Module 27: Control Types, Standards & Frameworks
Most people think of controls as tools or technologies. CRISC thinks of them as structured responses to risk. Domain 3 Section B tests whether you can:
- Select appropriate control types
- Align controls to risk
- Design controls proportionate to exposure
- Integrate standards and frameworks
- Avoid over-control or under-control
The exam tests structured, risk-aligned control thinking — not product knowledge.
What the exam is really testing
When control design appears, CRISC is asking:
- Does the control address the root cause?
- Is it aligned to risk appetite?
- Is it cost-effective?
- Is it properly categorized?
- Is it integrated into governance frameworks?
- Is it preventive, detective, or corrective?
Controls must be intentional — not reactive.
Control categories
You must distinguish these clearly.
Preventive controls
Designed to stop an event from occurring.
Examples:
- Access controls
- Encryption
- Segmentation
- Authentication requirements
- Segregation of duties
Preventive controls reduce likelihood.
Detective controls
Identify events after they occur.
Examples:
- Logging
- Monitoring
- Alerts
- Reconciliation reviews
- SIEM analysis
Detective controls reduce impact by enabling early response.
Corrective controls
Restore systems after an event.
Examples:
- Backups
- Disaster recovery plans
- Incident response procedures
- Patch remediation
Corrective controls reduce duration and severity.
Directive vs compensating controls
Directive controls
Provide guidance and direction.
Examples:
- Policies
- Standards
- Procedures
- Awareness training
They shape behavior.
Compensating controls
Alternative controls used when primary controls are not feasible.
Example:
If encryption cannot be implemented, strong segmentation and monitoring may compensate.
CRISC often tests proper justification and documentation of compensating controls.
Administrative, technical, physical
Another way controls are classified:
- Administrative (policies, procedures, training)
- Technical (system-based controls)
- Physical (locks, surveillance, facility security)
CRISC may test classification understanding — not memorization.
The most common exam mistakes
The most common trap is reaching for the strongest technical control without asking whether it addresses the root cause or whether it is even cost-justified. Another frequent miss: forgetting that policies and procedures are controls too. If the question describes a governance gap, a new firewall is probably not the answer. CRISC emphasizes proportionality.
Control design principles
Effective control design should be:
- Risk-based
- Cost-effective
- Measurable
- Aligned with business objectives
- Integrated into ERM
- Supported by governance
Control selection must reflect residual risk evaluation.
Example scenario (walk through it)
Scenario:
Repeated unauthorized access incidents occur due to weak password practices.
What is the MOST effective preventive control?
A. Strengthen password policy and enforce multi-factor authentication
B. Increase logging
C. Improve backup procedures
D. Purchase cyber insurance
Correct answer:
A. Strengthen password policy and enforce multi-factor authentication
This addresses the root cause and reduces likelihood.
Try this one
An organization cannot implement full disk encryption due to legacy system limitations. Management implements network segmentation, enhanced monitoring, and strict access control as alternatives.
This represents:
A. Avoidance
B. Corrective control
C. Compensating control
D. Risk transfer
Correct answer:
C. Compensating control
Alternative controls compensate for the unavailable primary control.
Control standards and frameworks
CRISC does not require memorizing framework details, but it expects you to recognize that controls should align to established frameworks such as:
- Enterprise governance frameworks
- Industry security standards
- Regulatory control requirements
Framework alignment supports:
- Consistency
- Audit readiness
- Aggregation
- Governance maturity
If controls are ad hoc and undocumented, governance is weak.
Over-control vs under-control
Over-control:
- Excessive restrictions
- Reduced business agility
- High operational cost
- Poor user adoption
Under-control:
- Excessive exposure
- Regulatory non-compliance
- Reputational risk
CRISC prefers balanced, risk-aligned design.
Control effectiveness
Control design must consider:
- Design effectiveness (Is it well designed?)
- Operating effectiveness (Is it functioning properly?)
- Monitoring mechanisms
- Validation testing
A well-designed but poorly operated control does not reduce residual risk effectively.
Here’s where it gets tricky
A high-cost control significantly reduces a low-impact risk that already falls within tolerance.
What governance principle is MOST relevant?
A. Excessive appetite
B. Poor threat modeling
C. Weak BIA
D. Cost-benefit misalignment
Correct answer:
D. Cost-benefit misalignment
Controls must be economically justified.
Quick knowledge check
1) Which control type is designed to reduce likelihood before an event occurs?
A. Corrective
B. Preventive
C. Detective
D. Compensating
Answer & reasoning
Correct: B
Preventive controls aim to stop events from occurring.
2) Which is an example of a detective control?
A. Encryption
B. Log monitoring
C. Multi-factor authentication
D. Segregation of duties
Answer & reasoning
Correct: B
Monitoring identifies events after they occur.
3) When a primary control cannot be implemented and an alternative is used, this is:
A. Risk avoidance
B. Risk transfer
C. Corrective action
D. Compensating control
Answer & reasoning
Correct: D
Compensating controls substitute for unavailable primary controls.
Final takeaway
Control design must be:
- Root-cause aligned
- Risk-based
- Proportionate
- Cost-effective
- Framework-aligned
- Governed and monitored
Preventive reduces likelihood. Detective reduces duration and impact. Corrective restores. Compensating substitutes. Know which is which, and more importantly, know when each is the right fit for a given scenario.