Control assessments can be a hard thing to wrap your head around, especially if you’re new to the industry. Even seasoned professionals aren’t operationalizing their control assessments as well as they could. In December of 2022, we surveyed over 1,000 IT risk management and compliance operations professionals and found that control assessments were not only top-of-mind, but also one of the most manual processes respondents encountered. Four out of ten respondents felt that control testing is a very time-consuming task, which makes operationalizing it a worthwhile initiative. But before we get into that, what are control assessments, why do they matter, and how do you conduct them?

What are control assessments?

The National Institute of Standards and Technology (NIST) defines control assessments as “the testing or evaluation of the controls in an information system or an organization to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security or privacy requirements for the system or the organization.”

Put simply, control assessments are the testing of controls to ensure that they are implemented, operating, and functioning properly so an organization can meet security and privacy objectives.

What is the difference between a control assessment and a risk assessment?

A control assessment is the independent testing of the controls an organization has implemented against a framework, such as NIST CSF or ISO 27001. A risk assessment is the process of identifying potential risks and the effects they could have on the company’s operations. These can include cyber, physical, and other threats. Other examples of risks include financial, operational, strategic, compliance, economic, legal, natural disaster, and security risks. Assessing both risks and controls is vital to an organization’s security posture, but the two activities are inherently quite different. This distinction matters because some frameworks are built around risk, such as NIST RMF, while others focus more deeply on other areas. Both need to have their controls assessed so that you can be certain you’re not putting your company at risk.

What is the objective of a control assessment?

The objective of a control assessment is to pressure-test existing controls to see whether they are functioning adequately or whether they are at risk of failing and pose a threat to the company. By identifying control weaknesses, an organization can better assess its overall risk and identify areas for monitoring and improvement. Testing controls regularly — not just when it’s time for an audit — is critical because it catches failing controls before they open your company up to vulnerabilities. Internal control testing is vital for keeping an organization safe and compliant.

Why do Control Self Assessments (CSAs) matter?

Control self-assessments, performed by your own team rather than by an independent party during an audit, help ensure that your company is aware of the potential risks it faces. Internal assessments allow you to fully evaluate whether the controls in place are sufficient and whether all control weaknesses are being monitored. This helps your organization operate with risk in mind, so you can keep an eye on your weakest areas while creating a culture of security from within your company.

The 3 types of security controls

When it comes to security controls, there are three categories they can be classified into: management security, operational security, and physical security.

  1. Management security is the infrastructure of your overall control design. These controls outline the rules and regulations that your security program adheres to.
  2. Operational security is the overall effectiveness of your controls. According to LBMC, “these include access controls, authentication, and security topologies applied to networks, systems, and applications.”
  3. Physical security is the protection of employees, data, hardware, and so on from harmful physical threats. These controls may also protect the company from damage or disruption to business operations, as well as the “confidentiality, integrity, or availability of systems and/or data,” as LBMC puts it.

4 simple steps for how to conduct control assessments

There are four steps to conducting control assessments: preparing for the assessment, developing an assessment plan, conducting the assessment, and analyzing the findings.

1. Prepare for the assessment

In our 2023 IT Compliance and Risk Benchmark Report, we found that 52% of organizations test all of their controls, while 41% reserve control testing for their most critical controls to mitigate risk. Nine percent of those surveyed said they only test the controls needed for their next audit. This should be avoided, as regular internal testing is what ensures your organization is as safe from its risks as its documentation claims it is.

A graph showing how different organizations approach evidence collection for controls.

Preparation for the assessment is therefore of the utmost importance, and creating a plan for which controls are to be tested is essential. Will you be testing all controls or only the most critical ones? These are the questions your team will need to answer before proceeding.

You’ll also need to prepare the organization for control assessments, as there may be an impact on employees beyond those on your security team. A risk-informed organization helps ensure that everyone understands why the work they are asked to do in support of control testing matters.

Lastly, your team will need to prepare for testing the controls. Whether that involves a planning document, a project plan, spreadsheets to organize your efforts, or GRC software is up to your discretion.

2. Develop an assessment plan

In our 2023 IT Compliance and Risk Benchmark Survey, 70% of those surveyed said their process for identifying controls that can mitigate risks meets their company’s objectives, meaning 30% still struggle with this process. Consequently, you must develop a plan before moving forward with your assessment. This allows you to confirm that your efforts meet company objectives and expectations so there are no surprises down the line.

