A security control is any safeguard or countermeasure designed to protect the confidentiality, integrity, or availability of information and systems. Controls are classified by function: preventive controls stop an attack before it succeeds, detective controls identify an attack in progress or after the fact, and corrective controls restore systems after an incident. They are also classified by how they are implemented: technical (logical), administrative (managerial), or physical.
Control selection is driven by risk assessment. A control whose cost exceeds the loss it prevents is not worth implementing; in quantitative terms, a control is justified only when the reduction in annualized loss expectancy it delivers is greater than its annual cost. Effective security programs match control selection to actual threats and to the organization's risk appetite.
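The cost-versus-risk rule above is usually applied with the standard quantitative risk formulas (ALE = SLE x ARO; control value = ALE before the control minus ALE after it minus the control's annual cost). The following Python is an added example, not code from the original page; the threats, controls and all figures in it are constructed for illustration.

```python
"""Quantitative cost/benefit check for security control selection.

Added example with constructed data. Uses the standard quantitative
risk formulas:
    ALE (annualized loss expectancy) = SLE * ARO
    control value = ALE_before - ALE_after - annual cost of the control
A control is worth implementing only when its value is positive.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    def ale(self) -> float:
        """Expected annual loss with no control in place."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                        # name of the Threat it mitigates
    annual_cost: float                 # licences, hardware and staff time per year
    residual_aro: float                # expected ARO once the control is in place
    residual_sle: Optional[float] = None  # set when the control limits damage, not likelihood


def control_value(threat: Threat, control: Control) -> float:
    """Annual value of a control: loss avoided minus what the control costs.

    A negative result means the control costs more than the risk it removes.
    """
    if control.threat != threat.name:
        raise ValueError(f"{control.name} does not address {threat.name}")
    residual_sle = threat.sle if control.residual_sle is None else control.residual_sle
    ale_after = residual_sle * control.residual_aro
    return threat.ale() - ale_after - control.annual_cost


def select_controls(threats: List[Threat], controls: List[Control]) -> List[Tuple[str, float]]:
    """Return (control name, annual value) for every control worth implementing,
    most valuable first. Controls with zero or negative value are dropped."""
    by_name = {t.name: t for t in threats}
    scored = [(c.name, control_value(by_name[c.threat], c)) for c in controls]
    return sorted([(n, v) for n, v in scored if v > 0], key=lambda nv: -nv[1])


# Constructed sample data (hypothetical figures, not from any real assessment).
THREATS = [
    Threat("ransomware", sle=500_000, aro=0.2),     # ALE 100,000
    Threat("laptop theft", sle=20_000, aro=2.0),    # ALE 40,000
    Threat("phishing", sle=15_000, aro=4.0),        # ALE 60,000
]

CONTROLS = [
    # Corrective: does not stop the attack, but caps the loss per incident.
    Control("Offline, tested backups", "ransomware", annual_cost=30_000,
            residual_aro=0.2, residual_sle=50_000),
    # Preventive: disk contents stay confidential, so a stolen laptop costs little.
    Control("Full-disk encryption", "laptop theft", annual_cost=5_000,
            residual_aro=2.0, residual_sle=2_000),
    # Preventive: cuts how often phishing succeeds.
    Control("Phishing-resistant MFA", "phishing", annual_cost=20_000,
            residual_aro=0.5),
    # Over-engineered: the control costs far more than the risk it addresses.
    Control("Armed escort for every laptop", "laptop theft", annual_cost=120_000,
            residual_aro=0.1),
]


if __name__ == "__main__":
    for name, value in select_controls(THREATS, CONTROLS):
        print(f"{name:32s} justified, net annual value {value:,.0f}")
```

Running the module lists only the three controls whose annual value is positive; the escort control is dropped because its cost (120,000) dwarfs the 40,000 of annual loss it could at most remove. The same function works for controls that reduce likelihood (lower `residual_aro`), controls that reduce impact (lower `residual_sle`), or both.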
CISSP Relevance
Security controls appear across all eight CISSP domains but are most concentrated in Domain 1 (Security and Risk Management) and Domain 6 (Security Assessment and Testing). CISSP candidates must understand control types, selection frameworks, and how to evaluate control effectiveness.
External reference: NIST SP 800-53 Rev 5 Security and Privacy Controls
Related terms: Risk Assessment, Security Audit