cisa-d3-acquisition-development-control-identification-and-design

Control Identification and Design

isaca-cisa · framework · Production-ready

Drawn fromCISA Review Manual · ISACA peer-reviewed case sets·Reviewed May 4, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Control Identification and Design

Control Identification and Design is the systematic process of mapping an organization's business risks to specific safeguards — preventive, detective, and corrective controls — during the requirements and design phases of a system's development or acquisition lifecycle. It is a design-phase discipline, not an audit activity: controls are specified before a system is built or procured, ensuring the resulting system inherently supports compliance, security, and operational integrity. The primary output is a control matrix — a structured document linking each significant risk to one or more designed controls, their owners, evidence artifacts, and test procedures — which implementation teams build to, testers validate against, and auditors reference post-launch.

Where it stops · what it isn't

—IS: Identifying which controls are needed and specifying how they should work — a forward-looking design exercise tied to the SDLC requirements phase.
—IS: Mapping business and regulatory risks to control categories (preventive, detective, corrective) at application, database, infrastructure, and operational layers.
—IS: Producing control design documentation (control matrices, risk-to-control maps, design specifications) consumed by developers, testers, and auditors.
—IS NOT: Testing or auditing whether controls are operating effectively — that belongs to System Readiness Testing and post-implementation review.
—IS NOT: Risk assessment itself — control identification presupposes a completed or concurrent risk assessment; it responds to risk, it does not identify risk.
—IS NOT: Compliance reporting or audit evidence gathering — those are downstream activities; control design is the upstream input that makes them possible.
—IS NOT: A one-time activity — while initial identification occurs in the design phase, the control matrix is revisited when systems change, regulations update, or new risks emerge.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

PART OF

Information Systems Acquisition, Development, and Implementation (ISACA CISA Domain 3)

REQUIRES

Risk Assessment and Risk Management FundamentalsSDLC Phase Awareness (Requirements, Design, Build, Test, Deploy)

ENABLES

System Readiness and Implementation TestingImplementation Configuration and DeploymentPost-Implementation Review and Audit

RELATED TO

System Development MethodologiesInfrastructure DeploymentSystem Migration and Data Conversion

CONSTRAINS

Vendor and Third-Party System Integration

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.