5.3 CONTROL DOCUMENTATION (Controls):


Details about controls in the Entity being profiled are captured in the same way as risks. In a Risk Assessment workshop, the individual risks already captured are set aside at this point, and controls are recorded as participants think of them. There are two reasons for this: redundant controls can be identified later, and the list of controls can be used to check whether a risk has been left off the first list. A control that appears to be redundant may, in fact, be mitigating a risk that was not originally thought of and is therefore not on the first list.