SOC2-CC5-CONTROL-DESIGN
Control Selection and Design Process
What this control does
Documented process for selecting, designing, and implementing controls in response to identified risks.
Implementation guidance
For each risk in your risk register, document the control(s) selected to address it and why. Use a control framework (SOC 2 TSC, NIST CSF) as a reference. Review control coverage annually as part of the risk assessment cycle.
Requirements satisfied
Why it matters
Without a documented process for linking risks to controls, organizations either over-engineer solutions (wasting resources) or leave gaps in coverage (exposing critical assets). Auditors and regulators expect to see explicit traceability showing *which control* mitigates *which risk* and *why that control was chosen*, creating accountability and enabling informed risk acceptance decisions.
Evidence to collect
- Risk register with control mappings showing risk ID, risk description, assigned control(s), and design rationale
- Control design specification document (e.g., per-control SOP or control matrix) defining scope, responsibility, frequency, and success criteria
- Documented annual risk assessment and control review meeting minutes or sign-off confirming coverage re-evaluation
- Framework reference document (SOC 2 TSC, NIST CSF excerpt, or custom framework) used as basis for control selection
Testing procedure
Auditor selects 5–8 risks from the risk register and verifies the corresponding control design document includes: (1) risk description and inherent risk rating, (2) selected control(s) with justification, (3) control design specification (e.g., frequency, scope, responsible party), and (4) evidence of annual review or update. Confirm the chosen controls actually address the stated risk threat vectors rather than treating symptoms.
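The four checks above, plus the threat-vector coverage check, as an added example that is not part of this control text: a script run over a constructed risk register, with the field names and sample entries assumed for illustration.

```python
"""Constructed example: checks risk-to-control traceability against the four auditor criteria."""
from datetime import date, timedelta
# Constructed sample register: hypothetical risks and controls, not real findings.
RISK_REGISTER = [
    {"risk_id": "R-001", "description": "Unauthorized access to production DB",
     "inherent_rating": "High", "threat_vectors": {"credential-theft", "privilege-escalation"},
     "controls": [{"control_id": "AC-02", "justification": "MFA blocks stolen-password logins",
                   "frequency": "continuous", "scope": "all prod accounts", "responsible": "IAM team",
                   "addresses": {"credential-theft"}, "last_reviewed": "2024-03-01"}]},
    {"risk_id": "R-002", "description": "Backup media lost in transit",
     "inherent_rating": "Medium", "threat_vectors": {"physical-loss"},
     "controls": [{"control_id": "SC-28", "justification": "",
                   "frequency": "daily", "scope": "offsite backups", "responsible": "",
                   "addresses": {"physical-loss"}, "last_reviewed": "2022-01-15"}]},
    {"risk_id": "R-003", "description": "Phishing of finance staff",
     "inherent_rating": "High", "threat_vectors": {"phishing"}, "controls": []},
]
DESIGN_FIELDS = ("frequency", "scope", "responsible")

def check_risk(risk, today):
    """Return the gaps found for one risk; an empty list means it passes."""
    gaps = []
    if not risk.get("description") or not risk.get("inherent_rating"):
        gaps.append("missing description or inherent risk rating")  # criterion 1
    controls = risk.get("controls", [])
    if not controls:
        gaps.append("no control mapped")  # criterion 2
    covered = set()
    for c in controls:
        if not c.get("justification"):
            gaps.append(f"{c['control_id']}: no selection justification")  # criterion 2
        missing = [f for f in DESIGN_FIELDS if not c.get(f)]
        if missing:
            gaps.append(f"{c['control_id']}: design spec lacks {', '.join(missing)}")  # criterion 3
        if today - date.fromisoformat(c["last_reviewed"]) > timedelta(days=365):
            gaps.append(f"{c['control_id']}: not reviewed within 12 months")  # criterion 4
        covered |= set(c.get("addresses", ()))
    uncovered = set(risk["threat_vectors"]) - covered
    if controls and uncovered:  # a control exists but does not address the stated threat
        gaps.append(f"threat vectors not addressed: {sorted(uncovered)}")
    return gaps

def check_register(register, today=None):
    """Map each risk ID to its gaps; today may be a date or an ISO string."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    return {r["risk_id"]: check_risk(r, today) for r in register}

if __name__ == "__main__":
    for rid, gaps in check_register(RISK_REGISTER, "2024-06-01").items():
        print(rid, "OK" if not gaps else gaps)
```

Sampling 5–8 risks as the procedure describes is a matter of slicing the register before calling `check_register`; the output for R-001 shows a mapped control that still leaves a threat vector uncovered.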
Common gotchas
Many organizations create a control matrix but never tie specific controls back to *specific* risks—they simply map controls to standards, which creates compliance theater with no actual risk mitigation. Another common pitfall: selecting controls based on "industry best practice" without analyzing whether that control actually reduces the *probability or impact* of the identified threat.