LR-301h · Module 2

Implementation Verification


A control that is "implemented" but not verified is a control that is assumed to work. Verification tests the control under realistic conditions and confirms that it produces the expected risk reduction. The verification may reveal that the control works differently than designed, addresses a narrower scope than intended, or does not function at all. Better to discover this during verification than during an incident.

Do This

  • Test every control after implementation under conditions that simulate the risk it addresses
  • Verify that the control produces the evidence artifacts specified in the design — a control without evidence is unauditable
  • Document verification results and address any gaps before declaring implementation complete

Avoid This

  • Mark controls as implemented based on the deployment alone — deployment is not verification
  • Skip verification for controls that "obviously work" — the obvious ones are the ones most likely to have untested assumptions
  • Verify once and never again — controls degrade over time and need periodic re-verification.

[RISK]: Unverified controls create false confidence that is worse than acknowledged gaps.
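The three "Do This" steps and the "Avoid This" pitfalls, turned into a small verification harness. This is an added example, not part of the module: the control under test (a path filter that must reject traversal and write an audit record for each rejection), the 90-day re-verification interval and the status names are all assumptions chosen for illustration.

```python
"""Control verification harness (added example, not from the module)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

REVERIFY_AFTER = timedelta(days=90)  # assumed re-verification interval


@dataclass
class Control:
    name: str
    deployed: bool = True              # deployment alone is never "verified"
    verified_on: Optional[date] = None
    gaps: List[str] = field(default_factory=list)

    def status(self, today: date) -> str:
        if self.verified_on is None or self.gaps:
            return "deployed-unverified"
        if today - self.verified_on > REVERIFY_AFTER:
            return "verification-stale"   # needs periodic re-verification
        return "verified"


# Constructed control under test: rejects path traversal and records an
# evidence artifact (audit line) for every rejection.
audit_log: List[str] = []


def path_filter(requested: str) -> bool:
    ok = ".." not in requested and not requested.startswith("/")
    if not ok:
        audit_log.append(f"REJECT {requested}")
    return ok


def verify_path_filter(control: Control, today: date) -> Control:
    control.gaps = []
    audit_log.clear()
    # 1. Exercise the control under inputs that simulate the risk it addresses.
    cases = {"../../etc/passwd": False, "/etc/shadow": False,
             "reports/q1.pdf": True, "a/../b": False}
    for path, expected in cases.items():
        if path_filter(path) != expected:
            control.gaps.append(f"unexpected result for {path!r}")
    # 2. Confirm the evidence artifact: exactly one audit record per rejection.
    rejected = sum(1 for allowed in cases.values() if not allowed)
    if len(audit_log) != rejected:
        control.gaps.append(f"evidence gap: {len(audit_log)}/{rejected} records")
    # 3. Document the result; only a gap-free run counts as verification.
    if not control.gaps:
        control.verified_on = today
    return control


def run_demo() -> dict:
    day0 = date(2024, 1, 15)  # constructed verification date
    ctl = verify_path_filter(Control("path-filter"), day0)
    return {"gaps": ctl.gaps, "now": ctl.status(day0),
            "later": ctl.status(day0 + timedelta(days=120)),
            "never": Control("untested").status(day0)}
```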