In the CISA Review Manual 28th Edition, Chapter 2 represents Domain 2, which carries significant weight in the exam. It explains how organizations align IT with business goals, manage risks, and ensure effective control over IT resources.
1. IT Governance Overview
IT governance defines how IT systems are directed, controlled, and monitored within an organization. Its main objective is to ensure that IT supports business strategies while delivering value and minimizing risks.
Organizations implement governance frameworks such as COBIT, ITIL, ISO standards, and NIST frameworks to maintain structured control and consistency.
Auditors evaluate whether IT governance aligns with business objectives and whether responsibilities are clearly defined.
2. Enterprise Risk Management (ERM) and IT Risk
Risk management is a core concept in Chapter 2. Enterprise Risk Management (ERM) involves identifying, assessing, and controlling risks across the organization.
The risk management process includes:
- Risk identification
- Risk assessment (impact and likelihood)
- Risk response (mitigate, accept, transfer, avoid)
- Continuous monitoring and reporting
IT risk management focuses specifically on risks related to systems, cybersecurity, and data integrity. Auditors ensure that risk processes are complete and effective.
3. IT Policies, Standards, and Compliance
Organizations must establish policies, standards, and procedures to guide IT operations. These documents translate governance into actionable practices.
Compliance with laws and regulations (such as data protection and financial reporting requirements) is essential. Auditors verify whether controls are in place and whether organizations can demonstrate compliance effectively.
4. Data Governance and Classification
Data governance ensures that data is managed as a strategic asset. It defines ownership, quality standards, and lifecycle management processes.
Data classification categorizes information based on sensitivity (e.g., public, confidential), ensuring appropriate security controls are applied.
Auditors assess whether data governance frameworks are properly implemented and whether data integrity is maintained.
5. IT Management and Resource Management
IT management focuses on executing strategies defined by governance. It includes managing personnel, infrastructure, and operational processes.
Key areas include:
- Staff recruitment, training, and performance
- Segregation of duties to prevent fraud
- IT asset and configuration management
- Capacity planning and infrastructure control
Auditors evaluate whether resources are used efficiently and securely.
6. Vendor and Third-Party Management
Organizations often rely on external vendors for IT services. Managing these relationships is critical to maintaining security and performance.
This includes vendor selection, contract management, service level agreements (SLAs), and performance monitoring.
Auditors review contracts and assess risks associated with third-party services.
7. IT Performance Monitoring
Performance monitoring ensures that IT services meet business expectations. Organizations use key performance indicators (KPIs) to measure efficiency and effectiveness.
Auditors verify that metrics are accurate, relevant, and used for decision-making and continuous improvement.
8. Quality Assurance in IT
Quality assurance ensures that IT systems and processes meet defined standards. It focuses on preventing defects and maintaining consistency in service delivery.
Organizations implement quality management frameworks to improve processes and reduce errors over time.
9. Current Situation in IT Governance and Management
The current situation in IT governance shows a strong shift toward digital transformation, cloud computing, and cybersecurity risk management. Organizations are increasingly adopting integrated governance frameworks to manage complex IT environments.
Modern IT management emphasizes data-driven decision-making, automation, and continuous monitoring to improve performance and reduce risks.
Conclusion
Chapter 2 of the CISA Review Manual 28th Edition is essential for understanding how IT is governed and managed within organizations. It highlights the importance of aligning IT with business goals, managing risks effectively, and ensuring compliance and performance through structured frameworks and processes.