A graph showing how well companies are doing in performing a number of different risk management actions

It’s vital to define which controls are being assessed and to identify your control testing procedure. You may need to modify the procedure to fit your assessment, especially if you’re developing standards for organization-specific controls. From there, you can optimize procedures for efficiency. Then it’s just a matter of finalizing the plan, obtaining approval, and executing it.

3. Conduct the assessment

Our survey results also found that 43% of respondents said their internal team conducts manual control reviews and testing to confirm that their security controls are still operational.

Here, you can see additional manual tasks survey respondents struggled with:

A graph showing the recurring and time-consuming tasks companies struggle with when managing security and data privacy risks in an internal environment

This is the area where work becomes the most manual and time-consuming for your security controls assessment team. It’s tedious but important work, so it requires close attention to detail. It is also an area with room for improvement: certain software tools can test your controls automatically — which we’ll cover in more detail later.

In this phase, you measure whether each assessment objective is Satisfied (S) or Other than Satisfied (O); these are the two findings NIST SP 800-53A defines for each determination statement. If the result is Satisfied, the objective has been achieved. If it is Other than Satisfied, there are potential anomalies in the implementation or operation of the control, and further action may need to be taken.

4. Analyze the findings

Forty percent of our survey respondents said testing and validating the evidence before it’s sent to external auditors is a very time-consuming process. When the assessment is manual and inefficient, your team may struggle to put the findings into action because of burnout from completing the assessments.

This can leave teams unable to spend much time analyzing the findings and identifying key areas for improvement, which is itself a vital element of control assessments. Putting the insights into action after the assessment is the entire point of testing your controls in the first place. Yet, because of the manual nature of the work, this is where your team is most likely to run out of steam.

Why are the findings so important? They help you identify where you need to improve your current security procedures so that your company is protected as a whole from all threats, not just the ones addressed by the controls that are easiest to test. You’re only doing risk management right if all of your security controls are functioning as intended.

What “operationalizing control assessments” actually means

What do we actually mean when we talk about operationalizing control assessments? First, it means taking a different approach to compliance. Essentially, it’s about streamlining the way your people handle the control assessment process. You don’t want to work for a company where the safety team takes a non-operational approach to control assessments (or to risk management, for that matter).

But that’s exactly how a lot of compliance teams manage their risks. They run around doing a million things that look like compliance but never actually address the things people do that cause or prevent risk.

An operational approach to compliance is proactive and continuous rather than reactive and one-off. It’s about focusing on the right things, not simply checking off a list of action items — and it’s about thinking strategically and thoughtfully about compliance. There are many processes involved in control assessments, and many of them can be streamlined to save hours of work.

Operationalization means focusing on the parts of compliance no one likes talking about: controls, procedures, monitoring, auditing, and highly specific training. Fortunately, many of these parts can be automated.

But it’s not enough to simply set these processes in place — you have to align your risk and compliance activities to give you full visibility into your compliance and risk posture.

Using software to operationalize control assessments

We’ve discussed what control assessments are, why they matter, how to conduct one, and why operationalizing them matters. Now let’s talk about simple ways you can make your workflows even faster, more efficient, and more effective.

Using software to streamline control assessments helps you eliminate time spent defining and selecting control sets. With the right software, you can choose predefined controls from existing frameworks or customize your own.

Software can also help you track and remediate issues, which is a big deal. Fifty-one percent of our survey respondents said they struggle to identify where the critical risks are in order to decide which remediations to prioritize. With the time saved by testing your controls automatically, your team can see where to prioritize remediation and track everything in one place.

Continuous Controls Monitoring (CCM)

The right compliance software helps you continuously monitor your controls. By monitoring and testing controls automatically, you save the effort of manually testing the controls that don’t need it, which frees up time for the controls that do.

Issues management

With the right compliance operations platform, you can create, assign, and track issues from within the platform to streamline remediation even further. Plus, you can manage everything in one place, so you’re not navigating multiple systems just to perform your control assessments.

Project management tools

With a holistic compliance platform, you can monitor progress on the overall control assessment project by using a dashboard to track evaluations, issues, and overall project timelines. Dashboards are also convenient to share with leadership and other stakeholders, as they allow everyone to see how audit and control assessments are progressing.

Operationalizing control assessments isn’t hard with the right tools

Eliminating manual processes will help your team build a more efficient process for testing controls, relieving stress and increasing their overall capacity. Whether or not you already have a complete view of your risks and controls, making accurate and timely assessments is important for your overall compliance posture — and if you’re operationalizing your control assessments and unifying risk and compliance, you’re in a better position to keep your company safe. Ready to get started with the right control assessments tool for your company? Schedule a demo with Hyperproof today.
