LR-301h · Module 1

Control Specification


A control that is not specified precisely is a control that is implemented inconsistently. "Monitor AI systems for compliance" is a control objective, not a control specification. A specification defines: what is monitored, how often, by what method, against what criteria, who is responsible, what constitutes a finding, and what action is taken on a finding. The specification is the blueprint that makes implementation consistent and auditable.

Do This

  • Specify controls with enough detail that two different people would implement them identically — that is the test of adequate specification
  • Include success criteria in every specification — how do you know the control is working? What metric confirms effectiveness?
  • Link every control specification to the risk it mitigates — the traceability from risk to control to evidence is the audit chain.

[RECOMMEND]: Write specifications using the format: purpose, scope, frequency, method, criteria, owner, evidence.

Avoid This

  • Specify controls as objectives without operational detail — objectives are the "what," specifications are the "how"
  • Write specifications that only the author can implement — specifications must be transferable across personnel
  • Create controls without success criteria — a control without measurable effectiveness is a control you hope works