Controls Help Mitigate and Reduce Risks
Controls are administrative, management, technical, and legal methods used to manage risk. They include policies, procedures, programs, techniques, technologies, guidelines, and organizational structures. Controls help an organization comply with standards by addressing information security risks to the confidentiality, integrity, and availability of its information.
Security policies and control objectives express management’s commitment to implementing, maintaining, and improving its information security management system (ISMS). Leading organizations use best-practice information security control measures to satisfy the stated control objectives. Standards frequently do not mandate specific controls; instead they leave it to the organization to select and implement controls that suit it, using a risk-assessment process to identify the most appropriate controls for its specific requirements. Organizations are typically free to choose controls as long as their control objectives are satisfied.
Leading organizations follow a Plan, Do, Check, Act (PDCA) cycle:
- Plan – establish the ISMS: define its scope and policy, assess risks, and select control objectives and controls
- Do – implement, operate, and maintain
- Check – monitor, audit, and review
- Act – continual improvement