Short answer: YES!
Generally speaking, you'll have a set of user needs (high-level, basis for validation) and these drive (and trace to) system requirements (written such that they can be verified). In parallel, you have risk management work and the controls also drive (and trace to) system requirements. (It can get substantially more complex, especially if software is involved but that's the gist.) Risk controls need to be demonstrated to be implemented (often through verification) and effective (often through validation).