What type of control is intended to enforce compliance with security policies within an organization?

A directive control is designed to establish and enforce compliance with security policies within an organization. This type of control is proactive in nature, providing guidelines and frameworks intended to direct the behavior of employees and systems. By outlining expectations and procedures, directive controls help ensure that individuals understand the security policies they must follow.

These controls often manifest in the form of policies, standards, training programs, and awareness campaigns. For example, issuing an information security policy that details the responsibilities of employees in protecting sensitive data acts as a directive control.

In contrast, other control types have different focuses. Preventive controls, such as firewalls or access control measures, aim to stop security incidents from occurring in the first place. Detective controls, like intrusion detection systems, identify incidents that have already occurred. Corrective controls, such as incident response plans or recovery procedures, are designed to respond to incidents and rectify any damage that may have been done.
