Security controls

Security controls are specific measures, mechanisms, or activities that an organization designs and applies to address identified information security risks. In the context of ISO 27001 and an Information Security Management System (ISMS), security controls are selected and implemented based on a documented risk assessment and risk treatment plan.

Security controls are typically grouped into three categories:

  • Administrative (organizational): policies, procedures, roles, responsibilities, and governance structures that direct how security is managed.
  • Technical: logical or technological mechanisms such as access controls, encryption, logging, and network segregation.
  • Physical: measures that protect facilities and physical assets, such as locks, badges, and surveillance.

Each control is defined so that it can be implemented, operated, monitored, and reviewed. ISO 27001 and its related guidance documents (such as ISO 27002) provide structured catalogues of control objectives and example controls that organizations can use when designing their ISMS.