Control Management

Control Management is a central part of risk, compliance, and security management – because it is all about making them concrete. Risk, compliance, and security won’t get you anywhere if they do not result in implemented security measures and timely execution of well-designed controls.

Control Management can be divided into four parts:



Before you start designing any control, you need to answer the following questions:

What is the control supposed to secure?

This is typically a direct or indirect result of a requirement or a risk. Ask the question “What is the challenge?”

Why is it essential?

This question is concerned with what caused the problem, rather than with the solution.

How are you able to use the result?

How will the organisation use the information, and what might it be necessary to account for? For example:

  1. That you transmit, store, and process sensitive personal information confidentially
  2. That you know the identity of all existing customers
  3. That you know how many are rejected based on background or missing legitimisation
  4. That you conduct self-regulation

After answering these questions, you know the aim, which will make the work of designing meaningful controls a lot easier.

Overall, there are three types of control:



Preventive controls aim to minimise the risk that something unwanted happens, or to prevent it altogether; seen from the other side, they can also increase the likelihood that something desirable happens.


Detecting controls provide the information and knowledge about what happens and when it happens.


Responding controls are about being prepared once an incident has happened or is happening.

Execution and documentation

When it comes to scheduled controls, the timeliness of control execution can be increased a lot by sending out automatic e-mail reminders.

You should also instruct the responsible employees that, when they fall behind on a control, they must not skip it but pick it up and complete it later. There may be many good reasons not to execute a control at the scheduled time, but following up on skipped or delayed controls is an important step in preventing a growing backlog.

Ad-hoc controls typically cannot be driven by automatic e-mail reminders. You may, however, design and schedule a manual detecting control that reviews the events of the last period and verifies that every ad-hoc control they required was correctly executed.

Your company should monitor controls and distinguish between those that were executed as planned (OK), those that failed, and those that were not executed.

If a control was not executed, this may be due to a lack of time and resources, but sometimes there are also commercially valid reasons for skipping a control, e.g., an introduction course or awareness training for new employees that was not held because no new employees were hired. Record the reason, so that a justified skip can be told apart from a control that simply fell through.
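A small Python model of the execution tracking described above, added here as an example and not taken from the original article: it classifies every scheduled occurrence as OK, FAILED, NOT_EXECUTED, SKIPPED (not executed with a documented reason) or OVERDUE (no record, so a reminder is due), lists the backlog to follow up on, and implements the manual detecting control that checks whether each ad-hoc control was executed after its trigger event. The control names, dates and the "new hire" event are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
OK, FAILED, NOT_EXECUTED = "OK", "FAILED", "NOT_EXECUTED"   # outcomes of one control run

@dataclass(frozen=True)
class Control:
    name: str
    interval_days: int = 0        # 0 = ad-hoc control, triggered by an event
    first_due: date = date.max    # first scheduled occurrence (unused for ad-hoc)
    trigger: str = ""             # event type that requires the ad-hoc control

@dataclass(frozen=True)
class Execution:
    control: str
    due: date                     # occurrence (or trigger date) this record documents
    status: str                   # OK, FAILED or NOT_EXECUTED
    reason: str = ""              # documented valid reason when NOT_EXECUTED

def scheduled_status(control, executions, today):
    # Status of every occurrence due up to today. No record -> OVERDUE (send a
    # reminder); NOT_EXECUTED with a documented reason -> SKIPPED (not backlog).
    done = {e.due: e for e in executions if e.control == control.name}
    report, due = {}, control.first_due
    while control.interval_days > 0 and due <= today:
        e = done.get(due)
        report[due] = ("OVERDUE" if e is None else
                       "SKIPPED" if e.status == NOT_EXECUTED and e.reason else e.status)
        due += timedelta(days=control.interval_days)
    return report

def backlog(control, executions, today):
    # Occurrences to follow up so the backlog does not grow: overdue, or not executed without a reason.
    return [d for d, s in scheduled_status(control, executions, today).items()
            if s in ("OVERDUE", NOT_EXECUTED)]

def adhoc_check(control, events, executions):
    # Manual detecting control: every trigger event must be followed by a successful run of the ad-hoc control.
    runs = [e.due for e in executions if e.control == control.name and e.status == OK]
    return [ev for ev in events
            if ev[1] == control.trigger and not any(r >= ev[0] for r in runs)]

# Constructed sample register (illustrative data, not from the page).
TODAY = date(2024, 4, 10)
ACCESS_REVIEW = Control("monthly access review", interval_days=30, first_due=date(2024, 1, 1))
AWARENESS = Control("new-hire awareness training", trigger="new hire")
EXECUTIONS = [Execution(ACCESS_REVIEW.name, date(2024, 1, 1), OK),
              Execution(ACCESS_REVIEW.name, date(2024, 1, 31), NOT_EXECUTED),   # no reason given
              Execution(ACCESS_REVIEW.name, date(2024, 3, 1), NOT_EXECUTED, "no access changes"),
              Execution(AWARENESS.name, date(2024, 2, 10), OK)]
EVENTS = [(date(2024, 2, 5), "new hire"), (date(2024, 3, 20), "new hire")]   # (date, event type)
```

With the sample data, the January 31 occurrence (not executed, no reason) and the March 31 occurrence (no record at all) end up in the backlog, while the March 1 skip with a documented reason does not; the March 20 hire has no training run after it and is flagged by the detecting control.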


Once a year, and whenever a significant change or incident occurs, all related controls should be reviewed.

When reviewing controls, consider the following questions:

  1. Is the aim still relevant?
  2. Does the control fulfill the requirements?
  3. Is the control efficient?
  4. Is executing the control still worthwhile, i.e., does its value justify its cost?


When you are done reviewing the controls, make sure that you report or communicate your observations and adjustments to the owners of the risks, procedures, and requirements that the controls are related to.

Focus on setting up a well-structured system for control management.

Good control management is all about simplicity, discipline, and accountability. So, are you in control or not?