When it comes to managing controls for information security (InfoSec) compliance, event-based controls are among the most challenging to execute consistently and the most prone to failure.
These controls are triggered by ad hoc events like onboarding new employees, responding to incidents, or managing system changes. Despite accounting for roughly 30% of InfoSec compliance activities, they are frequently the source of exceptions in SOC 1, SOC 2, and ISO/IEC 27001 audits.
The Three Types of Controls
A well-rounded InfoSec compliance program includes three control types:
- Continuous controls are always in effect, such as system configurations, policies, and static documentation. These are audited in their present state.
- Periodic controls occur at regular intervals, such as quarterly risk assessments or annual board reviews. Auditors verify they’re completed within the defined timeframe.
- Event-based controls apply when specific events happen, such as hiring a new employee or releasing a software update. Auditors look to confirm that required actions were taken in response to each event.
Why Event-Based Controls Often Fail
The primary reason event-based controls fail is simple: the event occurs, but the corresponding control doesn’t. It may be skipped, forgotten, or left incomplete—just like any other business task. And if the audit evidence isn’t documented, it’s as if the control was never implemented.
Here are common event triggers that require documented controls:
- New employees
- New contractors
- Terminations
- New customers
- New third-party vendors
- Asset disposals
- Vulnerabilities identified
- Incidents
- Change releases
Controls must be applied consistently and documented in line with requirements, whether those stem from SOC 2 criteria or specific customer expectations.
Complicating matters, no two events are the same. A new hire might be a relative of an executive, bypassing typical onboarding steps. A change release might seem minor and be rolled out without the usual review. While auditors are allowed judgment in such cases, these deviations may still be noted as exceptions, unless the reasoning is documented clearly. Proactive explanation shows governance in action and may help avoid formal findings.
How to Implement Effective Event-Based Controls
To improve the consistency and effectiveness of event-based controls, consider these best practices:
1. Automate Where Possible
Software can trigger or carry out controls to help ensure nothing is missed. Automation promotes consistency, creates audit trails, and reduces manual error. While not every control can be automated, many tools can streamline execution.
2. Embed Controls Into the Process
Controls are more effective when they’re baked into core workflows. For instance, asking employees to sign a Code of Conduct is less reliable if it’s a separate HR task. But if it’s part of the employment contract or onboarding checklist, it’s far more likely to be completed. Wherever possible, tie controls to natural process checkpoints.
3. Assign Ownership
Clear ownership improves accountability. A dual-level ownership model works well: an individual operator (e.g., an HR manager) manages day-to-day control execution, while a senior leader (e.g., the COO or CFO) owns oversight of the broader control category.
4. Schedule Regular Checks
Monthly or quarterly check-ins can surface issues before they escalate. These don’t need to be formal audits—just brief meetings or touchpoints with control owners to verify nothing critical is slipping through the cracks.
5. Build Organizational Awareness
Controls tied to unpredictable events, like risk reporting or incident management, benefit from widespread awareness. When more people understand their role in these processes, they’re more likely to contribute to control effectiveness.
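The automation and regular-check practices above can be combined into a simple reconciliation: compare the register of trigger events against the evidence log and flag any event whose required control is missing, late, or has no control mapped at all. The example below is added here and is not code from the original article; the event register, evidence log, required-control mapping and SLA windows are all constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): trigger events from the register.
EVENTS = [
    {"id": "E1", "type": "new_employee", "subject": "alice", "date": date(2024, 3, 1)},
    {"id": "E2", "type": "new_employee", "subject": "bob", "date": date(2024, 3, 4)},
    {"id": "E3", "type": "termination", "subject": "carol", "date": date(2024, 3, 10)},
    {"id": "E4", "type": "change_release", "subject": "v2.3.1", "date": date(2024, 3, 12)},
    {"id": "E5", "type": "asset_disposal", "subject": "laptop-17", "date": date(2024, 3, 15)},
]

# Constructed evidence log: one row per documented control action.
EVIDENCE = [
    {"event_id": "E1", "control": "code_of_conduct_signed", "date": date(2024, 3, 2)},
    {"event_id": "E1", "control": "access_provisioned", "date": date(2024, 3, 1)},
    {"event_id": "E2", "control": "code_of_conduct_signed", "date": date(2024, 3, 20)},
    {"event_id": "E3", "control": "access_revoked", "date": date(2024, 3, 10)},
    # E2 has no access-provisioning evidence; E4 has no change-review evidence.
]

# Assumed mapping of event type -> required controls and the number of days
# allowed between the event and the documented control action.
REQUIRED = {
    "new_employee": {"code_of_conduct_signed": 5, "access_provisioned": 1},
    "termination": {"access_revoked": 1},
    "change_release": {"change_reviewed": 0},
}


def find_exceptions(events, evidence, required):
    """Return (event_id, control, reason) tuples an auditor would raise as exceptions.

    Undocumented evidence is treated exactly like a control that never ran, which
    is how an auditor will see it. Event types with no mapped control are flagged
    too, so new trigger kinds cannot silently go unmonitored.
    """
    done = {}
    for row in evidence:
        done.setdefault(row["event_id"], {})[row["control"]] = row["date"]
    exceptions = []
    for event in events:
        if event["type"] not in required:
            exceptions.append((event["id"], "*", "no_control_mapped"))
            continue
        evidence_for_event = done.get(event["id"], {})
        for control, sla_days in required[event["type"]].items():
            if control not in evidence_for_event:
                exceptions.append((event["id"], control, "missing"))
            elif evidence_for_event[control] > event["date"] + timedelta(days=sla_days):
                exceptions.append((event["id"], control, "late"))
    return exceptions
```

Running this monthly against the real event register and evidence store turns the "regular check" into a report of specific gaps to close before the audit rather than a general conversation.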
Identifying Your Event-Based Controls
Need help identifying or strengthening your event-based controls? Contact us to learn more about how we can support your InfoSec compliance efforts.