Control Design Selection and Analysis is the structured process of identifying, evaluating, and selecting the most appropriate controls to address specific risks — before those controls are built or deployed. It encompasses three activities: (1) Selection — choosing among preventive, detective, and corrective control options based on risk assessment results and organizational context; (2) Design — specifying how a chosen control will operate, what inputs it requires, what outputs it produces, and how it will be tested; and (3) Analysis — evaluating each candidate control's effectiveness, efficiency, feasibility, cost-benefit ratio, and alignment with risk tolerance thresholds and regulatory obligations. Control design is distinct from control implementation: design produces the blueprint; implementation builds from it. A control can be flawlessly implemented yet fundamentally ineffective if the design was wrong — which is why research consistently attributes the majority of control failures to design deficiencies rather than execution errors.
Where it stops · what it isn't
- IS: Choosing and specifying controls prior to implementation, including trade-off analysis, feasibility assessment, cost-benefit evaluation, and documentation of design rationale
- IS: Evaluation of layered control architectures combining preventive, detective, and corrective types to achieve acceptable residual risk
- IS: Analysis of control interdependencies, conflicts, and cascading effects across the control environment
- IS NOT: Control implementation — the physical or technical act of deploying a control — which is a downstream activity
- IS NOT: Control testing or effectiveness validation — that occurs post-implementation and is covered in the sibling competency 'Control Implementation Testing and Effectiveness'
- IS NOT: A taxonomy of control types and standards frameworks — covered in the sibling competency 'Control Types Standards and Frameworks'
- IS NOT: Risk identification or risk assessment — control design is a response activity that begins after risks have been assessed and treatment options determined
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Risk Response and Reporting (CRISC Domain 3)
- PRECEDES: Control Implementation Testing and Effectiveness
- DEPENDS ON: Control Types Standards and Frameworks
- RELATED TO: Risk Treatment and Response Options; Risk and Control Ownership; Managing Risk from Processes Third Parties and Emerging Sources; Risk Treatment Plans; Risk and Control Monitoring and Reporting
- CONSTRAINS: Residual Risk Acceptance