Security controls are the practical measures a programme uses to reduce risk. Some are technical, like access control, encryption, or logging. Others are procedural, like a documented incident response plan or a quarterly access review. The ISO 27001 Annex A catalogue lists 93 controls grouped into four themes; NIS2 references many of the same ideas under different headings. Picking the right set is not a matter of ticking every box. It is a matter of mapping each control back to the specific risks it addresses, and being able to explain that mapping when an auditor asks.
Glossary category
Security Controls
The technical and procedural measures that reduce risk: how Annex A controls map to real practices, and how to pick the ones that matter.
Terms in this category (11 entries).
Access Control
Policies and mechanisms that restrict who can do what within information systems, by reference to identity, role, or attribute, recorded in a form that can be reviewed.
Data Breach
An incident in which personal or confidential data is accessed, disclosed, or destroyed without authorisation, triggering GDPR Article 33 and NIS2 notification obligations.
Identity and Access Management
The discipline of authenticating who someone is, deciding what they are allowed to do, and recording the decisions so they can be reviewed, revoked, or attested to over time.
Incident Response
Procedures, roles, and decisions activated when a security incident is detected, covering containment, eradication, recovery, regulatory notification, and post-incident learning.
Least Privilege
Principle that every identity should hold only the permissions required for its legitimate function, with privileges granted, time-bound, and revoked rather than accumulated.
Multi-Factor Authentication
An authentication mechanism requiring two or more independent verification factors, so that a stolen password or other single credential is not, on its own, enough to authenticate.
Phishing
Social-engineering attack in which a threat actor impersonates a trusted party to induce the recipient to disclose credentials, transfer funds, or run malicious code.
Prompt Injection
An attack class where adversarial instructions in user input or retrieved content hijack an LLM's system prompt, causing the model to act against its operator's intended behaviour.
Role-Based Access Control
A permissions model where users inherit access rights from assigned business roles rather than through per-person grants, making the access landscape manageable and auditable as headcount grows.
Supply Chain Security
The discipline of identifying, assessing, and managing the security risks introduced by third-party suppliers, sub-processors, and managed service providers throughout the contract lifecycle.
Zero Trust
A security model that removes implicit trust based on network location, requiring every access request to be authenticated and authorised regardless of whether the requestor is inside the perimeter.