A security control is a safeguard or countermeasure—technical, administrative or physical—designed to manage and reduce security risks to an acceptable level. Technical controls include firewalls, encryption and access management systems; administrative controls encompass policies, procedures and training programmes; physical controls cover locks, CCTV and environmental protections. Controls are selected based on risk assessment outcomes and framework requirements.
The effectiveness of security controls must be regularly tested and monitored to ensure they continue to mitigate the risks they were designed to address. In ISO 27001, controls are mapped to the Annex A reference controls and documented in the Statement of Applicability, which records which controls are in place, which have been excluded, and the justification for each, providing a clear audit trail. A defence-in-depth approach, layering multiple independent controls so that no single failure leaves an asset unprotected, is considered best practice.