Control
A control is a policy, process, procedure, system setting, review, or activity that helps reduce risk.
In compliance and security, controls are used to show that an organization has safeguards in place to protect data, manage access, respond to incidents, review changes, and operate systems responsibly.
For example, requiring multi-factor authentication is a control. Reviewing user access every quarter is also a control. So is requiring approval before production code is deployed.
Why Controls Matter
Controls are the foundation of most compliance programs. Frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS all expect organizations to define, operate, and document controls that address specific risks.
A control is not just something written in a policy. It should be something the organization actually does, can explain, and can prove with evidence.
Examples of Controls
| Control Area | Example Control | Example Evidence |
|---|---|---|
| Access Control | Employees must use MFA to access business systems | MFA settings, identity provider screenshots |
| Change Management | Production changes must be reviewed and approved before release | Pull requests, approval records, deployment logs |
| Vendor Management | High-risk vendors must be reviewed before approval | Vendor assessment, security questionnaire, approval record |
| Incident Response | Security incidents must be documented and tracked through resolution | Incident ticket, timeline, post-incident review |
| Policy Management | Employees must acknowledge required security policies | Policy acknowledgement report |
| Vulnerability Management | Critical vulnerabilities must be remediated within a defined timeframe | Scan results, remediation tickets |
Control Design vs. Control Operation
A control has two important parts:
| Concept | Meaning |
|---|---|
| Control design | Whether the control is set up in a way that addresses the risk |
| Control operation | Whether the control actually happened as expected during the audit period |
For example, a company may design a control that says all production changes require approval. But during an audit, the company also needs to show that approvals actually happened for the changes being tested.
How AuditFlo Helps
AuditFlo helps teams organize controls, connect them to evidence, and maintain a historical record of control activity over time.
Instead of waiting until audit time to prove a control operated, teams can collect evidence as work happens and keep it mapped to the right compliance requirement.
Plain-English Definition
A control is a safeguard your company uses to reduce risk and prove that important security or compliance activities are actually happening.