"Decision Gates define major control points that are used to move from one phase of the project to the next. A control gate is used to determine if the products for the current phase of work are completed based on the criteria set out at the beginning of the project and that the project is ready to move forward to the next phase. Controls are used to get formal sign off of that phase of work by the system’s owner and management."Ok, so you need to deploy security controls and processes. Try to identify the decision gates inside your organization. They are everywhere: change management, application development, hiring process, aming others. Decision gates that already exist are the best places to include security assessments and verifications. You don't need to change established processes, just include some checks on the decision gates. One thing is very important, however. Remember to clearly define the pass/fail conditions, the exemption process and to get some empowerment to be able to participate on the decision that is made on those gates. Without that, you'll just be documenting risk, not controlling (and managing) it.