Failed my CGEIT - What next?
February 11, 2018

Main Reason: Due to a lack of focus and a lack of guidance required to pass the exam.

Sounds generic I know, though truthfully I didn't provide enough designated time and effort to studying CGEIT. The studying materials left me gouging my eyes and the syllabus was difficult to comprehend. Furthermore, differentiating the fluff and nonsense as opposed to the worthwhile materials was often difficult.

So I decided to write this in the hope that someone could benefit from my mishaps.

Despite reading this thread where 'EVERYONE passes the CGEIT exam', I can only assume that the failures stayed shy. I believe there's no shame in failing the exam; it simply means you have insufficient knowledge to pass the exam (or that you're lazy, stupid, and you didn't put in the time, effort, dedication - joke, kinda).

I failed by a question, maybe two. I needed 450 out of 800 and received the email stating I achieved 444/800 (see below).

Gut-wrenching, I know. Though this gut-wrenching feeling is way too familiar for me. Back in the day, I attempted the CISSP exam and failed when I needed a 700 and received a 685 (see below again).

I outline below what went wrong and what my next steps are.

WHAT WENT WRONG - Not knowing the syllabus

Truthfully, I just didn't know what would be on the exam. I'm a little wiser now, though I still cannot locate a stronger syllabus definition.

In contrast, I took the OCPJP exam in 2017, which outlined the boundaries of the exam. You need to know this, this, this, and this. Then boom, I passed - easy. I also stated that OCPJP was going to be my final IT exam, though I was convinced that CGEIT would be beneficial for me to achieve, and here I am now, ranting, complaining, and up @ 3am writing this with my beautiful girlfriend snoring next to me. It got me thinking - was it all worth it?

I noticed the high-level syllabus within the task statements if you ever wanted to submit your suggested exam questions. That said, these guidelines are vague definitions of what could be incorporated into the exam. I bought both of the ISACA books from Amazon and, despite them being ISACA official publications, I found them misleading as the materials would often refer to COBIT and other unrelated topics. That said, I would recommend the questions and answers book.

Despite the fact that I passed in risk optimization, the mistake I made was not distinguishing the difference between risk optimization and risk management. Based on my knowledge, risk optimization is simply a subset of risk management. For the exam though, risk management is barely on the CGEIT radar.

For example, if I were a CIO, how would I be involved when optimizing risk, not necessarily in risk management? The question I should be asking is, "How can I involve (enterprise) risk management in IT effectiveness?" and then ignore the rest.

Again, it's all about the governance of corporate IT, so questions are going to be asked from a strategic and program level; it's unlikely there will be questions from the project and operational level.

All that said, I'm still scratching my head on what the syllabus is!

WHAT WENT WRONG - Unable to avoid the buzzwords

For these types of exams, I would begin by siphoning out the corporate b* buzzwords and removing any ambiguous terminology depending on the corporation in question.

In my experience, the 'play-with-words' is all too familiar when taking IT exams. I believe governing bodies and examining boards use this tactic to confuse the participant if the participant is unable to distinguish between the two entities in question.

Some ambiguous questions to resolve before taking the exam include:

"What's the difference between senior management, board of directors, and top management?"

"What are the responsibilities of a Director vs a VP?"

Simple stuff, I know, though in some scenarios (and depending on the corporation and geography) a Vice President is considered higher than a Director, which is often not the case in America. So how does the play-with-words come into play here?

The question that required the most research was the following:

"What is the difference between 'IT governance' and 'Governance of Enterprise IT'?"

Both terms were often used. My Harvard extension studies discussed IT governance, though CGEIT is focused on Governance of Enterprise IT. So what's the difference? Is there even a difference? CGEIT is clearly the certified 'Governance of Enterprise IT' exam, so where does IT governance play a part here?

Each has its own obvious definition, though the penny dropped when I saw this blog highlighting the scope of the standard against the maturity of COBIT.

"Ooohhhhhh, it's the terminology used within the COBIT 4 and COBIT 5 standards!", I thought.

