ISC2 Governance, Risk and Compliance (CGRC) Practice Question

NIST divides security and privacy safeguards into management, operational, technical, and common controls. Operational controls are those mainly implemented and performed by people, often supported by technology, and include activities such as physical and environmental protection, incident response, awareness and training, and personnel security. Stationing guards to check identification, keep manual logs, and escort visitors is a human-executed measure that protects physical access, so it falls squarely under operational controls. Technical controls (e.g., encryption or firewalls) rely on automated mechanisms; management controls focus on policy or oversight (e.g., risk assessment, planning); common controls are shared across multiple systems or organizations. Because the described safeguard is people-centric and operational in nature, it is classified as an operational control.