Module 28: Control Design, Selection & Analysis

CRISC Domain 3 — Risk Response and Reporting | Section B | 10–12 min read
A control that doesn’t address the root cause is decoration.
A control that costs more than the risk is misalignment.

This module focuses on disciplined control decisions.

CRISC expects you to evaluate:

  • Appropriateness
  • Proportionality
  • Cost-benefit alignment
  • Operational feasibility
  • Impact on business objectives

Control design is strategic — not reactive.


What the exam is really testing

When control selection appears, CRISC is asking:

  • Does the control reduce likelihood or impact appropriately?
  • Does it address root cause?
  • Is it aligned with risk appetite?
  • Is it cost-justified?
  • Does it conflict with business objectives?
  • Has residual risk been reassessed?

CRISC prefers structured analysis over technical enthusiasm.


Step 1: Align control to risk

Every control must connect clearly to:

  • A defined risk scenario
  • A known vulnerability
  • A measurable exposure

If the control does not reduce the likelihood or impact of that specific risk, it is misaligned.

Example:

Risk: Unauthorized privileged access
Misaligned control: Backup enhancement
Aligned control: MFA + access review

CRISC often tests misalignment traps.


Step 2: Address root cause

If an issue is recurring:

  • Is it a policy problem?
  • Is it an ownership gap?
  • Is it a monitoring weakness?
  • Is it a design deficiency?

Adding technical controls without fixing governance gaps often fails long-term.

CRISC favors systemic correction.


Step 3: Perform cost-benefit analysis

Controls should be:

  • Economically reasonable
  • Proportionate to risk
  • Sustainable operationally

If mitigation cost exceeds expected loss and residual risk is within tolerance, acceptance may be appropriate.

CRISC frequently tests over-control scenarios.


Step 4: Consider operational impact

Controls must not:

  • Undermine business objectives
  • Create excessive friction
  • Conflict with strategy
  • Introduce new risk

Example:

Overly restrictive access control that disrupts operations may create productivity risk.

CRISC values balance.


Preventive vs detective tradeoff

Sometimes:

  • Preventive control is too costly
  • Detective + corrective combination may be acceptable

Example:

Instead of full system replacement, implement monitoring and response until modernization is feasible.

CRISC tests realistic governance thinking.


Example scenario (walk through it)

Scenario:
A moderate risk is identified involving unauthorized remote access. Proposed mitigation involves deploying a costly identity platform that exceeds projected loss exposure.

What should be evaluated FIRST?

A. Immediate deployment
B. Risk avoidance
C. Cost-benefit alignment and alternative controls
D. Risk transfer

Correct answer:

C. Cost-benefit alignment and alternative controls

Controls must be proportionate and economically justified.
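The rule in Step 3 and the scenario above both come down to the same comparison: the annualized cost of a control against the annualized loss it avoids, with a separate check that residual risk lands within tolerance. The script below is an added example, not part of the module; it encodes that decision using the standard ALE = SLE × ARO quantification and constructed figures (the loss values, rates, costs, tolerance and control names are all assumptions chosen to mirror the remote-access scenario and the over-control case in Step 3). It evaluates several candidate controls for one scenario and recommends the proportionate one, or acceptance when the risk is already within tolerance and no option is cost-justified.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict


@dataclass(frozen=True)
class RiskScenario:
    name: str
    sle: float          # single loss expectancy per event (constructed figure)
    aro: float          # annualized rate of occurrence, events per year (constructed)
    tolerance: float    # maximum annualized loss management will accept (constructed)


@dataclass(frozen=True)
class ControlOption:
    name: str
    annual_cost: float              # implementation + operating cost, per year (constructed)
    likelihood_reduction: float = 0.0   # fraction of ARO the control removes (0..1)
    impact_reduction: float = 0.0       # fraction of SLE the control removes (0..1)


def inherent_ale(risk: RiskScenario) -> float:
    """Annualized loss expectancy before any control: ALE = SLE x ARO."""
    return risk.sle * risk.aro


def residual_ale(risk: RiskScenario, control: ControlOption) -> float:
    """ALE after the control: a preventive control cuts ARO, a detective or
    corrective control mostly cuts SLE; both reductions are applied here."""
    reduced_sle = risk.sle * (1.0 - control.impact_reduction)
    reduced_aro = risk.aro * (1.0 - control.likelihood_reduction)
    return reduced_sle * reduced_aro


def evaluate(risk: RiskScenario, control: ControlOption) -> Dict[str, object]:
    """Cost-benefit view of one control: is it economically justified, and does
    it leave residual risk within tolerance?"""
    before = inherent_ale(risk)
    after = residual_ale(risk, control)
    benefit = before - after                        # annual loss avoided
    return {
        "control": control.name,
        "residual_ale": after,
        "annual_benefit": benefit,
        "net_benefit": benefit - control.annual_cost,
        "cost_justified": control.annual_cost <= benefit,   # Step 3 rule
        "within_tolerance": after <= risk.tolerance,
    }


def recommend(risk: RiskScenario, options: List[ControlOption]) -> Tuple[str, Optional[str]]:
    """Pick the response: mitigate with the best proportionate control, accept
    when the risk is already within tolerance and nothing is cost-justified,
    otherwise flag that the option set needs rework (other response types,
    redesigned controls) rather than buying the most expensive option."""
    viable = [e for e in (evaluate(risk, c) for c in options)
              if e["cost_justified"] and e["within_tolerance"]]
    if viable:
        best = max(viable, key=lambda e: e["net_benefit"])
        return ("mitigate", str(best["control"]))
    if inherent_ale(risk) <= risk.tolerance:
        return ("accept", None)
    return ("reassess options", None)


# Constructed scenario mirroring the module's remote-access example.
REMOTE_ACCESS = RiskScenario("Unauthorized remote access", sle=200_000, aro=0.2, tolerance=15_000)
REMOTE_ACCESS_OPTIONS = [
    ControlOption("Costly identity platform", annual_cost=120_000, likelihood_reduction=0.9),
    ControlOption("MFA + periodic access review", annual_cost=12_000, likelihood_reduction=0.8),
    ControlOption("Monitoring + response only", annual_cost=6_000, impact_reduction=0.5),
]

# Constructed over-control case: low-impact internal data risk already within tolerance.
INTERNAL_DATA = RiskScenario("Low-impact internal data exposure", sle=5_000, aro=0.5, tolerance=10_000)
INTERNAL_DATA_OPTIONS = [
    ControlOption("Enterprise encryption program", annual_cost=50_000, impact_reduction=0.9),
]


if __name__ == "__main__":
    for risk, options in ((REMOTE_ACCESS, REMOTE_ACCESS_OPTIONS), (INTERNAL_DATA, INTERNAL_DATA_OPTIONS)):
        print(f"{risk.name}: inherent ALE {inherent_ale(risk):,.0f}, tolerance {risk.tolerance:,.0f}")
        for e in (evaluate(risk, c) for c in options):
            print(f"  {e['control']:<32} residual {e['residual_ale']:>9,.0f} "
                  f"net {e['net_benefit']:>10,.0f} justified={e['cost_justified']} "
                  f"in_tolerance={e['within_tolerance']}")
        print("  ->", recommend(risk, options))
```

The identity platform drives residual risk lowest but costs three times the inherent annual loss, so it fails the cost test; monitoring alone is cheap but leaves residual ALE above tolerance; MFA with access review passes both checks and is recommended. For the internal data case no option is cost-justified and the inherent loss is already under tolerance, so the output is acceptance, the same answer the module gives for over-control scenarios.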


Slightly harder scenario

Repeated access violations occur due to unclear access provisioning procedures. Management proposes implementing advanced monitoring software.

What is the MOST appropriate first action?

A. Deploy monitoring software
B. Redesign access governance process
C. Transfer risk to vendor
D. Increase audit frequency

Correct answer:

B. Redesign access governance process

Root cause is procedural governance weakness — not lack of monitoring.


Control layering

Strong design may include:

  • Preventive control
  • Detective control
  • Corrective capability

Layered defense increases resilience.

But layering must be justified — not redundant.

Redundant controls without risk justification may signal inefficiency.


Compensating controls analysis

When the primary control cannot be implemented:

  • Evaluate whether the compensating control reduces risk sufficiently
  • Document justification
  • Reassess residual risk
  • Monitor effectiveness

CRISC tests whether compensating controls are truly equivalent in risk reduction.


The most common exam mistakes

Candidates often:

  • Choose strongest technical control automatically
  • Ignore economic analysis
  • Overlook business impact
  • Fix symptoms, not causes
  • Forget to reassess residual risk after control implementation

CRISC evaluates structured decision-making.


Slightly uncomfortable scenario

A high-cost encryption program is implemented to address a low-impact internal data risk already within tolerance.

What governance principle is MOST relevant?

A. Excessive risk appetite
B. Poor control alignment
C. Cost-benefit misalignment
D. Weak inherent risk calculation

Correct answer:

C. Cost-benefit misalignment

Control cost must be proportionate to risk exposure.


Control effectiveness analysis

After implementation, organizations should evaluate:

  • Design effectiveness
  • Operating effectiveness
  • Impact on residual risk
  • Ongoing monitoring needs
  • Metrics for performance tracking

Without measurement, effectiveness cannot be validated.

CRISC frequently tests failure to reassess after implementation.


Quick knowledge check

1) The FIRST step in control selection should be:

A. Purchase technology
B. Align control to defined risk scenario
C. Transfer risk
D. Increase monitoring

Answer & reasoning

Correct: B

Control must align directly to the identified risk.


2) If mitigation cost exceeds expected loss and residual risk is within tolerance, the MOST appropriate response may be:

A. Avoid
B. Mitigate anyway
C. Accept
D. Escalate automatically

Answer & reasoning

Correct: C

Acceptance may be appropriate if economically justified.


3) Repeated issues usually indicate:

A. Weak inherent risk
B. Poor threat modeling
C. Root cause not addressed
D. Excessive tolerance

Answer & reasoning

Correct: C

Recurring problems suggest systemic weakness.


Final takeaway

Control design must be:

  • Risk-aligned
  • Root-cause driven
  • Cost-justified
  • Operationally feasible
  • Governance-supported
  • Measured for effectiveness

Strong controls are not always the right controls.

CRISC rewards disciplined selection — not maximum restriction.

Next module: Module 29: Control Implementation