Cyber Security Academy · Lesson

Controls, Audits and Certification

Implementing and proving compliance.

From Framework to Practice

Choosing a framework is the easy part. The hard work is implementing controls, then proving they work through audits and, where required, achieving certification.

This lesson covers the practical journey: what controls actually look like, the types of evidence auditors expect, how the audit process runs, and what a certificate does and does not mean.

Three Types of Control

Controls fall into three classic categories by how they reduce risk:

  • Preventive — stop an incident from happening (MFA, firewalls, least privilege).
  • Detective — reveal an incident in progress or after the fact (logging, SIEM alerts, file-integrity monitoring).
  • Corrective — restore and limit damage after an incident (backups, patching, incident response).

A strong program layers all three; relying only on prevention leaves you blind when prevention fails.
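The following is an added example written for this lesson, not code from the Academy or from any framework it cites. It models a small authentication service that layers one control of each type, then replays two constructed scenarios: a password-guessing attack that the preventive lockout stops on its own, and a login with valid but stolen credentials that never trips the lockout, so only the detective and corrective layers catch it. The usernames, IP addresses, threshold and alert rule are all made-up values chosen for the demonstration.

```python
"""Layered controls demo (added example, not from the lesson).

Preventive : account lockout after repeated failures
Detective  : alert on a successful login from an IP the user has never used
Corrective : revoke the user's sessions and force a password reset
All identities, addresses and thresholds below are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # hypothetical policy: lock after 5 consecutive failures


@dataclass
class AuthService:
    passwords: dict                      # constructed store: user -> password (demo only)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    known_ips: dict = field(default_factory=lambda: defaultdict(set))
    sessions: dict = field(default_factory=lambda: defaultdict(set))
    alerts: list = field(default_factory=list)

    def login(self, user: str, password: str, ip: str) -> str:
        # Preventive control: a locked account is refused before the password is checked,
        # so a guessing attack gets at most LOCKOUT_THRESHOLD tries.
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            return "locked"
        if self.passwords.get(user) != password:
            self.failures[user] += 1
            return "denied"
        self.failures[user] = 0
        self.sessions[user].add(ip)
        self._detect(user, ip)           # detective layer runs on every success
        self.known_ips[user].add(ip)
        return "ok"

    def _detect(self, user: str, ip: str) -> None:
        # Detective control: a *successful* login from an address this user has
        # never used is suspicious even though nothing was prevented.
        if self.known_ips[user] and ip not in self.known_ips[user]:
            self.alerts.append((user, ip, "login from unseen IP"))

    def respond(self) -> list:
        # Corrective control: act on open alerts by revoking live sessions and
        # forcing a reset (modelled here as treating the account as locked).
        handled = []
        for user, _ip, _reason in self.alerts:
            self.sessions[user].clear()
            self.failures[user] = LOCKOUT_THRESHOLD
            handled.append(user)
        self.alerts.clear()
        return handled


def run_scenarios() -> dict:
    """Replay two constructed scenarios and return what each layer saw."""
    svc = AuthService(passwords={"alice": "correct-horse", "bob": "hunter2"})
    svc.login("alice", "correct-horse", "10.0.0.5")   # alice's normal address (baseline)

    # Scenario 1: online password guessing against bob. Prevention alone suffices.
    guessing = [svc.login("bob", f"guess{i}", "203.0.113.9") for i in range(6)]

    # Scenario 2: alice's real password reused from an unknown address. No failures
    # occur, so the preventive control is blind; the detective control still fires.
    stolen = svc.login("alice", "correct-horse", "198.51.100.77")
    alerts = list(svc.alerts)
    remediated = svc.respond()

    return {
        "guessing": guessing,                          # 5 x denied, then locked
        "stolen_creds": stolen,                        # "ok": prevention saw nothing wrong
        "alerts": alerts,                              # detective layer caught it
        "remediated": remediated,                      # corrective layer acted
        "alice_sessions": len(svc.sessions["alice"]),  # 0 after revocation
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The point of the second scenario is the one the lesson makes: a program that stops at prevention reports "ok" for the stolen-credential login and never learns it happened, while the detective layer turns it into an alert the corrective layer can act on.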

All lessons in this course

  1. Why Security Frameworks Exist
  2. The NIST Cybersecurity Framework
  3. ISO 27001 and the ISMS
  4. Controls, Audits and Certification