Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Controls include any process, policy, device, practice, or other actions which modify risk. Individual controls are often designed to act together to increase effective protection. Systems of controls can be referred to as frameworks or standards. Frameworks can enable an organization to manage security controls across different types of assets with consistency. For example, a framework can help an organization manage controls over access regardless of the type of computer operating system. This also enables an organization to assess overall risk. Risk-aware organizations may choose proactively to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO27001:2013, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53. In telecommunications, security controls are defined as Security services as part of OSI Reference model by ITU-T X.800 Recommendation. X.800 and ISO ISO 7498-2 (Information processing systems. Open systems interconnection - Basic Reference Model - Part 2: Security architecture are technically aligned. For business-to-business facing companies whose service may affect the financial statements of the other company, the prospect may require successful audit reports of policy controls such as a SSAE 16 report before granting them authorization as a vendor.