Control

Definition

A control is a safeguard or measure used to reduce the likelihood or impact of an unwanted event (such as a security incident, service outage, fraud, or data misuse) to an acceptable level. Controls can be preventive (stop something from happening), detective (identify that something happened), or corrective (restore normal operations and reduce recurrence). They can also be administrative/organizational (policies, training, approvals), technical (configuration, encryption, access restrictions, monitoring), or physical (locks, badges, secure disposal). In a compliance program, a control is more than an intention: it is something that is designed, implemented, and operated consistently, with clear ownership, scope, and objective. Effective controls are typically tied to risks and requirements, have defined steps or configurations, produce evidence (logs, tickets, reports, attestations), and are reviewed and improved over time. When controls are documented well, teams can explain why the control exists, how it works, what it covers, what could cause it to fail, and how they verify it is operating effectively.

Real-World Examples

Startup access control

A small team enforces least privilege by requiring manager approval for new admin access and reviewing privileged accounts quarterly.

Scaleup data protection

Engineering enables encryption in transit and at rest, plus automated key rotation, to reduce the impact of data exposure.

Enterprise change management

Production changes require peer review, testing evidence, and a documented rollback plan before deployment to reduce outage risk.

Ongoing detection and response

Security monitoring alerts on suspicious logins, and the incident process mandates triage, containment, and post-incident corrective actions.

A control is a safeguard that reduces risk by preventing, detecting, or correcting unwanted events. In compliance, it must be designed, implemented, and operated with evidence that it works.

Administrative controls include policies, training, and approvals; technical controls include access restrictions, encryption, and monitoring; physical controls include locks, badges, and secure facilities.

A control objective states the intended outcome (what you want to achieve), while a control is the specific measure that achieves it (how you achieve it), including steps, configurations, and ownership.

A policy sets high-level rules and expectations, a procedure gives step-by-step instructions, and a control is the safeguard that reduces risk and can be tested through operation and evidence.

Preventive controls stop issues (e.g., MFA), detective controls identify issues (e.g., alerting on unusual logins), and corrective controls restore and improve (e.g., rollback plans and root-cause fixes).

Many standards and regulations provide catalogs of control topics and common safeguards. Organizations select and tailor controls based on risk and requirements, then maintain evidence that the controls are operating as intended.

Select controls by linking each significant risk to treatment actions that reduce likelihood or impact, then document why each control is chosen. For example, if credential theft is a key risk, implement MFA, conditional access rules, and monitoring to reduce the likelihood of account compromise and detect suspicious activity.

Document the control’s purpose, scope, owner, frequency, steps or configurations, required evidence, and how exceptions are handled. Include references to supporting procedures and a method for periodic review.
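The risk-to-control selection above and the documentation items just listed, worked as a small register that flags untreated risks and under-documented controls (an added illustration, not the wiki's or any GRC product's code; the control names, owners and evidence sources are constructed samples):

```python
from dataclasses import dataclass, field

# Added illustration: a minimal control register that links risks to controls
# and checks the documentation items the page lists (purpose, scope, owner,
# frequency, evidence) plus preventive/detective coverage for each risk.
@dataclass
class Control:
    name: str
    kind: str        # "preventive", "detective" or "corrective"
    purpose: str
    scope: str
    owner: str
    frequency: str   # e.g. "continuous", "quarterly", "per change"
    evidence: list   # where proof that the control operates comes from

@dataclass
class Risk:
    name: str
    controls: list = field(default_factory=list)

REQUIRED = ("purpose", "scope", "owner", "frequency")

def control_gaps(c: Control) -> list:
    """Documentation items missing from a control record."""
    gaps = [f for f in REQUIRED if not getattr(c, f).strip()]
    if not c.evidence:
        gaps.append("evidence")
    return gaps

def risk_gaps(r: Risk) -> list:
    """A risk is treated only if both likelihood and impact are addressed:
    at least one preventive and one detective control, each fully documented."""
    kinds = {c.kind for c in r.controls}
    gaps = [k for k in ("preventive", "detective") if k not in kinds]
    gaps += [f"{c.name}: missing {', '.join(control_gaps(c))}"
             for c in r.controls if control_gaps(c)]
    return gaps

# The page's own case: credential theft treated by MFA plus login monitoring (constructed records).
MFA = Control("MFA", "preventive", "Block use of stolen passwords",
              "All workforce identities", "IAM lead", "continuous", ["IdP policy export"])
MON = Control("Suspicious login alerting", "detective", "Detect account compromise",
              "IdP sign-in logs", "SecOps", "continuous", ["SIEM alerts", "triage tickets"])
# A half-documented corrective control: owner and evidence were never filled in.
ROLLBACK = Control("Rollback plan", "corrective", "Restore service after a bad change",
                   "Production", "", "per change", [])

def demo() -> tuple:
    return (risk_gaps(Risk("Credential theft", [MFA, MON])),
            risk_gaps(Risk("Bad production change", [ROLLBACK])))
```

Running `demo()` returns an empty gap list for the first risk and, for the second, the missing preventive and detective coverage plus the undocumented fields of the rollback control.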

Typical evidence includes configurations, access review records, logs, tickets, change approvals, training completion records, monitoring alerts and follow-up actions, and periodic review reports showing consistency over time.

Auditors typically review documentation, interview control owners, and sample evidence over a defined period to confirm the control is implemented, followed, and effective, including how issues are tracked and corrected.

Version | Date       | Author                          | Description
1.0.0   | 2026-02-26 | WatchDog Security GRC Wiki Team | Initial publication