The dictionary defines: control – to exercise restraining or directing influence over.
ISO/IEC 27000 defines: control – measure that is modifying risk
A good definition, assuming the reader understands that the dictionary defines “measure” as a step planned or taken as a means to an end.
COBIT and ISACA define: control – The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management or legal nature.
A good definition up to the 5th word.
CIS RAM defines: control – A documented method for protecting information assets using technical, physical, or procedural safeguards.
A good definition up to the 7th word.
O-TTPS defines: mitigation – Any action, device, procedure, technique, or any other measure that reduces the vulnerability or risk.
Skip the first 8 words for a good definition.
STIX defines: A Course of Action – an action taken either to prevent an attack or to respond to an attack that is in progress.
This definition uses the security jargon “attack”, but otherwise aligns well with the dictionary definition.
FAIR defines: control – Any person, policy, process, or technology that has the potential to reduce the Loss Event Frequency (LEF) and/or Loss Magnitude (LM).
This provides the categories of control and the factors they impact rather than a definition.
NIST 800-53 defines: Countermeasures – Actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system. Synonymous with security controls and safeguards.
This provides examples rather than a definition.
PCI DSS defines: Compensating Controls – Compensating controls may be considered when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.
No definition of “controls” is provided, and this is an explanation rather than a definition.