Security governanceIntermediate20 min read

What Is Administrative control? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Administrative controls are the rules and policies that tell people what to do to keep information safe. They are not technical tools like firewalls but instead include things like security awareness training, background checks, and access review procedures. These controls help organizations manage security by defining how employees should behave and how systems should be used.

Commonly Confused With

Administrative controlvsTechnical controls

Technical controls are implemented through hardware or software, such as firewalls, encryption, or access control lists. Administrative controls are policies and procedures that guide human behavior. While both manage risk, technical controls enforce rules automatically, whereas administrative controls rely on people following them.

Requiring a strong password policy (administrative control) vs. implementing a password manager that enforces complexity (technical control).

Administrative controlvsPhysical controls

Physical controls are tangible barriers like locks, fences, guards, and security cameras. They protect physical assets and spaces. Administrative controls are intangible-they exist as documents, training, and processes. Both are needed, but they operate in different realms.

A locked server room door (physical control) vs. a policy that says only authorized personnel can enter the server room (administrative control).

Administrative controlvsGovernance

Governance is the overarching framework of policies, roles, and responsibilities that guide an organization's security strategy. Administrative controls are specific measures within that framework. Governance sets the direction, while administrative controls are the tactical tools to implement that direction.

A corporate security policy (governance) includes an acceptable use policy (administrative control).

Administrative controlvsProcedures

Procedures are step-by-step instructions to perform a task. They are a subset of administrative controls. Administrative controls also include policies, standards, guidelines, training, and other people-focused measures. Not all administrative controls are procedures.

A procedure for resetting a password vs. a policy that requires passwords to be changed every 90 days.

Must Know for Exams

For the CISSP exam, administrative controls are a foundational concept tested across multiple domains, especially Domain 1: Security and Risk Management. The exam expects you to understand the difference between administrative, technical, and physical controls, and to be able to classify given examples into the correct category. You might see questions that ask which type of control a specific measure represents, or which control is most appropriate for a given risk scenario. For instance, a question might describe a situation where an employee's access was not revoked after termination, and ask which administrative control should have prevented it. The answer would be a 'user access review policy' or a 'termination procedure.'

The exam also tests your ability to apply administrative controls in the context of governance frameworks like ISO 27001, NIST, or COBIT. You may be asked to identify which documents (policies, standards, procedures) belong to the administrative control family. Another common question pattern involves separation of duties. For example, a scenario might describe a single person who can both initiate and approve a financial transaction. The question asks what administrative control is missing. The answer is separation of duties, which is an administrative control designed to prevent fraud.

the CISSP exam often presents questions about defense in depth and the layers of security. Administrative controls are one layer. You need to know that they are the first line of defense, shaping behavior, but they must be supported by technical and physical controls. Exam questions may also ask about the relationship between administrative controls and due care/due diligence. Implementing administrative controls demonstrates that an organization has taken reasonable steps to protect assets. Without them, an organization could be found negligent in a legal proceeding.

The difficulty level of these questions on the exam is typically intermediate. They test recall and application. You don't need to memorize every policy name, but you must be able to classify controls correctly. The most common mistake students make is confusing administrative controls with technical controls. For example, thinking that a firewall is an administrative control when it is actually technical. Another trap is assuming that training is a technical control, when it is clearly administrative. Practice with sample questions and pay attention to the wording: if the measure involves people, rules, or documentation, it is likely administrative.

Simple Meaning

Think of administrative controls as the rulebook for a secure library. In a library, you have walls and locks (technical controls) and guards (physical controls), but you also need rules: who can borrow books, how long they can keep them, what happens if a book is lost, and how the librarian checks that everyone follows the rules. Those rules are administrative controls. In IT security, administrative controls are the written policies, procedures, and guidelines that shape human behavior. For example, a company might have a policy that says all employees must change their passwords every 90 days. That policy is an administrative control. It doesn't enforce itself-no software automatically forces the change unless a technical control is added-but it sets the expectation and provides a basis for action if someone doesn't comply.

