The CGEIT certification: Certified in the Governance of Enterprise IT

ISACA is a great organization. They are a not-for-profit that focuses on IT processes, risk, value, and how IT can best support the overall organization’s goals. They’re most famous for COBIT and the CISA certificate.

COBIT, the Control Objectives for Information and related Technology, presents a set of IT processes that are meant to be complete. They span IT from strategic planning to project management to asset acquisition to the Service Desk to monitoring and reporting for governance groups. COBIT also puts the processes in context, by presenting a set of enterprise (i.e. institutional) goals and how they map to IT goals and then how they map to IT processes. I could say a lot more about COBIT, but for now I’ll say it’s a very thorough approach that allows you to measure and target improvements based on intended organizational outcomes.

The CISA certificate is for Certified Information Systems Auditors. As far as I’m aware it is the gold standard for IT auditors. To earn the CISA you need experience as an IT auditor and you need to pass a 200-question exam.

ISACA does many other things, too. It has a close (overlapping?) relationship with the IT Governance Institute, which historically has done research and published materials about how to implement IT governance. However, with the latest version of COBIT (COBIT 5), much of the Governance Institute’s material has merged with COBIT. (A few other ISACA frameworks, notably RiskIT for reviewing IT risk and ValIT for identifying the value of IT service, were also merged into COBIT.)

ISACA also offers other certificates, including the CISM (“Certified Information Systems Manager”) and the CGEIT (“Certified in the Governance of Enterprise IT”).


The CGEIT certificate recognizes and attests to people who have experience with IT governance. To receive the certificate, you must pass a 150-question exam and, once you pass the exam, you must demonstrate at least five years’ experience with IT governance.

(In the past, the CGEIT allowed some of these five years to be waived if you had other credentials such as the PMP, but now the only waivers are for professors teaching about IT governance.)

IT governance is when people get together to talk about what’s needed and what’s expected from IT, at the Board level and other levels. In many ways IT governance is the lynchpin process that ties together project management, service management, enterprise architecture, and other IT processes. COBIT 5 was re-designed in no small part to better illustrate the connections between individual IT processes and IT governance.

CGEIT is organized around five knowledge areas:

  • Framework for the Governance of Enterprise IT
  • Strategic Management
  • Benefits Realization
  • Risk Optimization
  • Resource Optimization

The test pulls from each of these areas, and the five years’ experience must fall into one or more of these areas. The CGEIT works like the PMP, though: there is no authoritative reference text (although there are official exam study guides).

Because IT governance pulls together other IT processes, I have found that if you already understand IT service management, IT project management, and enterprise architecture fairly well, you know most of the CGEIT material.

The certification process itself is not very expensive: perhaps $750 in exam, application, ISACA membership, and study material costs. If you work in higher education, you can pull many of the source materials through your library.

I’ve seen a couple of people in higher education with CGEIT certificates, and the certification itself is only five and a half years old. I expect that CGEIT certifications will grow in proportion to people’s awareness that IT governance exists.