Controls are the safeguards implemented to reduce or eliminate risks. They include technical measures (encryption, firewalls) and organizational measures (policies, training, procedures).
Controls are mapped to risk levels and compliance requirements. Regular testing ensures they remain effective and aligned with evolving threats.