Identifying controls
It is generally preferable to inventory existing controls before implementing new ones.
To do so, controls can be identified in various ways:
• From risks
Certain controls are installed to meet a particular risk.
• From control type lists
Control type lists are associated with certain regulations (eg.: COBIT).
• From diagrams of existing business processes
Similarly to risk identification, it is possible to examine the operation of each step in the business process from its diagram, if this exists, to discover the controls installed.
• From specialist expertise
A specialist in a particular field is often able to describe controls which are or should be implemented.
• From incident databases
By consulting past events, controls that could have prevented them or reduced their consequences can be proposed.
Access to Controls
To create a control from the Processes pane:
Click Controls & Risks > Controls.As with risks, associated controls can be numerous. To improve control management, HOPEX Risk Mapper proposes several control classification criteria.
The controls covered by a control system can be viewed in the Treatment section of the Control System. For more details, see Control Systems.