Module 27: Control Types, Standards & Frameworks

CRISC Domain 3 — Risk Response and Reporting, Section B (10–12 min read)
A control is not a tool.
It is a structured response to risk.

Domain 3 Section B tests whether you can:

  • Select appropriate control types
  • Align controls to risk
  • Design controls proportionate to exposure
  • Integrate standards and frameworks
  • Avoid over-control or under-control

CRISC rewards structured, risk-aligned control design.


What the exam is really testing

When control design appears, CRISC is asking:

  • Does the control address the root cause?
  • Is it aligned to risk appetite?
  • Is it cost-effective?
  • Is it properly categorized?
  • Is it integrated into governance frameworks?
  • Is it preventive, detective, or corrective?

Controls must be intentional — not reactive.


Control categories

You must distinguish these clearly.


Preventive controls

Designed to stop an event from occurring.

Examples:

  • Access controls
  • Encryption
  • Segmentation
  • Authentication requirements
  • Segregation of duties

Preventive controls reduce likelihood.


Detective controls

Identify events after they occur.

Examples:

  • Logging
  • Monitoring
  • Alerts
  • Reconciliation reviews
  • SIEM analysis

Detective controls reduce impact by enabling early response.


Corrective controls

Restore systems after an event.

Examples:

  • Backups
  • Disaster recovery plans
  • Incident response procedures
  • Patch remediation

Corrective controls reduce duration and severity.


Directive vs compensating controls


Directive controls

Provide guidance and direction.

Examples:

  • Policies
  • Standards
  • Procedures
  • Awareness training

They shape behavior.


Compensating controls

Alternative controls used when primary controls are not feasible.

Example:

If encryption cannot be implemented, strong segmentation and monitoring may compensate.

CRISC often tests proper justification and documentation of compensating controls.


Administrative, technical, physical

Another way controls are classified:

  • Administrative (policies, procedures, training)
  • Technical (system-based controls)
  • Physical (locks, surveillance, facility security)

CRISC may test classification understanding — not memorization.


The most common exam mistakes

Candidates often:

  • Deploy technical controls without addressing root cause.
  • Choose mitigation without cost-benefit consideration.
  • Implement controls that conflict with business objectives.
  • Ignore control effectiveness validation.
  • Forget that policies are controls.

CRISC emphasizes proportionality.


Control design principles

Effective control design should be:

  • Risk-based
  • Cost-effective
  • Measurable
  • Aligned with business objectives
  • Integrated into ERM
  • Supported by governance

Control selection must reflect residual risk evaluation.


Example scenario (walk through it)

Scenario:
Repeated unauthorized access incidents occur due to weak password practices.

What is the MOST effective preventive control?

A. Increase logging
B. Strengthen password policy and enforce multi-factor authentication
C. Improve backup procedures
D. Purchase cyber insurance

Correct answer:

B. Strengthen password policy and enforce multi-factor authentication

This addresses the root cause and reduces likelihood.


Slightly harder scenario

An organization cannot implement full disk encryption due to legacy system limitations. Management implements network segmentation, enhanced monitoring, and strict access control as alternatives.

This represents:

A. Avoidance
B. Corrective control
C. Compensating control
D. Risk transfer

Correct answer:

C. Compensating control

Alternative controls compensate for the unavailable primary control.


Control standards and frameworks

CRISC does not require memorizing framework details.

But it expects you to recognize that controls should align to established frameworks such as:

  • Enterprise governance frameworks
  • Industry security standards
  • Regulatory control requirements

Framework alignment supports:

  • Consistency
  • Audit readiness
  • Aggregation
  • Governance maturity

If controls are ad hoc and undocumented, governance is weak.


Over-control vs under-control

Over-control:

  • Excessive restrictions
  • Reduced business agility
  • High operational cost
  • Poor user adoption

Under-control:

  • Excessive exposure
  • Regulatory non-compliance
  • Reputational risk

CRISC prefers balanced, risk-aligned design.


Control effectiveness

Control design must consider:

  • Design effectiveness (Is it well designed?)
  • Operating effectiveness (Is it functioning properly?)
  • Monitoring mechanisms
  • Validation testing

A well-designed but poorly operated control does not reduce residual risk effectively.


Slightly uncomfortable scenario

A high-cost control significantly reduces a low-impact risk that already falls within tolerance.

What governance principle is MOST relevant?

A. Excessive appetite
B. Poor threat modeling
C. Cost-benefit misalignment
D. Weak BIA

Correct answer:

C. Cost-benefit misalignment

Controls must be economically justified.
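The proportionality rules from this section (a control's type decides which risk dimension it reduces, and spending on a risk already within tolerance is cost-benefit misalignment) carried through as a small Python evaluation. This is an added illustration, not ISACA or module material; the likelihood-times-impact annualized-loss model, the tolerance threshold and the sample figures are assumptions made here so the rules can be computed.

```python
from dataclasses import dataclass

# Constructed example for this module, not ISACA material: the annualized-loss
# model (likelihood x impact, compared with a tolerance) is an assumption
# used to make the module's proportionality rules computable.

@dataclass
class Risk:
    name: str
    likelihood: float  # expected events per year
    impact: float      # expected loss per event
    tolerance: float   # maximum acceptable annualized loss

    def annualized_loss(self) -> float:
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    kind: str          # "preventive", "detective" or "corrective"
    reduction: float   # fraction (0..1) removed from the dimension it affects
    annual_cost: float

def residual(risk: Risk, control: Control) -> Risk:
    """Preventive controls cut likelihood; detective and corrective controls
    cut impact (earlier response, shorter duration)."""
    if control.kind == "preventive":
        return Risk(risk.name, risk.likelihood * (1 - control.reduction),
                    risk.impact, risk.tolerance)
    if control.kind in ("detective", "corrective"):
        return Risk(risk.name, risk.likelihood,
                    risk.impact * (1 - control.reduction), risk.tolerance)
    raise ValueError(f"unknown control kind: {control.kind}")

def evaluate(risk: Risk, control: Control) -> str:
    """Return the exam-style verdict on a proposed control."""
    if risk.annualized_loss() <= risk.tolerance:
        # The "slightly uncomfortable scenario": spending on a risk already
        # within tolerance is over-control, a cost-benefit misalignment.
        return "over-control: risk already within tolerance"
    after = residual(risk, control)
    benefit = risk.annualized_loss() - after.annualized_loss()
    if benefit < control.annual_cost:
        return "cost-benefit misalignment: control costs more than it saves"
    if after.annualized_loss() > risk.tolerance:
        return "under-control: residual risk still exceeds tolerance"
    return "justified: residual risk within tolerance at acceptable cost"
```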


Quick knowledge check

1) Which control type is designed to reduce likelihood before an event occurs?

A. Corrective
B. Detective
C. Preventive
D. Compensating

Answer & reasoning

Correct: C

Preventive controls aim to stop events from occurring.


2) Which is an example of a detective control?

A. Encryption
B. Multi-factor authentication
C. Log monitoring
D. Segregation of duties

Answer & reasoning

Correct: C

Monitoring identifies events after they occur.


3) When a primary control cannot be implemented and an alternative is used, this is:

A. Risk avoidance
B. Compensating control
C. Corrective action
D. Risk transfer

Answer & reasoning

Correct: B

Compensating controls substitute for unavailable primary controls.


Final takeaway

Control design must be:

  • Root-cause aligned
  • Risk-based
  • Proportionate
  • Cost-effective
  • Framework-aligned
  • Governed and monitored

Preventive reduces likelihood.
Detective reduces duration and impact.
Corrective restores.
Compensating substitutes.

CRISC rewards structured control thinking — not tool deployment.

Next module: Module 28: Control Design, Selection & Analysis