Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.
They can be classified by several criteria. For example, according to the time that they act, relative to a security incident:
According to their nature, for example:
A similar categorization distinguishes control involving people, technology and operations/processes.
In the field of information security, such controls protect the confidentiality, integrity and/or availability of information - the so-called CIA Triad
Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.
Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known are outlined below.
ISO/IEC 27001:2013 specifies 114 controls in 14 groups:
From NIST Special Publication SP 800-53 revision 4.
From DoD Instruction 8500.2 [1] there are 8 Information Assurance (IA) areas and the controls are referred to as IA controls.
DoD assigns the IA control per CIA Triad leg.
In telecommunications, security controls are defined as Security services as part of OSI Reference model
These are technically aligned. This model is widely recognized
There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including: