
2.3 Current State of Controls

  • It is very important for a risk practitioner to determine the current state of controls before making any recommendation. Regular review of the IT risk and control environment helps to determine the current position.

  • A gap analysis is done to determine the gap between the desired state of control and the current state. It identifies the disparity and helps to determine the further controls needed to bridge it.

  • A risk practitioner can determine the current state of controls by evaluating the following documents and procedures:

      • Risk Assessment

      • Audit Reports & Third-Party Assurance

      • Business Continuity and Disaster Recovery Plans

      • Capability Maturity Models

      • Control Self-Assessment

      • Incident Reporting Procedure and Logs

      • Vulnerability Assessment and Penetration Testing

Let us discuss each in detail:

Risk Assessment

  • Risk assessment is the process to identify and evaluate the risk and its potential impact.

  • The main objectives of performing a risk assessment are:

      • To determine the current state of risk

      • To justify and implement a risk mitigation strategy

  • Risk assessment should be performed at frequent intervals to address changes in business processes and new threats.

Audit Reports

  • Audit is an evidence-based verification process and helps to determine the effectiveness, efficiency and adequacy of current controls.

  • Review of audit reports helps the risk practitioner to understand the internal control system of the organization.

  • It is the responsibility of the system auditor to provide continuous feedback to senior management about the effectiveness of internal controls within the organization.

Business Continuity Plan

  • The objective of the business continuity plan (BCP) is to prepare the organization for continuity of critical processes during a disaster. In the absence of a well-documented business continuity plan, a disaster can adversely impact the business processes. Thus, the BCP helps an organization to survive a disastrous interruption.

  • The disaster recovery plan (DRP) addresses the IT capability needed to support the business continuity and recovery objectives.

  • Both BCP and DRP should be kept updated and tested at periodic intervals for continuous improvement.

Business Impact Analysis

  • Business Impact Analysis (BIA) determines the critical business processes by analyzing the impact of disaster on each process.

  • BIA is the process of identifying the processes whose disruption would have the greatest impact on the business. It determines which processes must be recovered on priority to ensure the organization's survival.

  • For determining business impact, two independent cost factors are to be considered. The first is the downtime cost; examples include drop in sales, cost of idle resources, interest cost etc. The second is the cost of alternative corrective measures, such as activation of the BCP and other recovery costs.

  • Once the business impact is available for each process, it is important to prioritize the processes which need to be recovered at the earliest. This criticality analysis should be performed in coordination with IT and business users.

  • Business process owners possess most relevant information about processes and hence they are considered as the best source for determining criticality of the process.

  • Once the critical assets are determined through BIA, the next step is to develop a recovery strategy that ensures that critical assets are recovered at the earliest to minimize the impact of disaster. Recovery strategy is primarily influenced by business impact analysis.

  • The prime criterion for determining the severity of a service disruption is the period for which the system will remain down. The longer the system downtime, the higher the severity of the disruption.
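The BIA steps above (two cost factors, prioritization by impact, severity by downtime) as a worked calculation. This is an added example, not part of the CRISC notes: the process names, owners, cost figures and the hour thresholds used for the severity bands are all constructed for illustration. It also shows the point a practitioner should watch for: a process that is "critical" by downtime alone (the wiki, down for days) can still rank last for recovery once both cost factors are counted.

```python
# Added example (not from the CRISC notes): ranking processes for recovery
# using the two BIA cost factors the notes describe, downtime cost and
# recovery cost. Process names, owners and all figures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    owner: str                      # business process owner who supplied the figures
    downtime_cost_per_hour: float   # drop in sales, idle resources, interest etc.
    recovery_cost: float            # BCP/DRP activation and other recovery costs
    expected_downtime_hours: float  # outage duration assumed for this scenario


def business_impact(p: BusinessProcess) -> float:
    """Impact of one disruption = downtime cost for the outage + recovery cost."""
    return p.downtime_cost_per_hour * p.expected_downtime_hours + p.recovery_cost


def severity(p: BusinessProcess) -> str:
    """Severity band driven only by how long the system stays down.
    The hour thresholds are constructed for this example."""
    hours = p.expected_downtime_hours
    if hours >= 24:
        return "critical"
    if hours >= 8:
        return "high"
    if hours >= 2:
        return "medium"
    return "low"


def prioritize(processes):
    """Recovery order: highest business impact first; ties broken by the longer
    outage, then by name so the ranking is deterministic."""
    ranked = sorted(
        processes,
        key=lambda p: (-business_impact(p), -p.expected_downtime_hours, p.name),
    )
    return [(p.name, business_impact(p), severity(p)) for p in ranked]


# Constructed sample BIA input, as business process owners might report it.
SAMPLE_PROCESSES = [
    BusinessProcess("Online order processing", "Head of Sales", 5000.0, 20000.0, 12.0),
    BusinessProcess("Payroll", "HR Manager", 200.0, 5000.0, 48.0),
    BusinessProcess("Internal wiki", "IT Manager", 50.0, 500.0, 72.0),
    BusinessProcess("Payment gateway", "Finance Controller", 12000.0, 30000.0, 4.0),
]

if __name__ == "__main__":
    for name, impact, sev in prioritize(SAMPLE_PROCESSES):
        print(f"{name:<26} impact={impact:>10,.0f}  downtime severity={sev}")
```

Running the script lists the recovery order: order processing (80,000) ahead of the payment gateway (78,000), then payroll and the wiki. The wiki carries a "critical" downtime band yet the lowest impact, which is why the notes insist that criticality is decided with the business process owners and not from outage length alone.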

Capability Maturity Models

  • Capability maturity models are useful to determine the maturity level of the risk management process.

  • The following table indicates the different maturity levels of an organization:

Maturity Level: Description

0 - Incomplete: The process is not implemented or does not achieve its intended purpose.

1 - Performed: The process achieves its intended purpose.

2 - Managed: The process achieves its intended purpose, and it is also appropriately planned, monitored and controlled.

3 - Established: The process achieves its intended purpose, it is appropriately planned, monitored and controlled, and there is a well-defined, documented and established process to manage it.

4 - Predictable: The process is predictable and operates within defined parameters and limits to achieve its intended purpose.

5 - Optimized: The process is continuously improved to meet current as well as projected goals.

  • The capability maturity model (CMM) rates processes on a scale of 0 to 5 according to their maturity level. CMM is the most common method applied by organizations to measure their existing state and then to determine the desired one.

  • Maturity models identify the gaps between the current state of process and the desired state to help the organization to determine necessary remediation steps for improvement.

  • The capability maturity model is the best technique to enable a peer review of an organization's risk management process.

  • A capability maturity model requires an organization to have defined and reliable processes that it follows consistently and continuously seeks to improve.

  • A mature organization is much more likely to prevent incidents, detect incidents sooner and recover rapidly from incidents.

  • A maturity model determines the current status as against the desired level and thus is most helpful for improvement of the risk management process.

  • Level of performance is the most important factor when using a capability maturity model. Performance is achieved when the objective of the implemented process is met.

Control Tests

  • Through control testing, a risk practitioner can evaluate the effectiveness, efficiency and adequacy of control and advise the risk owner of any gap identified.

  • A threat and vulnerability assessment involves evaluating the business process for threats and vulnerabilities and identifies the likelihood of occurrence and impact on business processes.

  • Risk assessment techniques are used to evaluate and implement a risk mitigation strategy as efficiently as possible.

Incident Reports

  • Risk practitioners should evaluate the incident management procedure to determine the current state of controls.

  • Incident management process includes awareness amongst staff for incident reporting, analysis and root cause analysis for the incidents, corrective as well as preventive actions, appropriate training for the response team etc.

  • The main objective of the incident management process is to minimize the impact of an incident by getting the affected systems and processes back into normal service at the earliest.

  • Qualitative analysis of threat will help to design an effective incident response plan. Knowledge of type, kind and impact of the incident will be of great help for incident response efforts.

Enterprise Architecture

  • Enterprise architecture (EA) provides the current state of IT along with the future strategy and vision.

  • The risk practitioner should determine the maturity of the enterprise architecture. Where EA is either immature or absent, the risk practitioner must place greater emphasis on technology-specific risk assessment and compatibility.


Log Files

  • Log files should be properly protected, since they are of immense help during forensics.

  • Maintenance of log files should follow appropriate segregation of duties. Logs should be available in read-only mode, i.e. write, edit and delete should be prohibited.

  • It is important to ensure that regulatory requirements are complied with. The organization may be fined for non-compliance and for failing to properly track regulation-related transactions.
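A check a risk practitioner could run to verify the log protection control described above. This is an added example, not part of the CRISC notes; the model it assumes is that the logging service account owns the file and is the only writer, a review group has read access, everyone else has none, and the parent directory does not let others delete or rename the file (delete and rename rights live on the directory, not the file). The finding codes, the temporary file and the sample log line are constructed. The logging service still has to append, so the prohibition on write, edit and delete is enforced against every other user through the mode bits; the Linux append-only attribute (`chattr +a`) is a further hardening that this check does not inspect.

```python
# Added example (not from the CRISC notes): a permission audit for a log
# file that mirrors the control described above. Assumed model: the logging
# service account owns the file and is the only writer, a review group has
# read access, everyone else has none, and the parent directory does not
# let others delete or rename the file. Finding codes and the sample log
# line are constructed for this example.
import os
import stat
import tempfile


def audit_log_file(path: str) -> list:
    """Return a list of finding codes; an empty list means the file passes."""
    findings = []
    st = os.lstat(path)                       # lstat: a symlink must not pass as the log
    if not stat.S_ISREG(st.st_mode):
        findings.append("not-regular-file")
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append("world-writable")     # anyone can edit or truncate entries
    if mode & stat.S_IWGRP:
        findings.append("group-writable")     # reviewers could alter what they review
    if mode & stat.S_IROTH:
        findings.append("world-readable")     # logs often carry sensitive detail
    # Delete/rename rights are directory permissions: a world-writable
    # directory without the sticky bit lets anyone remove the log file.
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    dmode = stat.S_IMODE(parent.st_mode)
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append("dir-world-writable")
    return findings


def demo():
    """Create a constructed log file and audit it with weak, then hardened, modes."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)                    # directory readable, not world-writable
        path = os.path.join(d, "app.log")
        with open(path, "w") as fh:
            fh.write("2024-01-01T00:00:00Z INFO constructed sample log line\n")
        os.chmod(path, 0o666)                 # weak: anyone may write and read
        weak = audit_log_file(path)
        os.chmod(path, 0o640)                 # hardened: owner writes, group reads
        hardened = audit_log_file(path)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print("mode 0666 findings:", weak or "none")
    print("mode 0640 findings:", hardened or "none")
```

The weak mode produces three findings (world-writable, group-writable, world-readable) and the hardened mode none. Segregation of duties follows from the ownership model rather than from the bits alone: the reviewers' accounts belong to the read group and never to the service account that owns the file.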

Media Reports

  • Media reports provide a useful source of information about industry-level threats or incidents.


  • The risk practitioner should ensure that the organization has capability to track the media communication impacting the organization or its employees, customers or business partners. 

  • Organization should have a well-defined and documented policy to respond to a threat mentioned in the media impacting the organization.

Self-Assessments

  • Control self-assessment requires the involvement of the line managers in monitoring risk and control effectiveness within their areas of responsibility.

  • Control self-assessment provides assurance about control effectiveness and may also reduce the need for more intense audits.

Third Party Assurance

  • Third-party assurance in the form of reviews, audits and compliance verification provides an independent source of information about the current state of controls.

  • When a service is outsourced, the first step for a risk practitioner is to validate that all the required security clauses are addressed in the service level agreement.

User Feedback

  • Feedback from system users helps to determine the risk and control environment of the system.

Vendor Reports

  • Computer emergency response teams (CERTs) and other security vendors provide inputs on current threats and vulnerabilities, new types of malware and emerging attack methods. These inputs are of immense help in making the control environment more stringent.

Vulnerability Assessments and Penetration Testing

  • VAPT reports are a reliable means of estimating the level of IT risk in the organization.

  • Penetration tests should be conducted at regular intervals and also after a major infrastructure change, as changes in the infrastructure are likely to introduce new vulnerabilities.

  • In a black box testing scenario, the tester is provided with limited or no knowledge of the target's information systems. Inappropriate plan and timing of the attack may cause the system to fail. It is very important that the tester is well experienced and aware of the clear scope of the test.

Key aspects from CRISC exam perspective

CRISC Question / Possible Answer

Q: In which type of assessment is a risk scenario used to estimate the likelihood and impact of risk?
A: Threat and vulnerability assessment

Q: What is the objective of Business Impact Analysis?
A: To determine criticality of business processes to plan recovery strategy

Q: Most valuable input to improve the incident response efforts is
A: Knowledge about threats

Q: Measuring the existing level of risk management processes against their desired state is best done through
A: Capability Maturity Model

Q: Objective of maturity models
A: Constant improvement in risk management process

Q: Most important criterion to evaluate the process when using a capability maturity model
A: Level of performance (whether the objective of the implemented process is met)

Q: Capability maturity model (CMM) is based on
A: Standard, repeatable and measurable processes

Q: Risk is measured as
A: Impact on business operations

Q: Why is risk assessment conducted at frequent intervals?
A: Constant change in risk scenarios and threats

Q: Objective of gap analysis
A: To determine control deficiencies (i.e. the gap between desired control objectives and actual controls available)

Q: Main objective of performing a risk assessment
A: To determine the current state of risk

Q: Best frequency for risk evaluation
A: Annually or when there is a significant change

Q: Responsibility of data classification resides with
A: Data Owner

Q: Document which includes details of the risk and the corrective actions
A: Risk Register

Q: Most important factor for log management
A: To comply with regulation

Q: Penetration test is to be best performed
A: Annually and also after major infrastructure changes

Q: Major risk of black box testing
A: Inappropriate plan and timing of the attack may cause the system to fail.

Q: Most important aspect of black box testing
A: It is very important that the tester is well experienced and aware about the clear scope of the test.
