cc5-1 (High priority) Security / Control Activities

Control activities are selected and developed to mitigate risks

Controls must be chosen and designed with specific risks in mind. A control that exists without a clear risk it is mitigating is administrative overhead; a risk without a control is an unaddressed gap. This criterion requires evidence that your controls are deliberately selected to address identified risks — not just a collection of best practices applied without thought.

Complete first: cc3-2

Implementation steps

  1. Map controls to risks in your risk register

     For each risk in your risk register that you have chosen to mitigate, document the specific control(s) that address it. This mapping is often done in a spreadsheet alongside the risk register. The mapping does not need to be elaborate, but it must be explicit: 'Risk: unauthorized database access. Control: database access requires VPN + MFA + role-based permissions.'

     Suggested tools: google-sheets, notion, confluence, vanta, drata

  2. Document control design for key controls

     For each significant control, write a brief description of how it works: the control objective, who performs it, how often, and how effectiveness is verified. This documentation is what auditors use to understand your control environment. Without it, even well-designed controls are hard to audit.

     Suggested tools: confluence, notion, google-docs

  3. Review control design annually for continued relevance

     Controls that addressed risks five years ago may not address the same risks today. As part of your annual risk assessment, review whether existing controls are still appropriate for current risks. Remove controls that address risks you no longer carry. Add controls for new risks. Document the review.

     Suggested tools: notion, confluence, google-sheets

Evidence required

Risk-to-control mapping

Documentation linking each mitigated risk to the specific controls that address it.

  • Risk register with a control column showing mapped controls
  • Control matrix mapping risks to control IDs
  • Security architecture document with threat-to-control mapping

Control design documentation

Descriptions of how key controls are designed and operated.

  • Control narrative document for the SOC 2 description section
  • Security runbooks describing control operation
  • Policy documents with control procedures

Related controls