LR-301h · Module 2

Implementation Sequencing

3 min read

Not all controls can be implemented simultaneously. Resources are limited. Some controls depend on others. Some risks are more urgent than others. Implementation sequencing determines which controls are deployed first, which can run in parallel, and which must wait for prerequisites to be completed.

Do This

  • Sequence by risk score first — the highest-risk mitigations get implemented first
  • Identify dependencies between controls — a detective control that depends on a logging infrastructure cannot deploy before the infrastructure
  • Group independent controls for parallel implementation — maximize risk reduction per unit time. [CLEARED]: Parallel implementation is the most efficient use of limited resources.

Avoid This

  • Sequence by ease of implementation — easy controls may address low risks while high risks remain unmitigated
  • Ignore dependencies — a control deployed before its prerequisites is a control that does not function
  • Serialize everything — sequential implementation delays risk reduction unnecessarily when controls are independent