All that said, knowing the explicit difference provided me with little help in the exam. Furthermore, ISACA makes it clear within the official documents that there will not be any questions on COBIT 5 or any other standard framework. Because the CGEIT review manual is packed with COBIT references, I had to question whether the official book was worth the $135. That said, is there a book out there that would be more useful for studying this exam? I don't know, probably not.

WHAT WENT WRONG - Not knowing the type of questions

Before the exam, it was unclear what the questions would be like.

Would the questions predominantly be 'knowledge-based', or more comprehensive and 'scenario-based', requiring methodical thought and understanding? Would they be 'keyword-based', where the participant has to understand a particular word and therefore know what type of question they're facing?

Based on previous question dumps, the exam was more focused on knowledge-based questions. With my failed experience and during this write-up, and of course without revealing the contents of the exam, I'd say the questions were more 'executive-based'. When preparing for the exam, start thinking along the lines of a CIO to give yourself the best possible chance, and don't get bogged down with the nitty-gritty stuff. You would be asked to answer simpler questions and then make 'the call' on what should happen, which in turn leads you to the correct answer.

WHAT WENT WRONG - Being misled

Risk optimization, which is a focal topic for the CGEIT exam, is a great example. Risk management in question is often the responsibility of the risk and auditing committee. For the exam, however, as stated, start thinking like a CIO when studying for this exam.

So, for instance, in the past I reviewed the CISSP study materials as shown in CISSP risk management Part 1 as well as CISSP risk management Part 2, then started focusing on qualitative and quantitative risk assessments, gap analysis, mitigation strategies, etc., which were part of the CISSP exam.

You can ask yourself the very question: if I were a CIO (or at the very least top management), would I be concerned with how these techniques work? As a CIO, I'd be more concerned with how risk aligns with the IT strategy. This is confirmed if you review the development guide, which simply states that

" and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework".

Nothing further is mentioned regarding the specifics of ERM.

WHAT WENT WRONG - Not enough studying

Immediately, I could see that my preparation was insufficient. After reviewing my study model, it wasn't enough. Studying the official books clearly was not enough, and there is little supporting material out there.

My prep included reading the review manual 7th edition once, then reading the questions and answers 7th edition twice. Reflecting on it, I needed to expand beyond the realms of the ISACA materials and focus more on learning groups, forums, etc.

WHAT WENT WRONG - No pen and paper available

This may sound strange to some.

To date, I've passed 15 certification exams since 2007. I've developed a technique during the exam whereby I use 3 columns headed 'tick', 'question mark' and 'cross'. As I progress, I place each exam question in one of the 3 columns depending on whether I knew the answer, whether I should come back to it, or whether I simply didn't know and didn't care about the question.

The CGEIT exam, however, prohibits pen and paper. Because I didn't have pen and paper, I couldn't review my questions in my usual way. There is a 'mark for review' flag for each question in the electronic format, though that is effectively a boolean. Because I HATED their review marking system, I decided not to bother reviewing the exam questions again - stupid to state, I know, though I gave the questions my best guess initially.

WHAT WENT WRONG - They told me I didn't pass

You know if you've passed right after the exam. As I submitted my exam, it was indicated that 'it was suggested that I did not pass the exam', though I would get official confirmation at a later date.

It is difficult to quantify the study materials needed, though the exam in question isn't that difficult relative to, let's say, CISSP. I simply failed to study the correct material and lost focus on the type of exam.

So far, I've spent $760 on the exam and $200 on official CGEIT study books. I JUST spent $185 to become an ISACA member and to join the local chapter in NY. Hopefully breaking into the forums will provide me with a different perspective. I've designated 40 hours of studying already and will designate another 30 more before taking the exam. I will change my study approach; though I was incredibly close last time, I should pass this time.

The exam has been pencilled in for March. Wish me luck, and good luck to everyone considering the exam.

Oh, and I would love to hear if this article helped at all, other individuals' experiences and feedback below!

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel built this blog from scratch as well as
Follow Daniel on twitter @nervouswiggles