Episode 57 — Operate a Controls Calendar: Scheduling, Evidence, and Sustainable Compliance

In this episode, we’re going to talk about something that sounds administrative but is actually one of the most practical ways to keep OT security real over time: operating a controls calendar. If you’re new to cybersecurity, it’s easy to imagine security as a set of projects, like implementing segmentation, improving remote access, or adding monitoring, and then you’re done. In OT, projects matter, but long-term safety and resilience depend on routine, because controls drift, exceptions accumulate, accounts linger, and documentation goes stale unless someone continuously maintains them. A controls calendar is the planned rhythm of recurring control activities, like access reviews, backup tests, configuration baseline checks, and evidence collection, scheduled in a way that is realistic for operations. The calendar turns security from a burst of effort into a steady habit that can survive staffing changes, vendor changes, and the everyday pressures of production. It also supports compliance without making compliance the main point, because it produces evidence as a natural output of doing the work, not as a last-minute scramble. The goal here is to understand what a controls calendar is, why it matters in OT, and how scheduling and evidence practices create sustainable compliance rather than chaotic audit panic.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

A controls calendar starts with a basic truth about OT environments: anything that is not maintained will degrade, even if it was designed well. Remote access pathways that were once tightly controlled can become permanently enabled because someone needed access quickly and never turned it off. Accounts that were created for a vendor project can remain active after the project ends because offboarding was not scheduled. Segmentation rules that were carefully designed can drift as exceptions are added during troubleshooting and never revisited. Logging and monitoring can quietly fail after upgrades, leaving blind spots that no one notices until an incident. Beginners often assume these problems happen because people do not care, but more often they happen because operational demands are constant and attention is limited. A calendar addresses this by turning important control checks into planned events, so they compete less with emergencies. It also makes security predictable for operations, because teams know when reviews occur and can prepare. Predictability is part of safety, because it reduces last-minute changes and surprise requests. When the calendar exists and is respected, controls stay closer to their intended design.

To build a controls calendar, you first need to understand what types of activities belong on it, and why. Some calendar items are control operations, meaning routine tasks that keep a control functioning as intended, like reviewing privileged access lists, verifying that remote sessions are logged, or confirming that segmentation boundaries remain enforced. Some items are control validation, meaning tasks that test whether the control actually works, like restoring from backups to confirm recovery, or checking that monitoring detects key events. Some items are evidence activities, meaning capturing proof that the work occurred, such as signed review records, test results, and change documentation. In practice, these overlap because doing the work often produces evidence, but thinking about them separately helps you avoid a common beginner mistake: collecting evidence without actually performing the underlying control activity. A controls calendar should also include review of exceptions, because exceptions are a major source of drift and inherited risk. If exceptions are never revisited, they become permanent weak links. The calendar therefore supports both security and governance by making sure the organization returns to unfinished risk decisions at predictable times.

Scheduling in OT has to respect operational realities, because unrealistic schedules create noncompliance and resentment. OT systems often have maintenance windows, peak production periods, and safety-driven restrictions on when changes can occur. That means you may not be able to schedule certain checks or tests at arbitrary times. For example, a restore test might require a safe environment, coordination with engineering, and potentially a non-production replica, so scheduling it requires careful planning. An access review might need to align with vendor contract cycles or project cycles so it captures meaningful changes. Beginners sometimes assume compliance requires doing everything monthly, but frequency should be driven by criticality and exposure. High-risk controls like remote access reviews might need more frequent checks, while lower-risk controls might be reviewed quarterly. The key is to choose frequencies that the organization can reliably execute, because a schedule you cannot keep is not a security plan, it is a wish. A good calendar also spreads workload to avoid creating periodic spikes that cause rushed work. When scheduling is realistic, the calendar becomes a habit rather than a burden.

A controls calendar must also clarify ownership, because scheduled tasks without owners become missed tasks. In OT, ownership can be shared across security, engineering, and operations, so the calendar should specify who performs the activity, who reviews the results, and who approves any follow-up actions. For example, an access review might be performed by a system owner, reviewed by security, and approved by an operations manager, depending on the environment. Backup testing might be performed by engineering, with results reviewed by security and operations to ensure recovery time expectations are met. Beginners often think security owns all security tasks, but in OT, ownership must align with who has authority and knowledge, otherwise tasks either do not happen or happen in a superficial way. Clear ownership also supports accountability without blame because it sets expectations in advance. If a task is missed, the response can be to adjust scheduling, clarify responsibilities, or improve tooling rather than to point fingers. When ownership is clear, the calendar becomes a coordination tool, not just a reminder list. That coordination is what makes compliance sustainable.

