NIST SP 800-53 is titled “Security and Privacy Controls for Information Systems and Organizations,” and ISO/IEC TR 19791:2010 is titled “Information technology — Security techniques — Security assessment of operational systems.” Both define the terms “Security Controls,” “Management Controls,” “Operational Controls,” and “Technical Controls” as follows:
Security Controls
management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information
Management Controls
security controls (i.e., safeguards and countermeasures) for an information system that focus on the management of risk and the management of information system security
Operational Controls
security controls (i.e., safeguards and countermeasures) for an information system that primarily are implemented and executed by people (as opposed to systems)
Technical Controls
security controls (i.e., safeguards and countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system
The following definitions come from ISO/IEC 27002:2022 [Information security, cybersecurity and privacy protection — Information security controls]:
Control
measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any process, policy, device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]
Access Control
means to ensure that physical and logical access to assets is authorized and restricted based on business and information security requirements
Information System
set of applications, services, information technology assets, or other information-handling components
Asset
anything that has value to the organization
Note 1 to entry: In the context of information security, two kinds of assets can be distinguished:
  — the primary assets:
      — information;
      — business processes and activities;
  — the supporting assets (on which the primary assets rely) of all types, for example:
      — hardware;
      — software;
      — network;
      — personnel;