Security Control Design and Selection
Key Takeaways
- Domain 3 (Information Security Program) is the largest CISM domain at 33% of 150 questions — roughly 50 scored items.
- Controls trace from policy to risk to control objective; CISM expects selection driven by risk treatment, not by product features.
- Baseline controls come from a framework (NIST SP 800-53, ISO/IEC 27002, CIS Controls); tailoring removes or adds based on residual risk.
- Control types are preventive, detective, corrective, deterrent, and compensating — choose by where in the timeline the control acts.
- A compensating control is acceptable only when the primary control is infeasible AND it meets the original control objective.
Designing and Selecting Controls in Domain 3
Information Security Program is the single largest CISM domain — 33% of the exam, about 50 of the 150 scored multiple-choice questions. The full exam is 150 questions in 4 hours (240 minutes), scored on ISACA's 200–800 scale with 450 as the passing standard. ISACA's Exam Content Outline updates effective 3 November 2026, so confirm which blueprint your exam date falls under. This section sits at the heart of Domain 3: turning the security strategy into a working set of controls.
In CISM, a control is a safeguard that modifies risk. Controls are never selected because a tool is popular — they are selected to satisfy a control objective that traces back to a policy requirement and an identified risk. The exam tests this chain repeatedly: policy → risk → control objective → control → metric. If a question offers a technically impressive option that does not map to the stated risk, it is a distractor.
The selection sequence the exam expects is consistent. First, the risk assessment establishes which risks exceed appetite and need treatment. Second, management chooses a risk treatment — mitigate, transfer, avoid, or accept — and only mitigation triggers a new control. Third, for risks being mitigated, the manager selects controls that bring residual risk within the defined appetite, no further. Fourth, every control gets an owner and a metric so effectiveness can be proven later.
Notice that selecting a control is the third step, not the first, and that assigning its owner and metric is the fourth: a candidate who jumps straight to a control without confirming the risk and the chosen treatment has skipped the management reasoning CISM is testing. Many wrong answers are perfectly good controls aimed at a risk the scenario never raised, or controls layered onto a risk management already decided to accept.
Control Functions
Know these five functions cold; questions often hinge on when a control acts relative to the incident.
| Function | Acts | Example |
|---|---|---|
| Preventive | Before the event | Access control list, encryption, segregation of duties |
| Detective | During/after | SIEM alerting, log review, intrusion detection |
| Corrective | After, to restore | Backups/restore, patching, incident response |
| Deterrent | Discourages | Warning banners, visible CCTV, sanctions policy |
| Compensating | Substitute | MFA + monitoring where a required control is infeasible |
Baselining and Tailoring
Managers do not invent controls from scratch. They start from a baseline drawn from a recognized framework — NIST SP 800-53, ISO/IEC 27002:2022 (93 controls in four themes), or the CIS Critical Security Controls v8 — then tailor it. Tailoring means adding controls for residual risk the baseline misses, and removing or scoping out controls that do not apply (e.g., dropping mainframe controls in an all-cloud shop). The justification for every add/remove is documented so an auditor can trace it.
Worked Example
A SaaS company stores cardholder data and must meet PCI DSS. The standard requires file integrity monitoring on a server that cannot run the agent. The manager cannot simply skip the requirement. The correct move is a compensating control: implement equivalent monitoring (e.g., immutable logging plus daily diff review) that meets the original objective of detecting unauthorized change, document the rationale, and obtain risk-owner sign-off. A compensating control that is cheaper but does not meet the objective is wrong.
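As an added example (not part of the original page, and not ISACA's or PCI SSC's material), here is the "daily diff review" half of the compensating control above as a small Python baseline-and-diff integrity check for a host that cannot run a FIM agent. The function names, the monitored tree and the tampered files in `demo()` are constructed for illustration.

```python
"""Baseline-and-diff file integrity check.

Added example, not code from the page, ISACA, or PCI SSC: a minimal
detective control of the kind the worked example calls "daily diff review"
for a host that cannot run a FIM agent. The directory tree in demo() is
constructed; a real deployment points snapshot() at the monitored paths.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify changes since the baseline. Any non-empty list is a finding for the reviewer."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def has_changes(report: dict[str, list[str]]) -> bool:
    return any(report.values())


def serialize_baseline(snap: dict[str, str]) -> str:
    """Canonical JSON for the baseline. Store it write-once and off-host (the
    "immutable logging" half of the control); if whoever changes a file can also
    re-baseline it, the control detects nothing."""
    return json.dumps(snap, sort_keys=True, indent=2)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "tls.pem").write_text("-----BEGIN CERTIFICATE-----\n")
        (root / "bin" / "run.sh").write_text("#!/bin/sh\nexec /opt/app/server\n")
        # Round-trip through JSON exactly as the stored baseline would be read back.
        baseline = json.loads(serialize_baseline(snapshot(root)))

        # Simulated unauthorized change: config toggled, script dropped, cert deleted.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "cron.sh").write_text("#!/bin/sh\n# not in any approved change\n")
        (root / "etc" / "tls.pem").unlink()

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("changes detected" if has_changes(report) else "clean")
```

Run it daily from a scheduler on a separate host (or against a read-only mount of the target), keep the baseline where the monitored host cannot write, and route the report to a reviewer who must tie every entry to an approved change ticket. Note what this does not give you compared with an agent: no real-time alerting and a detection gap of up to one day, which is exactly why the rationale and the risk owner's sign-off have to be documented.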
Administrative, Technical, and Physical Controls
Beyond the function (preventive/detective/etc.), CISM also classifies controls by nature. Administrative (managerial) controls are policies, standards, procedures, screening, and training — they direct human behavior. Technical (logical) controls are implemented in hardware/software: firewalls, encryption, access control, logging. Physical controls protect facilities: locks, badge readers, guards, fire suppression. A defensible program uses all three in layered defense (defense in depth) so that the failure of one layer does not expose the asset.
A question that offers only a technical fix to a problem rooted in human process (for example, repeated misuse of valid credentials) is steering you toward the wrong category — the better answer is often an administrative control such as access recertification or segregation of duties, reinforced by monitoring.
Cost-Benefit and Risk-Based Selection
Control selection is an economic decision, not a maximalist one. The CISM principle is that the annualized cost of a control should not exceed the value of the loss it prevents — conceptually, compare the control's cost against the reduction in Annual Loss Expectancy (ALE = Single Loss Expectancy × Annual Rate of Occurrence). If a control costs more than the risk it removes, the correct treatment may be to accept the residual risk, transfer it (insurance or contract), or avoid the activity entirely. The manager documents the chosen treatment and the risk owner's acceptance of any residual risk.
Selecting an expensive control that drives residual risk far below appetite is just as wrong as under-protecting — both waste resources or accept the wrong exposure.
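As an added example, not from the page or ISACA, the four-step selection sequence from "Designing and Selecting Controls in Domain 3" and the ALE cost-benefit rule above are written out as a small Python decision routine. `Risk`, `Control` and their fields (`sle`, `aro`, `appetite`, `annual_cost`, `sle_factor`, `aro_factor`, `owner`, `metric`) are modelling choices made here, and every figure in `demo()` is constructed.

```python
"""Risk-based, cost-justified control selection.

Added example, not ISACA's or the page's: the risk -> treatment -> control ->
owner/metric sequence and the ALE cost-benefit rule as code. All class names,
field names and figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float       # single loss expectancy per event
    aro: float       # expected events per year
    appetite: float  # maximum annual loss management will tolerate

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return round(self.sle * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float       # annualized cost: licences, staff, maintenance
    owner: str               # step 4: who is accountable for operating it
    metric: str              # step 4: how effectiveness will be evidenced
    sle_factor: float = 1.0  # residual impact as a fraction of the original SLE
    aro_factor: float = 1.0  # residual likelihood as a fraction of the original ARO

    def residual_ale(self, risk: Risk) -> float:
        return round(risk.sle * self.sle_factor * risk.aro * self.aro_factor, 2)

    def net_benefit(self, risk: Risk) -> float:
        """ALE reduction minus cost; negative means the control costs more than it saves."""
        return round(risk.ale - self.residual_ale(risk) - self.annual_cost, 2)


def select_treatment(risk: Risk, candidates: list[Control]) -> dict:
    """Decide the treatment for one risk in the order CISM expects.

    1. Risk already within appetite: accept, no new control.
    2. Otherwise consider mitigation; a control is viable only if it brings
       residual ALE within appetite AND its ALE reduction exceeds its cost.
    3. Among viable controls take the cheapest, not the one that drives risk
       furthest below appetite.
    4. Carry the owner and metric forward with the decision.
    If nothing is viable, the decision returns to the risk owner: transfer,
    avoid, or formally accept.
    """
    if risk.ale <= risk.appetite:
        return {"risk": risk.name, "treatment": "accept", "control": None,
                "residual_ale": risk.ale,
                "reason": "ALE already within appetite; no new control"}

    viable = [c for c in candidates
              if c.residual_ale(risk) <= risk.appetite and c.net_benefit(risk) > 0]
    if not viable:
        return {"risk": risk.name, "treatment": "escalate", "control": None,
                "residual_ale": risk.ale,
                "reason": "no cost-justified control reaches appetite; "
                          "risk owner to choose transfer, avoid, or documented acceptance"}

    chosen = min(viable, key=lambda c: c.annual_cost)
    return {"risk": risk.name, "treatment": "mitigate", "control": chosen.name,
            "residual_ale": chosen.residual_ale(risk),
            "owner": chosen.owner, "metric": chosen.metric,
            "reason": f"cheapest viable control; net benefit {chosen.net_benefit(risk):,.0f}"}


def demo() -> list[dict]:
    """Three constructed risks: one to mitigate, one to accept, one to escalate."""
    misuse = Risk("Credential misuse against billing app", sle=500_000, aro=0.4, appetite=80_000)
    misuse_controls = [
        Control("PAM suite + 24x7 SOC", 120_000, "Head of IAM",
                "% privileged sessions recorded", aro_factor=0.0625),
        Control("MFA + quarterly access recertification", 60_000, "IAM lead",
                "% accounts recertified on time", aro_factor=0.25),
        Control("Annual awareness training only", 15_000, "HR",
                "% staff trained", aro_factor=0.75),
    ]
    defacement = Risk("Marketing site defacement", sle=20_000, aro=1.0, appetite=25_000)
    flood = Risk("Data centre flood", sle=2_000_000, aro=0.05, appetite=20_000)
    flood_controls = [
        Control("Relocate data centre", 5_000_000, "CIO", "migration complete", aro_factor=0.0),
        Control("Flood barriers", 30_000, "Facilities", "annual barrier test passed", aro_factor=0.5),
    ]
    return [
        select_treatment(misuse, misuse_controls),
        select_treatment(defacement, []),
        select_treatment(flood, flood_controls),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The first risk shows the point of the paragraph above: the PAM suite drives residual ALE to 12,500 and still pays for itself, but it loses to MFA plus recertification, which reaches appetite at half the cost. The flood risk shows the other half of the rule: neither candidate is cost-justified and within appetite, so the routine does not pick a control at all and hands the decision back to the risk owner, where transfer (insurance) belongs.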
Common Traps
- Picking the control with the most advanced technology over the one that treats the stated risk.
- Treating a compensating control as a permanent excuse rather than a documented, objective-meeting substitute.
- Selecting a detective control when the prompt clearly needs prevention (or vice versa).
- Applying only a technical fix to a problem that is administrative or physical in nature.
- Forgetting that the annualized cost of a control should not exceed the annual loss it prevents (its reduction in ALE), and certainly not the value of the asset it protects: a core CISM cost-benefit principle.
Practice Questions
- A required control cannot be deployed on a legacy system. What makes an alternative acceptable as a compensating control?
- An organization adopts ISO/IEC 27002 as a baseline, then removes mainframe controls because it runs entirely in the cloud. This activity is best described as:
- Which control is primarily detective rather than preventive?