Domain 3 – Section B Review: Control Design & Implementation

CRISC Domain 3 — Risk Response and Reporting | Section B Review | 20–25 min
Controls reduce risk only when they are designed correctly, implemented properly, and tested objectively.

Section B evaluates whether you can:

  • Choose appropriate control types
  • Align controls to root cause
  • Perform cost-benefit analysis
  • Integrate change management
  • Validate effectiveness
  • Reassess residual risk

This review blends all of those.


10 scenario-based questions


Question 1

A control is implemented to reduce unauthorized access risk. It is properly documented but has not yet been tested.

What is the PRIMARY governance concern?

A. Weak inherent risk
B. Lack of effectiveness validation
C. Excessive appetite
D. Poor threat modeling

Answer & reasoning

Correct: B

Implementation does not guarantee effectiveness. Testing is required.


Question 2

A preventive control is too costly relative to the expected loss of the risk it addresses. Residual risk remains within tolerance.

What is the MOST appropriate action?

A. Implement anyway
B. Escalate immediately
C. Accept risk formally
D. Avoid activity

Answer & reasoning

Correct: C

Controls must be economically justified.


Question 3

An access review control is well designed but performed inconsistently.

This represents:

A. Design deficiency
B. Operating deficiency
C. Inherent risk
D. Compensating control

Answer & reasoning

Correct: B

The design is sound; the deficiency lies in how the control is executed in operation.


Question 4

A monitoring tool is implemented to address repeated policy violations, but the root cause is unclear accountability.

What is the MOST significant issue?

A. Weak threat modeling
B. Misaligned control selection
C. Excessive mitigation
D. High inherent risk

Answer & reasoning

Correct: B

Controls must address the root cause, not just the symptoms.


Question 5

A compensating control is implemented because the primary control is not technically feasible.

What must occur NEXT?

A. Close the risk
B. Document justification and reassess residual risk
C. Escalate to regulator
D. Increase inherent risk rating

Answer & reasoning

Correct: B

Compensating controls require documentation and reassessment.


Question 6

A new control is deployed without following change management procedures. Business disruption occurs.

What governance principle was MOST directly violated?

A. Risk appetite alignment
B. Structured implementation discipline
C. Threat landscape monitoring
D. Risk aggregation

Answer & reasoning

Correct: B

Implementation must follow formal change processes.


Question 7

Testing reveals that a control no longer covers expanded business operations.

What type of weakness exists?

A. Operating deficiency
B. Design deficiency due to scope change
C. Excessive appetite
D. Weak inherent risk

Answer & reasoning

Correct: B

Control design must evolve with business changes.


Question 8

A corrective control is implemented to restore systems after failure. Which control type is this?

A. Preventive
B. Detective
C. Directive
D. Corrective

Answer & reasoning

Correct: D

Corrective controls restore operations after events occur.


Question 9

Residual risk is not updated after control testing reveals weaknesses.

What is the PRIMARY governance concern?

A. Weak inherent risk
B. Failure to reassess exposure
C. Excessive mitigation
D. Poor BIA

Answer & reasoning

Correct: B

Residual risk must reflect actual control effectiveness.


Question 10

Multiple overlapping controls are implemented without evaluating redundancy or operational impact.

What governance issue may result?

A. Excessive appetite
B. Over-control and inefficiency
C. Weak inherent risk
D. Poor risk identification

Answer & reasoning

Correct: B

Controls must be proportionate and efficient.


Section B master pattern

When answering Domain 3 Section B questions:

  • Align controls to root cause.
  • Choose proportionate solutions.
  • Justify cost-benefit.
  • Follow change management.
  • Validate design and operating effectiveness.
  • Reassess residual risk after testing.
  • Escalate when control failures increase exposure.
  • Avoid redundant or excessive controls.

If you assume “more control = better governance,” you will miss nuance.

CRISC rewards disciplined control lifecycle management.
