Categories of Controls
Controlling risk through mitigation, avoidance or transference is accomplished by implementing controls. There are 4 effective approaches to selecting controls by category:
Control function: Controls (safeguards) designed to defend systems are preventive or detective.
Architectural layer: Some controls apply to one or more layers of the organization’s technical architecture.
Strategy layer: Controls can be classified by the risk control strategy (avoidance, transference, mitigation) within which they operate.
Information security principle: Controls can be classified according to the characteristics of secure information they assure. These characteristics include: accountability, integrity, availability, confidentiality, authorization, authentication, and privacy.