In a previous article, I looked at how risk mitigation plans succeed only when supported by strong communication, change management, and continuous monitoring. With a plan in place, the next stage is implementation. This article focuses on selecting, implementing, testing, and documenting cyber security controls so that a strategy moves beyond planning into measurable action.

Implementing Cyber Security Controls

From plan to action

Once a risk mitigation plan is in place, the next priority is to go from strategy to execution. The transition requires more than identifying risks and selecting controls; it needs a structured implementation plan, targeted testing, and clear documentation. This ensures that security controls move beyond a mitigation strategy and become practical, effective defences integrated into the organisation's operations.

Planning and Executing Controls

Implementation begins with developing clear, detailed plans for addressing identified cybersecurity gaps. These plans should outline priorities, resources, and timelines while aligning with organisational objectives and compliance obligations (adhering to a cyber security framework). A structured approach, supported by change management, ensures that stakeholders understand the purpose of the controls, anticipate the impact, and contribute to adoption.

An effective rollout should be guided by the adopted cyber security framework (e.g. the Essential 8), providing consistency and helping the organisation move toward a higher maturity level. By combining governance alignment, risk appetite considerations, and stakeholder engagement, the implementation process turns the selected controls into defences that are both technically effective and sustainable.


Cybersecurity controls usually fall into one of three categories:

1. Preventative controls are designed to stop a cyber incident before it can happen. These are proactive measures that reduce the likelihood of a threat exploiting a vulnerability. An example is requiring all employees to complete mandatory cybersecurity training, which helps to prevent them from falling for phishing scams. Other examples include firewalls, access control policies, and strong password requirements.

2. Detective controls are put in place to identify a cyber incident as it occurs or after it has taken place. These controls do not prevent an attack, but they are crucial for minimising the impact by enabling a quick response. An example is a smoke alarm, which doesn’t prevent a fire but alerts someone that a fire is happening. In cybersecurity, this includes things like intrusion detection systems (IDS), security logs, and vulnerability scanners, all of which help to identify suspicious activity or weaknesses in a system.

3. Corrective controls are designed to fix a problem or restore a system to a secure state after a security incident has occurred. They are reactive measures that focus on minimising the damage and ensuring business continuity. An example is a property insurance policy that provides funds to recover from fire damage. In cybersecurity, this includes restoring data from backups, implementing an incident response plan to contain and mitigate an attack, and patching exploited vulnerabilities to prevent a similar attack from happening again.


Testing and Documentation

Controls that are not tested remain unproven. Verification methods include:

  • Vulnerability scanning. This should be an automated process that uses software to scan systems and networks for known security weaknesses or flaws. It helps an organisation identify which vulnerabilities exist and which systems are at risk.

  • Penetration testing. This is a controlled, simulated cyber attack on a system to find and exploit vulnerabilities. Unlike a scanner, it aims to demonstrate the real-world impact of a security flaw, providing a more in-depth assessment of the controls' effectiveness.

  • Patch validation and configuration reviews. This involves checking that all security updates (patches) have been successfully rolled out and installed, and that system configurations align with an organisation’s security standards and policies. This confirms that the control is properly in place and effective. This should be an automated control.

  • User acceptance testing. This is a final stage of testing to ensure that a new or modified system functions as required and meets the needs of the business and its users. It focuses on the functional aspects and verifies that the system works as expected in a real-world scenario.
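As an added example (not code from this article), the following Python sketch shows patch validation and a configuration review run as an automated control, with each result recorded as a control register entry; the baseline patch IDs, required settings and host inventory are constructed placeholders, not real identifiers.

```python
"""Automated patch validation and configuration review that emits control register records (constructed example)."""
from dataclasses import dataclass, field

# Constructed baseline: patches that must be present and settings that must hold on every host.
BASELINE = {
    "required_patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
    "required_settings": {"mfa_enforced": True, "macros_blocked": True,
                          "admin_local_login": False},
}

# Constructed inventory for two hosts, as a hypothetical collector might report it.
INVENTORY = {
    "ws-01": {"patches": {"KB-EXAMPLE-001", "KB-EXAMPLE-002"},
              "settings": {"mfa_enforced": True, "macros_blocked": True,
                           "admin_local_login": False}},
    "ws-02": {"patches": {"KB-EXAMPLE-001"},
              "settings": {"mfa_enforced": True, "macros_blocked": False,
                           "admin_local_login": False}},
}

@dataclass
class ControlRecord:
    """One row of the control register: which host, which control, and what was found."""
    host: str
    control: str
    status: str                      # "PASS" or "FAIL"
    findings: list = field(default_factory=list)

def validate_patches(host, host_state, baseline):
    """Patch validation: every required patch must be installed on the host."""
    missing = sorted(baseline["required_patches"] - host_state["patches"])
    return ControlRecord(host, "patch-validation", "FAIL" if missing else "PASS",
                         [f"missing patch {p}" for p in missing])

def review_configuration(host, host_state, baseline):
    """Configuration review: flag any setting that drifts from the baseline."""
    drift = [f"{k}={host_state['settings'].get(k)!r} (expected {v!r})"
             for k, v in baseline["required_settings"].items()
             if host_state["settings"].get(k) != v]
    return ControlRecord(host, "configuration-review", "FAIL" if drift else "PASS", drift)

def build_register(inventory, baseline):
    """Run both checks over the whole inventory and return the register rows."""
    register = []
    for host, state in inventory.items():
        register.append(validate_patches(host, state, baseline))
        register.append(review_configuration(host, state, baseline))
    return register

def summarise(register):
    """Pass/fail counts for reporting against the adopted framework."""
    return {"pass": sum(r.status == "PASS" for r in register),
            "fail": sum(r.status == "FAIL" for r in register)}
```

With the constructed inventory, ws-01 passes both checks while ws-02 fails patch validation (one patch missing) and the configuration review (macros not blocked), giving a register a reviewer can act on.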

Testing validates not only technical effectiveness but also “operational fit”, ensuring that new measures strengthen rather than hinder the organisation’s objectives.

Just as important is thorough documentation. Standard Operating Procedures (SOPs), control registers, and compliance records formalise practices, provide a reference for training, and give the traceability that aids troubleshooting. They also demonstrate compliance to regulators (and underwriters). Documentation also anchors improvements into the organisational culture, making controls repeatable, auditable, and adaptable as the threat landscape evolves.

The move from risk mitigation planning to control implementation marks an important step in building operational resilience through cyber security defences. By planning strategically, following through with controlled implementation, testing rigorously, and documenting comprehensively, organisations transform static strategies into active defence controls. This cycle of execution and improvement ensures that security controls are not only effective in addressing current gaps but remain resilient against emerging threats, strengthening both compliance and business continuity.