Security controls or security measures are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency.

Types of security controls

Security controls can be classified by various criteria. For example, controls can be classified by how/when/where they act relative to a security breach (sometimes termed control types): Security controls can also be classified according to the implementation of the control (sometimes termed control categories), for example:

Information security standards and control frameworks

Numerous information security standards promote good security practices and define frameworks or systems to structure the analysis and design for managing information security controls. Some of the most well known standards are outlined below.

International Standards Organization

ISO/IEC 27001:2022 was released in October 2022. All organizations certified to ISO 27001:2013 are obliged to transition to the new version of the Standard within 3 years (by October 2025). The 2022 version of the Standard specifies 93 controls in 4 groups: It groups these controls into operational capabilities as follows: The previous version of the Standard, ISO/IEC 27001, specified 114 controls in 14 groups:

U.S. Federal Government information security standards

The Federal Information Processing Standards (FIPS) apply to all US government agencies. However, certain national security systems, under the purview of the Committee on National Security Systems, are managed outside these standards. Federal information Processing Standard 200 (FIPS 200), "Minimum Security Requirements for Federal Information and Information Systems," specifies the minimum security controls for federal information systems and the processes by which risk-based selection of security controls occurs. The catalog of minimum security controls is found in NIST Special Publication SP 800-53. FIPS 200 identifies 17 broad control families: National Institute of Standards and Technology

NIST Cybersecurity Framework

A maturity based framework divided into five functional areas and approximately 100 individual controls in its "core."

NIST SP-800-53

A database of nearly one thousand technical controls grouped into families and cross references.

Commercial Control Sets

COBIT5

A proprietary control set published by ISACA.

CIS Controls (CIS 18)

Formerly known as the SANS Critical Security Controls now officially called the CIS Critical Security Controls (COS Controls). The CIS Controls are divided into 18 controls. The Controls are divided further into Implementation Groups (IGs) which are a recommended guidance to prioritize implementation of the CIS controls.

Telecommunications

In telecommunications, security controls are defined as security services as part of the OSI model: These are technically aligned. This model is widely recognized.

Data liability (legal, regulatory, compliance)

The intersection of security risk and laws that set standards of care is where data liability are defined. A handful of databases are emerging to help risk managers research laws that define liability at the country, province/state, and local levels. In these control sets, compliance with relevant laws are the actual risk mitigators.

Business control frameworks

There are a wide range of frameworks and standards looking at internal business, and inter-business controls, including: