
What Are Security Controls? A Full Breakdown

Get the information you need to understand what security controls are and what they mean for your organization under different frameworks.

by Troy Fine

December 03, 2024

Security controls are a critical element of any IT strategy. However, it’s a common misconception that the number of controls correlates with how difficult compliance will be to achieve. As with many things in the world of compliance, there is more to the story. 

To determine what security controls are appropriate for your needs, you must first consider the risk that your organization faces and the requirements that you may need to meet. In this post, we’ll tell you what you need to know about security controls and share a few best practices based on different frameworks.

What Are Security Controls?

Security controls are strategic measures implemented to protect your organization’s physical assets and digital data from threats. These controls form an interconnected system of defenses that work together to prevent, detect, and respond to potential risks.

Whether designed to block unauthorized access, monitor unusual activities, or restore operations after an incident, security controls are essential in minimizing risk across the entire organization.

Why Are Security Controls Important?

We’ve established that security controls are essential for protecting your organization’s assets. Below is a closer look at the benefits they offer in managing risk and building resilience.

Layered Security

Layered security strengthens your organization’s defenses across various levels, such as identity management, data protection, application security, and network infrastructure. This multi-tiered approach reduces reliance on any single point of defense, so an attacker who defeats one layer still has to defeat the next.

For example, your organization might implement multi-factor authentication for identity management, encryption to protect data, firewalls to secure network access, and activity monitoring tools to oversee application security. Each layer works together to deter unauthorized access and close potential gaps.

Adaptation to Regulatory Requirements

Security controls also play an important role in helping your organization comply with regulatory standards, such as GDPR, CCPA, and industry-specific regulations. These controls are often mandatory to protect sensitive data and demonstrate due diligence in safeguarding customer information.

For instance, regulations like GDPR require organizations to implement measures that ensure the integrity and confidentiality of data. Security controls such as data classification policies, encryption, and access management align directly with these requirements, so it’s easier to prove compliance and avoid penalties.

Operational Efficiency

Automated controls, like real-time monitoring and role-based access management, help reduce resource demands and eliminate redundant tasks. This shift allows IT teams to focus on strategic objectives, like improving threat intelligence, enhancing user training programs, or developing stronger incident response plans.

Well-implemented controls also minimize disruptions from security incidents and reduce costs associated with breaches, fines, and recovery efforts. 

What Are the Types of Security Controls? 

Security controls are broken down into categories. They can be grouped either by the type of control (physical, administrative, or technical) or by the purpose of the control (preventive, detective, or corrective). 

Controls may be categorized based on any combination of type and purpose. For instance, a control can be categorized as a preventive physical control, or a corrective technical control. 

Each of these categories of controls plays a key role in both proactively addressing risk and responding to threats when they appear. To provide the best security for your organization and its data, you need to consider all of them.

Physical Controls 

Physical controls protect your resources and infrastructure from physical threats such as theft or damage. These controls exist on premises to help you manage the environment where critical information exists. 

Examples of physical controls include: 

  • Security guards who monitor access to restricted areas and deter unauthorized entry

  • Video surveillance equipment that records activities on-site and provides visual evidence in case of incidents

  • Access cards that limit entry into restricted areas, allowing only authorized personnel to access sensitive resources

Administrative Controls 

Administrative controls involve policies, procedures, and guidelines that are put in place to keep human error from creating security vulnerabilities for the organization. This is key because widely cited research attributes roughly 88% of data breaches to employee error. 

Examples of administrative controls include: 

  • Data classification policies that specify how different types of data should be handled and protected

  • Employment agreements that outline employees’ responsibilities in maintaining security and confidentiality

  • Password policies that set minimum length, screen for known-breached passwords, and define when passwords must be changed. Note that NIST SP 800-63B advises against forced periodic expiration and recommends changing passwords when compromise is suspected, so a policy that still mandates rotation should be a deliberate, documented choice.

Technical Controls 

Technical controls include hardware, software, and firmware that are used to prevent unauthorized access to systems or data. Controls at this level act as another line of defense if an unauthorized user were to gain access to your devices. 

Examples of technical controls include: 

  • Firewalls that filter network traffic to prevent unauthorized users from accessing systems

  • Antivirus software that scans for malicious software and protects devices from infection

  • Encryption that secures data during storage and transmission, making it unreadable to unauthorized parties 

Preventive Controls

Preventive controls are there to prevent or decrease the chances of an information security incident. Controls at this level allow you to take a proactive approach and build a security-first culture within your organization. 

Examples of preventive controls include:

  • Multi-factor authentication (MFA), which requires multiple verification methods to confirm a user’s identity, so a stolen password alone is not enough to gain access

  • Security awareness training to educate employees on best practices and reduce the likelihood of human error

  • Segregation of duties that divides responsibilities to reduce the risk of internal fraud or misuse of access 

Detective Controls 

Detective controls are put in place to help you identify irregularities or problems when an information security incident occurs. They also give you evidence of whether your preventive controls are working: a login that succeeds without an MFA step, for example, shows that MFA is not being enforced everywhere it should be. 

Examples of detective controls include: 

  • Security Information and Event Management (SIEM) systems that collect and analyze security-related data from sources across the organization’s network in near real time

  • Data leakage detection tools that alert administrators when sensitive information is at risk of exposure

  • Malware detection software that identifies malicious programs attempting to infiltrate the system
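Detective controls are easiest to understand as rules run over the events a system already produces. The following is an added example written for this page, not code from the original post or from any SIEM product: it parses a constructed auth log (the line format, including the mfa=yes/no field, is assumed) and runs two rules over it, one that flags a burst of failed logins followed by a success from the same source, and one that flags any successful login where MFA did not run, which is the detective check that tells you the preventive MFA control is not enforced.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). The line format, including the
# explicit mfa=yes/no field, is an assumption made for this example.
SAMPLE_LOG = """\
2024-12-03T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL mfa=no
2024-12-03T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL mfa=no
2024-12-03T10:00:05Z auth user=alice src=203.0.113.5 result=FAIL mfa=no
2024-12-03T10:00:07Z auth user=alice src=203.0.113.5 result=FAIL mfa=no
2024-12-03T10:00:09Z auth user=alice src=203.0.113.5 result=FAIL mfa=no
2024-12-03T10:00:12Z auth user=alice src=203.0.113.5 result=SUCCESS mfa=no
2024-12-03T10:05:00Z auth user=bob src=198.51.100.7 result=SUCCESS mfa=yes
2024-12-03T11:00:00Z auth user=carol src=192.0.2.9 result=FAIL mfa=no
2024-12-03T11:30:00Z auth user=carol src=192.0.2.9 result=SUCCESS mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAIL) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Run two detection rules over the event stream and return the alerts.

    brute_force_then_success: at least `threshold` failures from one source IP
        inside `window`, followed by a success from that same IP.
    login_without_mfa: a successful login where the MFA step did not run, which
        is evidence that the preventive MFA control is not enforced.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src IP -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            continue
        if len(q) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": ev["user"],
                           "src": ev["src"], "failures": len(q), "ts": ev["ts"]})
        if ev["mfa"] == "no":
            alerts.append({"rule": "login_without_mfa", "user": ev["user"],
                           "src": ev["src"], "ts": ev["ts"]})
        q.clear()  # a success resets the failure counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample log, the first rule fires once for alice (five failures in eleven seconds, then a success) and the second rule fires for the same login because it completed without MFA; bob and carol produce nothing. The per-source sliding window is the part worth copying: counting failures per user instead would miss password spraying, where one source tries a few passwords against many accounts.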

Corrective Controls 

Corrective controls act after an information security incident or problem has been detected. These controls are there to remedy flaws, make improvements, and guide corrective action. 

Examples of corrective controls include: 

  • Incident management and planning to coordinate responses, investigate root causes, and minimize incident impact

  • Disaster recovery planning that provides a roadmap for restoring operations after significant disruptions

  • Error handling protocols to correct software or system flaws and prevent recurrence

Although the examples above are not exhaustive lists of possible controls, they can give you an idea of what you can implement across different control types.

What is the Main Goal of Security Controls? 

The goal of security controls is to protect your data and systems from unauthorized access or use. They apply at every scale, from passwords on individual online accounts to monitoring your entire network for attacks. 

The important thing to remember is that security controls are not something you can set and forget. When you take part in an audit, you’ll need to take steps to ensure specific controls are in place and working properly. 

You’ll also need to take steps to address new risks, continuously update and test your programs, and maintain compliance.

Number of Security Controls Through Different Frameworks 

There are several different security frameworks organizations can use to demonstrate that their assets are secure. The number of controls you will need to implement depends on the criteria and requirements that apply to your organization under that framework.

Keep in mind that the below is simply a generalized breakdown to give you a ballpark on the number of controls for each framework. 

SOC 2 

The count depends on which Trust Services Categories (Availability, Confidentiality, Processing Integrity, Privacy) are included in your audit in addition to Security, which is always in scope. SOC 2 does not prescribe controls, so the set of controls included in an audit varies widely from one organization to the next.

Organizations define their own controls and your auditor will use their professional judgment to render an opinion on whether the controls you have in place meet the SOC 2 criteria for the categories in scope. 

Average number of controls: typically between 80 and 150 

ISO 27001 

ISO 27001 Annex A lists the reference controls, and ISO 27002 provides implementation guidance for each of them. You can draw controls from any source, but clause 6.1.3 requires you to compare the controls you chose against Annex A and verify that no necessary control has been omitted. The result is recorded in a Statement of Applicability (SoA), which lists every Annex A control and states whether it applies and, if not, why it was excluded.

Number of Annex A controls the SoA must address: 

  • ISO 27001:2013 (guidance in ISO 27002:2013) – 114 

  • ISO 27001:2022 (guidance in ISO 27002:2022) – 93 

PCI DSS 

If you’re required to complete Self-Assessment Questionnaire (SAQ) D or engage a Qualified Security Assessor to complete a Report on Compliance (ROC), you will be subject to all PCI DSS requirements, unless you document specific requirements as not applicable to your environment. The other SAQs cover fewer requirements because they apply to narrower cardholder data environments. 

Number of requirements if all PCI DSS controls are in scope: 

  • PCI DSS v3.2.1 – about 350 (v3.2.1 was retired on March 31, 2024, so new assessments are performed against v4.x) 

  • PCI DSS v4.0 – about 400 

HITRUST v9.6 

HITRUST recently released the new i1 assessment. Unlike the r2 assessment, the i1 assessment does not take an organization’s inherent risk factors into account. 

For r2 assessments, each control is divided into three implementation levels with multiple requirements. Organizations have to determine the implementation level for each control and tailor the controls based on risk. Once the implementation level and risk are determined, the number of required controls can be determined. i1 assessments don’t have implementation levels. 

Even though there are more controls in an i1 assessment, it requires less effort, because each implementation level in an r2 assessment carries several items to consider.

Number of controls:

  • i1 assessment – 219 

  • r2 assessment – 156 

For the r2 assessment, there can be as many as 1000 sub requirements. Most organizations are able to significantly reduce the number of control requirements after they determine which control requirements are necessary based on risk. 

FedRAMP 

The number of required controls is based on the control baselines: LI-SaaS, Low, Moderate, High. Organizations must determine the impact level of the system being assessed as defined in FIPS 199. 

The security controls and enhancements behind the figures below were selected from the NIST SP 800-53 Revision 4 catalog. FedRAMP moved its baselines to NIST SP 800-53 Revision 5 in 2023 and the Rev 5 counts differ, so check the current baseline documents before planning an authorization. 

Number of Controls: 

  • High – 421 

  • Moderate – 325 

  • Low – 125 

  • LI-SaaS – 126 

CMMC 2.0 

This certification has three levels. Level 1 is for organizations handling Federal Contract Information only and Levels 2 and 3 are for organizations handling Controlled Unclassified Information. 

Level 1 encompasses the 15 basic safeguarding requirements in FAR Clause 52.204-21. Level 2 encompasses the 110 security requirements for CUI in NIST SP 800-171 Rev 2, as required by DFARS Clause 252.204-7012. Level 3 adds a selected subset of the enhanced requirements in NIST SP 800-172 on top of Level 2; the final CMMC program rule (32 CFR Part 170, published in October 2024) set that subset at 24 requirements. 

Number of Controls: 

  • Level 1 – 15 (often counted as 17 when mapped to the corresponding NIST SP 800-171 practices) 

  • Level 2 – 110 

  • Level 3 – 134 (the 110 Level 2 requirements plus 24 from NIST SP 800-172) 

A Level 3 assessment requires a prior Level 2 certification assessment and is performed by the government (DCMA DIBCAC) rather than by a third-party assessor.

HIPAA

HIPAA doesn’t define a fixed number of controls but instead sets forth standards for ensuring the confidentiality, integrity, and availability of Protected Health Information (PHI). 

Compliance involves implementing safeguards defined in the Privacy Rule for Protected Health Information (PHI) and in the Security Rule for Electronic Protected Health Information (ePHI). Both PHI and ePHI require Administrative and Physical safeguards to protect patient privacy. However, a critical distinction is that ePHI additionally requires Technical safeguards to address vulnerabilities inherent to electronic data. 

The implementation of these safeguards is highly dependent on the organization’s size, complexity, technical environment, as well as the nature of the risks to the information.

Number of controls:

  • Administrative safeguards:  covers nine standards and 21 implementation specifications (e.g., risk analysis, workforce clearance procedures)

  • Physical safeguards:  covers four standards and eight implementation specifications (e.g., facility security plan, disposal of media containing ePHI)

  • Technical safeguards: covers five standards and seven implementation specifications (e.g., unique user identification, emergency access procedures)

It’s essential to recognize that HIPAA divides implementation specifications into two categories: required and addressable. Required specifications must be implemented as written, while addressable specifications provide flexibility, allowing organizations to evaluate their applicability and document alternative measures when appropriate.

How to Evaluate and Strengthen Your Foundation With Security Control Assessments

A security control assessment is a great starting point for pinpointing any weaknesses within your organization’s defenses and confirming that security measures are both effective and aligned with key standards. 

The National Institute of Standards and Technology (NIST) provides the structured approach most assessors use: NIST SP 800-53A describes how to assess whether each control is implemented correctly, operating as intended, and producing the desired outcome, and the NIST Cybersecurity Framework supplies the outcome categories that those controls are expected to support.

While NIST offers a strong foundation, your organization can further strengthen its security by conducting different types of assessments tailored to its needs. Below, we explore three such core assessments—security risk assessments, vulnerability scans, and penetration testing.

Security Risk Assessments: Identifying and Prioritizing Risks

A security risk assessment gives your organization a clear view of its current risk landscape. It identifies the assets that need protection, the threats those assets face, and the likelihood and severity of those risks.

Risk assessments typically cover three main areas:

  • Asset identification: The IT team maps out critical assets, like customer data and essential systems, to make sure nothing important is overlooked.

  • Threat analysis: The team evaluates potential risks for each asset, such as external threats, like cyberattacks, or internal risks, like human error.

  • Impact and likelihood: For each threat, IT considers the potential impact and the likelihood of it happening. This step helps them decide which assets need the most protection.

For instance, a security risk assessment might reveal that your customer database is at higher risk because it relies on outdated encryption. You can then reduce that risk by re-encrypting with current algorithms and adding monitoring, and record the residual risk that remains after those controls are in place.
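The three steps above (asset identification, threat analysis, impact and likelihood) are normally captured in a risk register that is re-scored as controls are applied. The following is an added example written for this page, not code from the original post: it scores each constructed register entry on assumed 1 to 5 likelihood and impact scales, credits controls by stepping those scales down (a simplification chosen for the example), and ranks residual risk against an assumed risk appetite to decide which risks still need treatment.

```python
from dataclasses import dataclass, field

# Qualitative 1-5 scales. The labels, the rating thresholds and the appetite
# value are assumptions for this example, not values prescribed by any framework.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # steps removed from the likelihood scale
    impact_reduction: int = 0      # steps removed from the impact scale


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self):
        """Score before any control is credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self):
        """Score after crediting controls; neither scale drops below 1."""
        lik = max(1, LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def rating(score):
    """Map a 1-25 score onto the three bands used in the register."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(register, appetite=8):
    """Rank risks by residual score and decide treatment against the appetite."""
    rows = []
    for r in register:
        res = r.residual()
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": r.inherent(),
            "residual": res,
            "rating": rating(res),
            "treatment": "treat" if res > appetite else "accept",
        })
    rows.sort(key=lambda row: (-row["residual"], row["asset"]))
    return rows


# Constructed register for this example (not a real organization's data)
REGISTER = [
    Risk("customer database", "record theft via outdated encryption", "likely", "severe",
         [Control("re-encrypt with a current cipher suite", likelihood_reduction=2)]),
    Risk("staff laptops", "device lost or stolen", "likely", "major",
         [Control("full-disk encryption", impact_reduction=3), Control("remote wipe")]),
    Risk("public website", "volumetric DDoS", "possible", "moderate"),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(row)
```

With these inputs the customer database drops from an inherent 20 to a residual 10 and still exceeds the appetite, so it stays on the treatment list; the laptop risk falls to 4 once full-disk encryption is credited and can be accepted; the website risk has no controls at all and its residual equals its inherent score. Showing both scores side by side is what lets an auditor see that a control was actually credited against a specific risk rather than listed in isolation.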

Vulnerability Scans: Finding Weak Spots in Systems and Networks

Vulnerability scanning is itself a control that most frameworks expect. SOC 2 auditors look for it as part of vulnerability management, ISO 27001 Annex A includes management of technical vulnerabilities (A.8.8 in the 2022 edition), and PCI DSS explicitly requires internal and external scans at least quarterly and after significant changes. HIPAA and GDPR do not name vulnerability scanning, but scans are a practical way to satisfy their risk analysis and technical safeguard requirements. 

These scans dig deep into systems, applications, and networks to find specific security gaps that attackers could exploit. Unlike a risk assessment, which looks at overall threats, a vulnerability assessment pinpoints weaknesses in your organization’s infrastructure so you can take proactive steps to strengthen its defenses.

Vulnerability scanning typically involves:

  • Automated scanning tools: IT teams often use specialized software to scan systems and applications for known vulnerabilities, such as outdated software versions, open ports, or misconfigured settings.

  • Manual analysis: After scanning, IT professionals review and validate findings to ensure that they’re relevant and actionable, filtering out false positives and focusing on real risks.

  • Remediation planning: Once vulnerabilities are identified, teams develop a plan to fix or mitigate them, prioritizing the most critical issues for quick action.

For example, a vulnerability assessment might uncover a misconfigured firewall that allows unnecessary traffic into a secure network. Your organization can correct the configuration to reduce its exposure to unauthorized access.
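The three steps above (automated scanning, manual analysis, remediation planning) are mostly data handling once the scanner has run. The following is an added example written for this page, not code from the original post or from any scanner vendor: it takes constructed scanner output in an assumed JSON shape, removes duplicate findings, drops the ones a reviewer has already validated as false positives or accepted, tiers the rest by CVSS score with a bump for internet exposure, and assigns a due date from an assumed internal SLA.

```python
import json
from datetime import date, timedelta

# Constructed scanner output. The JSON shape is an assumption for this example
# and does not follow any particular vendor's export format.
SCAN_JSON = """[
  {"id": "f1", "host": "web-01", "port": 443, "title": "Outdated TLS library", "cvss": 7.5, "exposure": "internet"},
  {"id": "f2", "host": "web-01", "port": 443, "title": "Outdated TLS library", "cvss": 7.5, "exposure": "internet"},
  {"id": "f3", "host": "fw-01", "port": 8443, "title": "Management interface reachable from untrusted network", "cvss": 9.1, "exposure": "internet"},
  {"id": "f4", "host": "db-02", "port": 5432, "title": "Database listening on all interfaces", "cvss": 5.3, "exposure": "internal"},
  {"id": "f5", "host": "app-03", "port": 22, "title": "SSH version banner disclosure", "cvss": 2.0, "exposure": "internal"},
  {"id": "f6", "host": "web-01", "port": 80, "title": "HTTP server header reveals version", "cvss": 3.1, "exposure": "internet"}
]"""

# Output of the manual-analysis step: findings a reviewer has validated as
# false positives or formally accepted, keyed by (host, port, title). Constructed.
EXCEPTIONS = {
    ("app-03", 22, "SSH version banner disclosure"): "false positive: banner is overridden by config",
}

# Remediation SLA in days per tier (an assumed internal policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def tier(cvss, exposure):
    """Severity tier from the CVSS base score, raised when the service is internet-facing."""
    if cvss >= 9.0 or (cvss >= 7.0 and exposure == "internet"):
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(scan_json, exceptions, scan_date):
    """Deduplicate, drop excepted findings, tier the rest and assign due dates."""
    seen = set()
    plan, excluded = [], []
    for f in json.loads(scan_json):
        key = (f["host"], f["port"], f["title"])
        if key in seen:
            continue  # the scanner reported the same finding twice
        seen.add(key)
        if key in exceptions:
            excluded.append({**f, "reason": exceptions[key]})
            continue
        t = tier(f["cvss"], f["exposure"])
        plan.append({**f, "tier": t, "due": (scan_date + timedelta(days=SLA_DAYS[t])).isoformat()})
    plan.sort(key=lambda f: (TIER_ORDER[f["tier"]], -f["cvss"]))
    return plan, excluded


def example_plan():
    """Triage the constructed scan as of a fixed scan date so the result is reproducible."""
    return triage(SCAN_JSON, EXCEPTIONS, date(2024, 12, 3))


if __name__ == "__main__":
    plan, excluded = example_plan()
    for f in plan:
        print(f["tier"], f["host"], f["port"], f["title"], "due", f["due"])
    for f in excluded:
        print("excluded", f["host"], f["title"], "-", f["reason"])
```

On the sample data the exposed firewall management interface comes first, the outdated TLS library on the internet-facing web server is promoted to critical even though its CVSS score alone would make it high, the duplicate is collapsed, and the excepted SSH banner finding is reported separately with its reason so the exception itself is auditable. Keying exceptions on host, port and title rather than on the scanner's finding ID is deliberate: IDs change between scans, and an exception that silently stops matching is how an accepted risk turns into an unreviewed one.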

Penetration Testing: Simulating Real-World Attacks to Test Defenses

Penetration testing, also known as "pen testing" or "ethical hacking," simulates real-world cyberattacks to evaluate how well your organization’s security controls hold up against potential intrusions. 

While vulnerability assessments identify weaknesses, penetration testing actively tests those weaknesses by attempting to exploit them. This hands-on approach gives your organization a realistic view of how attackers might breach its defenses.

Pen testing typically follows these steps:

  • Planning and scoping: IT teams define the test's scope, goals, and rules of engagement so that it targets the right systems and respects organizational boundaries.

  • Testing and exploitation: Pen testers use different techniques to probe defenses and exploit vulnerabilities, simulating the actions of real attackers. Common tactics include phishing, network attacks, and attempting unauthorized access.

  • Reporting and remediation: After testing, the team compiles a report of findings, detailing exploited vulnerabilities, potential impact, and recommended fixes. They can then prioritize and address these issues to prevent actual breaches.

For example, a pen test might reveal how an attacker could bypass authentication controls to access sensitive customer data. Based on this insight, your organization can bolster access controls, strengthen password policies, or add multi-factor authentication to reduce risk.

Keep Your Security Controls In Check With Drata

Looking for the smartest way to continuously monitor your controls for SOC 2, ISO 27001, PCI DSS, GDPR, CCPA, and HIPAA in one place? Drata can help. Schedule a demo to see how our solution can play a role in streamlining the process.

Security Controls Frequently Asked Questions (FAQs)

Below we answer some of the most common questions related to security controls.

What Are the Main Types of Security Controls?

Security controls are generally categorized into three main types: physical controls, administrative controls, and technical controls.

Physical controls secure the physical environment, administrative controls focus on policies and procedures, and technical controls use technology to protect data and systems. Each type plays a unique role in a comprehensive security strategy, providing layered protection against a range of risks.

Why Are Security Controls Necessary?

Security controls are essential for protecting your organization’s assets, maintaining regulatory compliance, and reducing the risk of breaches or data loss. They help safeguard sensitive information, secure access to critical systems, and build resilience against cyber threats. 

Without well-implemented security controls, your organization is more vulnerable to unauthorized access, data theft, and costly compliance violations.

How Do Security Controls Help with Compliance?

Many regulatory frameworks require organizations to implement specific security controls to protect sensitive data. These controls, such as data encryption, access management, and incident response planning, help demonstrate that an organization is committed to safeguarding personal information. 

What Is the Difference Between Preventive, Detective, and Corrective Controls?

  • Preventive controls, such as multi-factor authentication and firewalls, aim to stop incidents before they happen.

  • Detective controls, like security monitoring and malware detection, identify incidents as they occur so that a response can begin.

  • Corrective controls, including incident response and disaster recovery planning, activate after an incident to restore normal operations and fix vulnerabilities.

Each type of control complements the others, creating a balanced approach that addresses both proactive and reactive security needs.

How Often Should Security Controls Be Assessed?

Best practices recommend assessing security controls on a fixed cadence, typically at least annually, and again after any major change to systems or infrastructure; some frameworks set the interval explicitly, such as the quarterly vulnerability scans and annual penetration test that PCI DSS requires. Regular assessments, including risk assessments, vulnerability scans, and penetration tests, help ensure that controls remain effective and adapt to new threats. 

More frequent assessments may be necessary for organizations facing high-risk environments or strict compliance standards.

Troy Fine
Troy Fine is an auditor with 10 years of experience. His area of expertise focuses on building sound cybersecurity risk management programs that meet security compliance requirements. Troy is a CPA, CISA, CISSP, and CMMC Provisional Assessor. His areas of expertise include GRC, SOC 2 audits, SOC 2+ examinations, CMMC, NIST 800-171, NIST 800-53, Sarbanes-Oxley Section 404 compliance, HITRUST, HIPAA, ISO 27001, and third-party risk management assessments.