Glossary
Control
Also: compliance control, security control
A control is a specific measure a framework expects you to have in place to manage a risk, for example restricting access to authorized users, encrypting data in transit, or logging security events. Frameworks are essentially structured lists of controls plus the evidence that they operate.
Most controls are policy and process, but a subset are implemented and enforced in code, and those are the ones a code review can check.
In code
A control lives in code wherever the running system enforces it: the IAM policy, the TLS configuration, the deletion job, the audit log. A control 'breaks' in a diff when a change weakens that enforcement.
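To make the last sentence concrete, here is an added example (not code from the glossary or any project it describes) of the kind of check a review bot can run over the 'before' and 'after' of a change: it reports when an access-control control (an IAM-style Allow statement) or an encryption-in-transit control (a TLS setting) is weakened. The policy data is constructed, and the field names `min_version` and `verify_peer` are assumptions rather than any real product's schema.

```python
"""Control-regression check for a code review (added example, not from the glossary).
The IAM-style statements and TLS settings are constructed sample data; the field
names `min_version` and `verify_peer` are assumptions, not any real product's schema."""

TLS_RANK = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def _as_set(value):
    """Normalise a string-or-list policy field to a set of strings."""
    return {value} if isinstance(value, str) else set(value or [])


def iam_regressions(before, after):
    """Access-control control: report Allow statements whose reach grew."""
    findings = []
    for old, new in zip(before["Statement"], after["Statement"]):
        if new.get("Effect") != "Allow":
            continue  # a changed Deny is not a widening of access
        for field in ("Action", "Resource"):
            added = _as_set(new.get(field)) - _as_set(old.get(field))
            if any(v.endswith("*") for v in added):
                findings.append(f"{field} widened with wildcard {sorted(added)}")
            elif added:
                findings.append(f"{field} gained {sorted(added)}")
    return findings


def tls_regressions(before, after):
    """Encryption-in-transit control: report weakened TLS enforcement."""
    findings = []
    if TLS_RANK[after["min_version"]] < TLS_RANK[before["min_version"]]:
        findings.append(f"min_version lowered to {after['min_version']}")
    if before.get("verify_peer", True) and not after.get("verify_peer", True):
        findings.append("verify_peer disabled")
    return findings


# Constructed 'before' and 'after' revisions of the change under review.
BEFORE = {"iam": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                 "Resource": ["arn:aws:s3:::audit-logs/*"]}]},
          "tls": {"min_version": "TLSv1.2", "verify_peer": True}}
AFTER = {"iam": {"Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["*"]}]},
         "tls": {"min_version": "TLSv1.0", "verify_peer": False}}


def review_change(before=BEFORE, after=AFTER):
    """Run every control check; any finding means the diff weakens a control."""
    return (iam_regressions(before["iam"], after["iam"])
            + tls_regressions(before["tls"], after["tls"]))
```

Each finding names the control and the enforcement that was lost, which is the evidence a reviewer needs to block the merge or ask for a justification.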