Example:
The Difference Between Controls and Effectiveness
Hi, I’m Madison, and I want to tell you about the moment my organization learned the difference between having controls and having control effectiveness.
Part I - The Situation
You’re working in an organization that prides itself on being “serious about security.” And at first glance, it’s convincing. MFA is required. Access reviews are scheduled. Vulnerability scans are running. There’s a vendor risk program. There are dashboards—so many dashboards.
Leadership feels confident because the program looks structured. And if someone asks, “Do we have controls?” you can answer yes without hesitation.
But then something happens that exposes an uncomfortable truth: controls can exist and still fail, quietly, over time.
In our case, the trigger was not a dramatic breach. It was something subtler: a routine internal audit found that multiple former employees still had access to systems they shouldn’t. Not because anyone intentionally kept access open, but because offboarding wasn’t consistently connected to all systems. Some access was removed automatically. Some required manual action. Some systems relied on a ticket that didn’t always get created.
When you see that, your first instinct might be, “Fix offboarding.” But here’s what made it bigger: our program already had controls that were supposed to prevent exactly this. We had an access review control. We had offboarding procedures. We had quarterly certifications.
So why did it still happen?
Because we were measuring existence, not effectiveness.
We were checking that access reviews were “done,” but we weren’t checking whether they actually caught risk. People were clicking through reviews quickly because they were busy. Managers didn’t always understand what they were approving. Some applications weren’t included in the review scope. Exceptions were piling up quietly.
This wasn’t a control gap. It was an effectiveness gap.
Part II - The Shift
We changed the way we evaluated controls by asking three questions:
- Is the control designed well for the risk it claims to reduce?
- Is it operating as intended in real life?
- Is it producing evidence that would convince a skeptical reviewer—not just an auditor, but reality?
For access control, we realized our evaluation approach was superficial. We were tracking completion rates: “100% of managers completed access reviews.” That felt comforting, but it was meaningless without quality indicators.
Investigation
So we redesigned our control evaluation approach. First, we defined what “effective” meant. In this case, an effective access review should:
- identify accounts that no longer need access,
- confirm that privileged access is justified,
- detect orphaned accounts,
- and trigger remediation.
Then we introduced practical tests:
- We sampled terminated employees and checked for residual access across systems.
- We tested whether access removal occurred within defined timelines.
- We reviewed exceptions: who approved them, for how long, and whether compensating controls existed.
- We measured review quality: were managers asking questions, or just clicking approve?
We also introduced a feedback loop: every quarter, we didn’t just “run the control.” We reviewed outcomes, identified patterns, and updated the process.
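As an added example (not part of the course page), the four practical tests listed above can be run as code each quarter rather than answered from memory. The script below works over constructed sample data: an HR termination feed, per-system account exports, an exception register and a review-activity log. The 2-day removal SLA, the 90-day exception cap and the 5-seconds-per-item "rubber stamp" threshold are assumed policy values, and every user, system and manager name is constructed for illustration.

```python
"""Added example: effectiveness tests for an access review / offboarding control.

Implements the four tests from the course narrative over constructed data:
  1. residual access of terminated users across systems,
  2. access removal timeliness against a defined SLA,
  3. exception review (approver, duration, compensating control),
  4. review quality (did the manager spend time and ever revoke anything?).
All names, dates, systems and thresholds are assumptions, not real data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REMOVAL_SLA_DAYS = 2       # assumed policy: access removed within 2 days of termination
MAX_EXCEPTION_DAYS = 90    # assumed policy: an exception may last at most 90 days
RUBBER_STAMP_SECONDS = 5   # assumed: under 5 s per item with zero revocations is click-through

# Constructed HR termination feed: user -> termination date
TERMINATIONS = {
    "alice": date(2026, 1, 5),
    "bob": date(2026, 1, 12),
    "carol": date(2026, 1, 20),
}

# Constructed per-system account exports: system -> {user: (is_active, disabled_on)}
ACCOUNTS = {
    "vpn":   {"alice": (False, date(2026, 1, 6)),  "bob": (True, None),  "dave": (True, None)},
    "crm":   {"alice": (False, date(2026, 1, 14)), "carol": (False, date(2026, 1, 21))},
    "admin": {"bob": (True, None), "carol": (True, None), "erin": (True, None)},
}


def residual_access(terminations, accounts):
    """Test 1: terminated users whose account is still active in any system."""
    findings = []
    for system, users in accounts.items():
        for user, (active, _) in users.items():
            if active and user in terminations:
                findings.append((user, system))
    return sorted(findings)


def removal_timeliness(terminations, accounts, sla_days=REMOVAL_SLA_DAYS):
    """Test 2: (user, system, days_beyond_sla) for removals slower than the SLA."""
    late = []
    for system, users in accounts.items():
        for user, (active, disabled_on) in users.items():
            if user in terminations and not active and disabled_on is not None:
                lag = (disabled_on - terminations[user]).days
                if lag > sla_days:
                    late.append((user, system, lag - sla_days))
    return sorted(late)


@dataclass
class AccessException:
    user: str
    system: str
    approver: str
    granted: date
    expires: Optional[date]
    compensating_control: Optional[str]


# Constructed exception register
EXCEPTIONS = [
    AccessException("dave", "vpn", "mgr_1", date(2025, 10, 1), None, None),
    AccessException("erin", "admin", "mgr_2", date(2026, 1, 2), date(2026, 3, 1), "session recording"),
]


def exception_findings(exceptions, max_days=MAX_EXCEPTION_DAYS):
    """Test 3: exceptions that are open-ended, too long, or lack a compensating control."""
    findings = []
    for e in exceptions:
        problems = []
        if e.expires is None:
            problems.append("no expiry")
        elif (e.expires - e.granted).days > max_days:
            problems.append("exceeds max duration")
        if e.compensating_control is None:
            problems.append("no compensating control")
        if problems:
            findings.append((e.user, e.system, e.approver, problems))
    return findings


# Constructed review-activity log: (manager, items_reviewed, seconds_spent, items_revoked)
REVIEW_LOG = [
    ("mgr_1", 40, 60, 0),    # 1.5 s per item and nothing revoked: likely click-through
    ("mgr_2", 25, 900, 3),   # 36 s per item with three revocations: engaged review
]


def review_quality(log, threshold=RUBBER_STAMP_SECONDS):
    """Test 4: managers whose pace and zero revocations suggest rubber-stamping."""
    return [m for m, items, seconds, revoked in log
            if seconds / items < threshold and revoked == 0]


def quarterly_summary():
    """The evidence the feedback loop reviews each quarter."""
    return {
        "residual_access": residual_access(TERMINATIONS, ACCOUNTS),
        "late_removals": removal_timeliness(TERMINATIONS, ACCOUNTS),
        "exception_findings": exception_findings(EXCEPTIONS),
        "rubber_stamp_reviewers": review_quality(REVIEW_LOG),
    }


if __name__ == "__main__":
    for name, result in quarterly_summary().items():
        print(f"{name}: {result}")
```

Each test returns findings rather than a completion flag, which is the point of the narrative: a quarter with "100% reviews completed" can still produce three residual accounts, one late removal, an open-ended exception and a manager who approved forty items in a minute. Those outputs are what the feedback loop acts on.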
Response
If managers didn’t understand the review, we improved guidance.
If systems weren’t in scope, we expanded scope.
If offboarding tickets weren’t triggered, we automated triggers.
We treated control effectiveness like a living thing, not a checkbox.
Part III - Results
Within two cycles, the results were obvious.
We found fewer orphaned accounts because we were testing for them, not assuming the control would catch them.
Managers took reviews more seriously because expectations were clear and evidence mattered.
We reduced exception backlog because approvals had to be time-bound and reviewed.
And leadership stopped being satisfied with “completion” and started asking about outcomes.
Most importantly, assurance improved. Not because we declared it, but because we could demonstrate it: reduction in residual access, improved timeliness, fewer privileged accounts without justification.
The control became trustworthy—not because it existed, but because it proved effectiveness over time.
Part IV - Takeaway
Here’s your Week 6 takeaway: a control isn’t effective because it’s written down or scheduled. It’s effective when it reliably reduces risk in real operations, and when you can prove that with evidence.
Continuous improvement is what keeps controls alive. Without it, controls drift. They become stale. People bypass them. Scope shrinks. Exceptions grow. And the organization becomes vulnerable while still believing it’s protected. This week, you’re learning how to evaluate effectiveness, test controls realistically, and build improvement loops that strengthen assurance before failure forces change.
W6_ISSC662_Example
Griky Kontent
Created on February 3, 2026