plan: Don't waste time learning what you already know. Since you're not tied to a group, you can spend more time focused on the areas you need to learn most.
  • Accredited training partner: ISACA accredited partners regularly work with ISACA to ensure their training content is up to date and meets ISACA's quality standards.

CGEIT comparisons and alternatives

The CGEIT is one of several advanced cybersecurity certifications that you can choose from. Here’s how it stacks up against the others.


ISACA offers Certified Information Security Manager (CISM) to professionals with technical experience in IS/IT security and control. CISM holders occupy roles such as information system security officer, information/privacy risk consultant, information security manager and chief information security officer. As a mid-career certification, applicants must have a minimum of 5 years of related work experience to qualify. The average salary for CISM holders is $129,000 compared to $141,000 for the CGEIT.

For more information on the CISM exam and job opportunities, visit Infosec's CISM hub, read our Best information security management certifications article and  The ultimate guide to ISACA certifications: Overview & career paths.


Certified in Risk and Information Systems Control (CRISC) by ISACA is a mid-career certification geared toward IT audit, risk, and security professionals. CRISC covers the domains of governance, IT risk assessment, risk response and reporting and IT and security. There are more than 30,000 CRISC holders worldwide in CRISC jobs, such as information technology (IT) auditor, information security officer, and director of risk management/risk control. Earning potential for CRISC is reported to be an average of $132,266 for CRISC and $141,000 for CGEIT.

For more information on the CRISC, read  Top 5 highest-paying infosec certifications and  The ultimate guide to ISACA certifications: Overview & career paths.


Certified Information Systems Security Professional (CISSP) is a credential provided by (ISC)2 to mid-career professionals in security and risk management. To qualify for the exam, you need at least five years of professional experience in two of CISSP’s eight domains. CISSP holders are well-suited for a range of management and practitioner roles, including security analyst, security systems engineer, IT manager/director and chief information officer. The certification also provides competitive earning prospects with an average salary of $120,552 in North America.

View our CISSP hub to learn more.


COBIT 5 is a series of certifications by ISACA validating that the holder has the professional skills to implement the COBIT 5 framework for governance and management of enterprise IT. Most recently updated in 2019, COBIT comprises COBIT 5 Assessor, COBIT 5 Foundation, COBIT 5 Implementation and Implementing the NIST Cybersecurity Framework Using COBIT 5.

The average salary for COBIT 5 Foundation certification holders is $114,949. Common job titles for this credential include information systems audit manager, risk management analyst and information technology (IT) consultant.


The ITIL framework by Axelos is a well-recognized model for IT service management and delivery. It performs well across various industries, and its core principles are compatible with those of other common frameworks like COBIT and Six Sigma.

Learners begin the ITIL certification process by earning the ITIL foundation credential before following one of two tracks: ITIL managing professional (MP) or ITIL strategic leader. After completing all modules in their respective track, learners complete the certification scheme by earning the ITIL master.

Due to the credential’s pathway scheme, various career options range from practitioner-level roles in project management to executive-level positions as CIO and CISO. Salary expectations are also quite diverse and can fall anywhere from $72,852 to $188,388.