From CIPedia

This term is usually synonymous with the terms "Countermeasure", "Safeguard" or "Measure". Controls are usually considered to be means of mitigating risk.


European Definitions

Control means rights, contracts or any other means which, either separately or in combination and having regard to the considerations of fact or law involved, confer the possibility of exercising decisive influence on an undertaking, in particular by: (a) ownership or the right to use all or part of the assets of an undertaking; (b) rights or contracts which confer decisive influence on the composition, voting or decisions of the organs of an undertaking. [1]

European Project Definitions

CIPRNet project

The CIPRNet project [2] uses the following definition:

Control is a measure that is modifying risk.

Other International Definitions


An action taken to counteract a threat, or to eliminate or reduce vulnerabilities. [3]


(in climate policy), measures are technologies, processes or practices that reduce greenhouse gas emissions or impacts below anticipated future levels. [4]

For example renewable energy technologies, waste minimization processes, public transport commuting practices, etc.


UNISDR does not use the term "control". It defines two types of "measures": Structural and Non-structural measures [5].

* Structural measures: Any physical construction to reduce or avoid possible impacts of hazards, or application of engineering techniques to achieve hazard-resistance and resilience in structures or systems. Common structural measures for disaster risk reduction include dams, flood levies, ocean wave barriers, earthquake-resistant construction, and evacuation shelters.
* Non-structural measures: Any measure not involving physical construction that uses knowledge, practice or agreement to reduce risks and impacts, in particular through policies and laws, public awareness raising, training and education. Common non-structural measures include building codes, land use planning laws and their enforcement, research and assessment, information resources, and public awareness programmes.

Note that in civil and structural engineering, the term “structural” is used in a more restricted sense to mean just the load-bearing structure, with other parts such as wall cladding and interior fittings being termed non-structural.

National Definitions


Kundërmasa (countermeasure) means actions aimed at protecting against cyber risk or a cyber security incident, or actions aimed at resolving an identified incident. [6]


Control: Means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which may be administrative, technical, managerial, or legal in nature. [7]


Control is the overall direction of emergency management activities in an emergency situation. [8]

Czech Republic

Opatření (control) means control of a risk, including all policies, procedures, directives, usual procedures (practices) or organizational structures, which may be of an administrative, technological, management or legal character. [9]


Mesure de sécurité (control): means of addressing a data security risk.
A control’s nature and the level of detail of its description can be highly variable. [10] [11]


Countermeasure: Reactive methods used to prevent an exploit from successfully occurring once a threat has been detected. [12]


Salvgarda (safeguard): To defend, to protect, to take under one's protection a moral, social, etc. asset. [13]

United Kingdom

Control is the application of authority, combined with the capability to manage resources, in order to achieve defined objectives. [14]

Control is one of the eight principles outlined in Emergency Response and Recovery. The grounding of emergency response and recovery in the existing functions of organisations and familiar ways of working. [15]

United States

Countermeasures is that form of military science that, by the employment of devices and/or techniques, has as its objective the impairment of the operational effectiveness of enemy activity. [16]

Countermeasures are actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. [17]

Synonymous with security controls and safeguards.

Control: The part of the ICS used to perform the monitoring and control of the physical process. This includes all control servers, field devices, actuators, sensors, and their supporting communication systems. [18]

Controls are the methods, policies, and procedures—manual or automated—that are adopted by an organization to ensure the safeguarding of assets, the accuracy and reliability of management information and financial records, the promotion of administrative efficiency, and adherence to standards. [19]

Standard Definition


An action, device, procedure, or technique that meets or opposes (i.e., counters) a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken. [20]


Countermeasure: action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can take place. [21]

ISO/IEC 27000:2014 and ISO 31000:2009

Measure that is modifying risk. [22]

The ISO standard notes that:

  • Controls include any process, policy, device, practice, or other actions which modify risk.
  • Controls may not always exert the intended or assumed modifying effect.

Each control is usually associated with a control objective, which is a statement describing what is to be achieved as a result of implementing the control.

See also



  1. ENTSO-E Glossary of Terms
  3. IAEA - Nuclear Security Series Glossary Version 1.3 (November 2015)
  4. IPCC
  5. 2009 UNISDR Terminology on Disaster Risk Reduction, United Nations International Strategy for Disaster Reduction (UNISDR), Geneva, Switzerland, May 2009.
  7. Oficina Nacional de Tecnologías de Información ADMINISTRACION PUBLICA NACIONAL Disposición 3/2013 - Apruébase la “Política de Seguridad de la Información Modelo” (2013)
  8. Australian Emergency Management Glossary, Emergency Management Australia (1998)
  9. Výkladový slovník kybernetické bezpečnosti (2013)
  10. Méthode de classification et mesures principales, ANSSI (2014)
  11. Classification Method and Key Measures, ANSSI (2014)
  12. Oman CERT Glossary
  14. Glossary - Revision to Emergency Preparedness, Cabinet Office (2012)
  15. UK Civil Protection Lexicon 2013
  16. Department of Defense, Joint Publication 1-02: “Dictionary of Military and Associated Terms” (JP 1-02), 2015.
  17. NIST Special Publication 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations (April 2013)
  18. NIST Glossary / NIST SP 800-82
  19. Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide (2016)
  20. IETF RFC449 Internet Security Glossary 2
  21. ISA-62443 series
  22. ISO/IEC 27000:2014, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary