Administrative control
An administrative control (also called a managerial or procedural control) is a type of security control that governs human behavior and organizational processes through policies, procedures, guidelines, and operational standards rather than through a technical mechanism. These controls define how individuals should handle sensitive information, how access privileges are granted, reviewed and revoked, and how duties are to be performed securely. Examples include security awareness training programs, acceptable use policies, background checks, incident response plans, access management procedures (including periodic access reviews and separation of duties), and data retention policies.
Administrative controls form the governance layer of an organization's security posture: they assign responsibilities, establish accountability, and set the expectations that a culture of security awareness is built on. They complement technical controls (such as firewalls, encryption, and access-control lists) and physical controls (such as locks and surveillance) by providing the policy framework that determines how those controls are selected, configured, and operated. Because an administrative control relies on people following a documented process rather than on enforcement by a system, its effectiveness depends on being audited and, where possible, backed by a corresponding technical control; an access management procedure, for example, provides little assurance unless access is actually reviewed and unused privileges are removed. Within Governance, Risk, and Compliance (GRC) programs, administrative controls are essential for demonstrating adherence to regulatory requirements, industry standards, and internal security policies, and for reducing the risks associated with human error and insider threats.