Evidence is a central part of a controls calendar, but it should be treated as proof of reality, not as paperwork for its own sake. In OT, evidence matters because it allows you to show that controls are not just designed, they are maintained. Evidence also supports incident response because when something goes wrong, evidence helps you determine whether the control failed, was bypassed, or was never applied. Beginners sometimes imagine evidence as screenshots and files collected at audit time, but the strongest evidence is generated naturally during routine control work, such as access review records, session logs, change tickets, and test results. A good calendar defines what evidence is required for each activity and where it is stored, so it can be found later without a scramble. It also defines what good evidence looks like, meaning it includes date, scope, reviewer, findings, and follow-up actions. Evidence should be just detailed enough to be trusted, not so burdensome that people skip it. In OT, where teams are busy, the best evidence is concise, consistent, and tied to real decisions. When evidence is designed into the process, compliance becomes a byproduct of doing the right work.

Sustainable compliance is not the same thing as doing the minimum to pass an audit, and the controls calendar is where that difference becomes visible. A program that chases audits tends to do last-minute evidence collection, superficial reviews, and rushed remediations that can create operational risk. A sustainable program uses the calendar to keep controls healthy all year, which means audits become a snapshot of ongoing work rather than a panic event. Beginners sometimes assume audits are the goal, but the real goal is stable and defendable operations, and compliance is a way of showing that stability to outsiders and to leadership. The calendar helps because it creates a routine that can be repeated, measured, and improved, which is what auditors and risk leaders tend to want to see. It also helps because it makes control gaps visible early, when they can be addressed safely and deliberately. If a quarterly segmentation review reveals drift, you can plan corrections during a safe window rather than discovering drift after an incident. The calendar therefore reduces both cyber risk and operational stress. This is why calendars are not just for compliance, they are for resilience.

A controls calendar also needs to include follow-up and escalation logic, because finding a problem is only useful if it leads to action. For example, an access review might find orphaned accounts, and the calendar should connect that finding to a remediation workflow with deadlines and approvals. A backup test might fail, and the response should include corrective actions and retesting, not just a note that it failed. Beginners sometimes think the calendar ends when the activity is performed, but in reality the calendar should include time for remediation and revalidation. This is especially important in OT because remediation often requires coordination and safe scheduling, so delays are common, but delays must be managed and documented. The calendar can also define thresholds for escalation, such as when a repeated control failure becomes a leadership issue or a formal risk acceptance discussion. Escalation is not punishment, it is governance, ensuring that important risks are visible to the people who can allocate resources. When follow-up is built in, the calendar drives improvement rather than merely tracking activity.

Another important aspect is managing calendar scope across different sites and systems, because OT environments are rarely uniform. A single enterprise might have multiple plants with different processes, different vendors, and different risk profiles. A mature controls calendar supports a common baseline, like minimum remote access review frequency, while allowing site-specific additions based on criticality and exposure. Beginners might assume standardization means identical schedules everywhere, but a more realistic approach is standardizing expectations and evidence while allowing local adaptation. For example, a safety-critical site might run more frequent recovery tests than a low-impact site, and that is appropriate because consequence is different. The calendar should also align with other operational rhythms, like maintenance windows, shutdowns, and major upgrade cycles, so control activities fit naturally. When the calendar is integrated with operational planning, it feels less like a security add-on and more like part of disciplined plant management. This integration also helps because control activities can be combined with other planned work, reducing disruption. A good calendar respects that OT time is precious and uses it wisely.

Beginners also need to understand that a controls calendar is not static, because maturity changes what you need to schedule. Early in a program, you might schedule more frequent inventory reconciliation and discovery because visibility is still developing. As visibility improves, you might shift focus to validating segmentation and improving monitoring quality. If third-party access is a major inherited risk, you might schedule frequent vendor access reviews until the program stabilizes. Over time, as controls become reliable, you can adjust frequencies based on evidence, like reducing frequency for controls that consistently perform well and increasing it for controls that show repeated drift. This is a healthy feedback loop, because it uses performance to tune effort, which supports sustainability. Beginners sometimes think compliance schedules are fixed forever, but in risk-driven programs, schedules evolve with maturity and with changes in the environment. The important thing is that changes are deliberate and documented, so the calendar remains defendable. When the calendar evolves, it shows the program is learning rather than simply repeating tasks.

Finally, operating a controls calendar is about making OT security repeatable, evidence-backed, and compatible with safe operations. The calendar creates a steady rhythm of control operation and validation so drift is caught early and controls remain trustworthy. Scheduling makes the work realistic and predictable, which reduces the temptation for shortcuts and reduces operational disruption. Evidence practices make compliance sustainable by turning routine work into proof, and they also strengthen incident response by showing what was in place at the time of an event. Ownership and follow-up ensure that calendar activities lead to real improvements rather than checkmarks. Over time, the calendar becomes part of organizational memory, helping the program survive staff turnover and changes in vendor relationships. For beginners, the key takeaway is that OT security is not only about what you build, it is also about what you keep building every week, every month, and every quarter. A controls calendar is how you keep building without chaos, and it is one of the most practical tools for making risk treatment real in the long run.

Episode 57 — Operate a Controls Calendar: Scheduling, Evidence, and Sustainable Compliance
Broadcast by