What is a Security Control?
A Security Control is a safeguard or countermeasure — administrative, technical, or physical — implemented to reduce information security risk by protecting the confidentiality, integrity, or availability of data and systems. Examples include access controls, encryption, security awareness training, and logging. Frameworks group controls into reference sets such as ISO 27001 Annex A.
Security controls matter because they are the concrete means by which risk is actually reduced. A risk assessment identifies what could go wrong; controls are what you put in place to stop it or limit the damage. Controls fall into three families — administrative (policies and procedures), technical (software and configuration), and physical (locks and access barriers).
For example, the risk of unauthorized data access can be treated with a combination of controls: an access-control policy (administrative), multi-factor authentication (technical), and a locked server room (physical), each reinforcing the others.
Many controls are administrative, meaning the documented policy or procedure is the control itself. A well-structured policy set gives you those administrative controls, in the language auditors expect, immediately, so your effort goes into implementing and operating them rather than drafting from scratch. Templates accelerate the documentation, but a control only counts when it is actually running and producing evidence: an MFA requirement that exists on paper while privileged accounts still sign in with a password alone is a documented control, not an operating one.
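The following is an added example, not code from the glossary or from any toolkit it describes, showing what "running and producing evidence" looks like for one technical control: MFA on privileged logins. It parses authentication events and reports whether the control objective held. The log lines, field names (`user=`, `result=`, `mfa=`, `role=`) and the `check_mfa_control` helper are constructed for this illustration and do not correspond to any real product's log format.

```python
"""Evidence check for a technical control (added example, constructed data).

Control objective: every successful login by a privileged account used MFA.
The log format below is an assumption made for this example, not a real
product's output.
"""
import re
from dataclasses import dataclass, field

# Constructed evidence: one authentication event per line, format assumed as
# <timestamp> user=<name> result=<success|failure> mfa=<yes|no> role=<role>
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01Z user=alice result=success mfa=yes role=admin
2024-05-01T08:03:12Z user=bob result=success mfa=no role=admin
2024-05-01T08:05:40Z user=carol result=success mfa=yes role=user
2024-05-01T08:07:55Z user=dave result=failure mfa=no role=admin
2024-05-01T08:09:13Z user=erin result=success mfa=no role=user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>yes|no) role=(?P<role>\S+)$"
)


@dataclass
class ControlResult:
    checked: int                    # in-scope events examined
    exceptions: list = field(default_factory=list)  # events violating the objective

    @property
    def effective(self) -> bool:
        # No evidence at all means the control is not demonstrated, so it
        # does not count; a documented control with zero observations fails.
        return self.checked > 0 and not self.exceptions


def parse_events(log_text: str) -> list:
    """Parse evidence lines; refuse to silently skip malformed evidence."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable evidence line: {line!r}")
        events.append(m.groupdict())
    return events


def check_mfa_control(log_text: str, privileged_roles=("admin",)) -> ControlResult:
    """Evaluate the MFA control over the supplied evidence.

    Only successful logins by privileged roles are in scope: a failed login
    without MFA is not a control failure, and unprivileged users are outside
    this control's objective unless the caller widens privileged_roles.
    """
    events = parse_events(log_text)
    in_scope = [
        e for e in events
        if e["result"] == "success" and e["role"] in privileged_roles
    ]
    exceptions = [e for e in in_scope if e["mfa"] != "yes"]
    return ControlResult(checked=len(in_scope), exceptions=exceptions)


if __name__ == "__main__":
    result = check_mfa_control(SAMPLE_AUTH_LOG)
    print(f"privileged logins checked: {result.checked}")
    for e in result.exceptions:
        print(f"  exception: {e['ts']} {e['user']} logged in without MFA")
    print("control effective:", result.effective)
```

Run against the constructed log, the check examines the two successful admin logins, flags `bob` as an exception, and reports the control as not effective; run against empty evidence it also reports not effective, because a control that produces no evidence cannot be shown to be operating. Widening `privileged_roles` to include `user` turns the same check into an organisation-wide MFA coverage test.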
Related terms: Annex A Controls · Access Control · Statement of Applicability (SoA) · NIST CSF Core Functions
Frequently asked questions
- What are the three types of security control?
- Administrative controls (policies, procedures, and training), technical controls (such as encryption, MFA, and logging), and physical controls (such as locks, badges, and secure facilities). Most effective programs combine all three.
- What is the difference between a control and a policy?
- A policy is a written rule that often functions as an administrative control. A control is any safeguard that reduces risk, including technical and physical measures. So a policy is one kind of control, but not all controls are policies.
Toolkits that cover Security Control
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
NIST CSF 2.0 Complete Toolkit
15 editable policies and plans covering all six CSF 2.0 functions, plus a Profile & Assessment workbook with every one of the 106 subcategories, a risk register, and an audit evidence checklist.
SOC 2 Complete Toolkit
22 policies plus the risk register, full Trust Services Criteria mapping and audit evidence checklist — built for startups facing their first SOC 2.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
