Glossary category

Security Controls

The technical and procedural measures that reduce risk: how Annex A controls map to real practices, and how to pick the ones that matter.

Security controls are the practical measures a programme uses to reduce risk. Some are technical, like access control, encryption, or logging. Others are procedural, like a documented incident response plan or a quarterly access review. The ISO 27001 Annex A catalogue lists 93 controls grouped into four themes; NIS2 references many of the same ideas under different headings. Picking the right set is not a matter of ticking every box. It is a matter of mapping each control back to the specific risks it addresses, and being able to explain that mapping when an auditor asks.

Terms in this category.

6 entries.

  • Access Control

    Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.

  • Identity and Access Management

    The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.

  • Incident Response

    Procedures, roles, and decisions activated when a security incident is detected, covering containment, eradication, recovery, regulatory notification, and post-incident learning.

  • Least Privilege

    Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.

  • Phishing

    Social-engineering attack in which a threat actor impersonates a trusted party to induce the recipient to disclose credentials, transfer funds, or run malicious code.

  • Supply Chain Security

    The discipline of identifying, assessing, and managing the security risks introduced by third-party suppliers, sub-processors, and managed service providers throughout the contract lifecycle.