
Module 18: Information Security Control Design and Selection

CISM Domain 3 — Information Security Program, Section B

What the Exam Is Really Testing

Every question on control design comes back to one principle:

Controls must be designed and selected based on risk, business objectives, and proportional protection — not technical preference.

Control design must:

  • Reduce risk to within appetite
  • Align with asset classification
  • Reflect regulatory obligations
  • Be cost-effective
  • Be operationally sustainable

Over-control wastes resources. Under-control increases exposure.


The Executive Mindset Shift

Doer mindset:

Implement the strongest control possible.

Leader mindset:

Implement the most appropriate control based on risk level and business impact.

Security leaders must:

  • Evaluate inherent risk
  • Assess existing control gaps
  • Select preventive, detective, and corrective controls appropriately
  • Consider cost-benefit
  • Avoid operational disruption beyond tolerance

Control design is risk-based — not technology-driven.


Types of Controls

Preventive Controls

Stop incidents before they occur. Examples:

  • Access control
  • Encryption
  • Network segmentation

Reduce likelihood.

Detective Controls

Identify incidents after they occur. Examples:

  • Monitoring
  • Logging
  • Alerts
  • Audits

Reduce impact through early detection.

Corrective Controls

Restore systems after an incident. Examples:

  • Backup recovery
  • Patch remediation
  • Incident response

Reduce duration and impact.

CISM expects layered defense — not reliance on a single control type.


Design Principles

Effective control design:

  1. Aligns with asset classification.
  2. Matches threat likelihood and impact.
  3. Integrates with governance frameworks.
  4. Is measurable.
  5. Assigns clear ownership.
  6. Is sustainable within staffing capacity.

Controls must be documented and monitored.


Cost-Benefit Consideration

Before implementing a control, ask:

  • Does it reduce residual risk below appetite?
  • Is cost proportionate to risk?
  • Does it disrupt business operations?
  • Can the organization support it long term?

Excessive controls can introduce operational risk.


Pattern Recognition

When control design appears in a question, ask:

  1. What is the underlying risk?
  2. What classification level applies?
  3. Is a preventive control realistic?
  4. Is layered defense needed?
  5. Is proportionality maintained?

Correct answers often involve:

  • Risk-based control selection
  • Balanced preventive/detective layering
  • Alignment with business objectives
  • Cost-benefit evaluation
  • Clear accountability

Not:

  • Implementing maximum restriction automatically
  • Selecting technology without risk assessment
  • Ignoring operational impact
  • Relying solely on detective controls

Trap Pattern

Common wrong instincts:

  • “Use the strongest control available.”
  • “Encrypt everything equally.”
  • “One control is sufficient.”
  • “Ignore cost implications.”

CISM emphasizes balanced, risk-aligned control architecture.


Scenario Practice

Question 1

A system processes highly sensitive financial data. Inherent risk is high, and existing controls are minimal.

What is the MOST appropriate approach?

  A. Implement layered preventive and detective controls aligned with classification
  B. Increase monitoring only
  C. Accept the risk
  D. Outsource the system

Answer & Explanation

Correct Answer: A

High inherent risk requires layered controls aligned with asset classification.


Question 2

A preventive control would significantly disrupt a critical business process, but risk is moderate and within tolerance.

What is the MOST appropriate action?

  A. Implement the control anyway
  B. Evaluate alternative proportional controls
  C. Eliminate the business process
  D. Ignore the risk

Answer & Explanation

Correct Answer: B

Controls must balance security with operational feasibility.


Question 3

An organization relies solely on detective monitoring for high-risk systems.

What is the PRIMARY weakness?

  A. Encryption gap
  B. Vendor inefficiency
  C. Lack of preventive control layering
  D. Reduced automation

Answer & Explanation

Correct Answer: C

Layered controls reduce likelihood and impact.


Question 4

A control reduces risk significantly but exceeds budget constraints.

What should occur FIRST?

  A. Ignore budget limitations
  B. Immediately cancel the control
  C. Transfer the risk
  D. Conduct cost-benefit and risk impact analysis

Answer & Explanation

Correct Answer: D

Control decisions must align with economic rationality.


Question 5

A control is selected without evaluating asset classification.

What is the MOST significant risk?

  A. Monitoring gap
  B. Misaligned protection relative to business impact
  C. Increased automation
  D. Vendor delay

Answer & Explanation

Correct Answer: B

Control design must reflect asset criticality.


Key Takeaway

In CISM:

Controls reduce risk — they do not eliminate it. Design must align with classification and appetite. Balance security with operational sustainability.

Before selecting a control:

  • Evaluate risk.
  • Confirm asset classification.
  • Assess cost-benefit.
  • Ensure layered protection.
  • Assign ownership.
  • Plan for monitoring.

On the exam, the right answer almost always favors risk-proportional design over maximum-strength defaults.
