Security controls library

Controls are the specific safeguards organisations implement to enforce framework requirements. Without controls, frameworks remain aspirational; controls are how compliance becomes operational.

8 domains
40+ controls
10+ frameworks mapped
Aligned with IIA and ISACA guidance


ITGC (20 controls, 4 sub-domains)

IT general controls

Logical access, change management, SDLC, and computer operations across IT systems.

Frameworks mapped: NIST 800-53, ISO 27001, SOX, COBIT
Cybersecurity (15 controls, 3 sub-domains)

Cybersecurity controls

Vulnerability management, firewall security, IAM, and endpoint protection controls.

Frameworks mapped: NIST CSF, ISO 27001, PCI DSS, CIS v8
Application (10 controls, 2 sub-domains)

Application controls

Input, processing, and output controls ensuring data accuracy and integrity within applications.

Frameworks mapped: NIST 800-53, ISO 27001, PCI DSS, COBIT
โ˜๏ธ
Cloud
10 controls

Cloud & infrastructure controls

Cloud security configuration, infrastructure hardening, and data residency controls.

NIST CSF ISO 27001 CSA CCM CIS v8
2 sub-domains Explore โ†’
Data & privacy (10 controls, 2 sub-domains)

Data & privacy controls

Data classification, retention, privacy compliance, and personal data handling controls.

Frameworks mapped: GDPR, ISO 27001, HIPAA, CCPA
๐Ÿข
Vendor & third party
10 controls

Vendor & third party controls

Vendor onboarding, third party risk assessments, and contract security requirements.

ISO 27001 NIST 800-53 PCI DSS COBIT
2 sub-domains Explore โ†’
Business continuity (8 controls, 2 sub-domains)

Business continuity & DR controls

Controls ensuring organisational resilience, disaster recovery, and continuity of critical operations.

Frameworks mapped: ISO 27001, NIST 800-53, COBIT
AI & emerging tech (8 controls, 2 sub-domains)

AI & emerging technology controls

Model risk, AI governance, bias and fairness controls, and AI system access management.

Frameworks mapped: ISO 42001, NIST AI RMF

Built on recognised professional guidance

Grounded in industry standards, written for practitioners

The controls in this library are not invented; they are drawn from and inspired by the collective guidance of the world's leading audit, security, and governance bodies. Each control has been rewritten in plain language so practitioners at every level can understand, implement, and test them without needing to cross-reference multiple standards.

IIA
Institute of Internal Auditors: global standards for internal audit practice and methodology.

ISACA
Publisher of COBIT: the leading framework for IT governance and control objectives.

NIST
National Institute of Standards and Technology: SP 800-53 control catalogue and CSF guidance.

ISO/IEC
ISO 27001 and 27002: internationally recognised controls for information security management.

AICPA
American Institute of CPAs: SOC 2 Trust Service Criteria and attestation standards.

CIS
Center for Internet Security: CIS Controls v8, the prioritised set of cybersecurity best practices.

COSO
Committee of Sponsoring Organizations: the definitive internal control and enterprise risk framework.

PCAOB
Public Company Accounting Oversight Board: auditing standards for SOX compliance and ICFR testing.

Securitora is an independent knowledge resource and is not affiliated with, endorsed by, or officially associated with any of the organisations listed above. All framework and standard names are the property of their respective owners.