What is a common control?

Prepare for the Security Control Assessor Exam with comprehensive study materials and multiple-choice questions. Get equipped with the knowledge and skills needed for success.

A common control is a security control that is implemented at the organizational level and is inherited by one or more information systems within that organization. The key aspect of a common control is that it provides security not just to a single system but to multiple systems that can leverage the same control to achieve compliance and risk management objectives.

For example, a firewall can be considered a common control if it is established centrally and protects various systems across the organization. This approach makes managing security controls more efficient: the organization establishes shared measures that protect multiple systems, rather than requiring each system to implement its own controls independently.

This shared responsibility helps reduce redundancy, streamline management efforts, and maintain a cohesive security posture throughout the organization, facilitating compliance with regulatory requirements and enhancing overall security effectiveness. Hence, recognizing common controls is pivotal for achieving a comprehensive and economical security framework within an organization.
