Types of Controls and Considerations is the scheme the ISACA CISA body of knowledge uses for classifying and evaluating the mechanisms organizations put in place to manage risk to information systems. Controls are categorized by the function they perform, not by the technology they use: Preventive controls stop unwanted events before they occur (e.g., access restrictions, encryption); Detective controls identify events after they occur (e.g., log monitoring, intrusion detection); Corrective controls remediate identified problems (e.g., patch management, incident response procedures); and Compensating controls provide alternative risk mitigation when a primary control is unavailable or impractical (e.g., quarterly manual access reviews substituting for automated deprovisioning). The same mechanism can serve more than one function depending on how it is used, so classification is by the role it plays, not by its name.

Beyond taxonomy, control evaluation spans four dimensions: control objective (which risk the control addresses), control design (whether the control, as specified, is logically capable of meeting its objective), control effectiveness (whether it actually operated as designed, consistently, over the period under review), and control maturity (how institutionalized the control is, from ad hoc at Level 1 to optimized at Level 5). IS auditors must assess all four dimensions; confirming that a control exists is not an assessment of any of them.
Where it stops · what it isn't
- IS NOT a policy or procedure: controls are implemented mechanisms, not written intent. A documented policy that is never enforced is not a control.
- IS NOT limited to IT: administrative controls (e.g., separation of duties, background checks) and physical controls (e.g., badge access, locked server rooms) are within scope for CISA auditors.
- IS NOT a one-time evaluation: controls that passed last year may have drifted into ineffectiveness due to organizational or environmental change, so each audit period needs fresh evidence.
- IS NOT interchangeable with 'safeguard' or 'countermeasure' across all frameworks. CISA uses the four-type taxonomy above; NIST CSF 2.0 organizes outcomes into six Functions (Govern, Identify, Protect, Detect, Respond, Recover). These overlap but do not map 1:1.
- Compensating controls are temporary or supplemental: they do not eliminate the residual risk of a missing primary control and must be documented with explicit justification, the primary control they stand in for, and a remediation roadmap.
- Control effectiveness is distinct from control design: a well-designed control can fail operationally due to human error, misconfiguration, or lack of monitoring, so design testing and operating-effectiveness testing answer different questions and need different evidence.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: IS Audit Process (CISA Domain 1)
- REQUIRES: Risk Assessment Fundamentals (likelihood, impact, tolerance); Control Objectives and Organizational Goals
- ENABLES: Control Testing Procedures (design testing vs. operating effectiveness testing); Audit Opinion Formation and Audit Reporting; Third-Party and Vendor Control Assessment (SOC 2); Continuous Control Monitoring and Automation
- RELATED TO: Audit Planning and Risk-Based Audit Approach
- CONSTRAINS: Regulatory Compliance Mapping (SOX, HIPAA, PCI-DSS, GDPR)