Another example is security awareness training. A company can require every new hire to complete a course on phishing emails. That training is an administrative control. It reduces the chance that an employee will click on a malicious link. Without the training, employees might not know what to look for. Administrative controls also include procedures like background checks before hiring, user account review every quarter, and incident response plans. They are the human side of security. They are often the cheapest to implement but can be the hardest to enforce because they rely on people following rules consistently. In a real IT environment, administrative controls form the foundation of a security program. They define what is acceptable, what is not, and what happens when rules are broken. They are essential for compliance with standards like ISO 27001, NIST, and HIPAA, and they are a core topic in the CISSP exam.

Full Technical Definition

Administrative controls, also known as management controls, are a category of security controls defined in frameworks such as NIST SP 800-53 and ISO 27001. They are primarily focused on the management of risk through policy, procedure, and personnel practices. Unlike technical controls (e.g., firewalls, encryption) or physical controls (e.g., locks, guards), administrative controls rely on human action and organizational processes. They include security policies, standards, baselines, guidelines, and procedures. These documents define the rules for how information assets should be protected, who has access, and what steps should be taken in response to security incidents.

Key components of administrative controls include the separation of duties, least privilege, job rotation, and mandatory vacation policies. Separation of duties ensures that no single person has complete control over a critical function, reducing the risk of fraud or error. Least privilege restricts user access rights to the minimum necessary to perform their job. Job rotation and mandatory vacations help detect irregularities because another person takes over the role and may notice problems. These controls are often implemented through formal access control policies, user provisioning and de-provisioning processes, and periodic access reviews.

Administrative controls also encompass security awareness and training programs. These are ongoing initiatives to educate employees about security risks and their responsibilities. For example, an organization might require annual training on data classification and handling procedures. Incident response plans, business continuity plans, and disaster recovery plans are also administrative controls because they define the steps an organization will take before, during, and after a security event.

From a compliance perspective, administrative controls are critical for demonstrating due diligence and due care. Regulatory frameworks like HIPAA, PCI DSS, and GDPR mandate specific administrative controls, such as risk assessments, security policies, and employee training. In CISSP exam terms, administrative controls fall under Domain 1 (Security and Risk Management) and are often tested as part of the overarching concept of security governance. They are contrasted with technical and physical controls in the context of defense in depth. A well-designed security program uses a balanced mix of all three control types. Without administrative controls, technical and physical controls lack the guidance needed to be effective. For example, a firewall (technical control) is useless if there is no policy defining which traffic is allowed or denied. Administrative controls provide the rationale and rules that drive technical configurations.

Real-Life Example

Imagine you live in a neighborhood with a community swimming pool. The pool is surrounded by a fence with a locked gate (physical control). There is also a camera that records who enters (technical control). However, the pool also has a set of rules posted on the wall: no running, no diving in shallow water, children under 12 must be accompanied by an adult, and the pool closes at dusk. Those rules are administrative controls. They don't physically stop someone from running, but they set expectations and provide a basis for the lifeguard to enforce safety. If someone runs and slips, the rule exists so that the lifeguard can take action and the pool management can show they took reasonable steps to prevent accidents.

Now translate that to an IT environment. The fence and camera are like a firewall and intrusion detection system. The pool rules are like a company's acceptable use policy that says employees cannot install unauthorized software, cannot share passwords, and must lock their screens when leaving their desks. Without the rules, the technical controls would be less effective because people would not know what is expected. The rules also serve as evidence of due care if an incident occurs. In an exam context, when you hear 'administrative control,' think of the policies, procedures, and training that guide human behavior. They are the 'soft' controls that make the 'hard' controls work correctly.

Why This Term Matters

Administrative controls matter because security is ultimately a people problem. No matter how advanced your firewall, encryption, or antivirus software is, a single employee clicking a phishing link can compromise an entire network. Administrative controls address this by shaping how people think and act. They provide a framework for decision-making: what data can be shared, who can access it, and how incidents should be handled. Without administrative controls, security becomes reactive and chaotic. For example, if an organization has no policy on remote work, employees might use insecure Wi-Fi networks, expose sensitive data, and create vulnerabilities that technical controls cannot fully mitigate.

In practice, administrative controls are the first line of defense because they prevent risky behaviors before they occur. Security awareness training reduces the likelihood of successful social engineering attacks. Background checks reduce the risk of insider threats. Access review processes ensure that former employees no longer have access to systems. These controls are also essential for compliance with laws and regulations. Auditors routinely check for evidence of written policies, training records, and documented procedures. Without them, an organization can face fines, legal liability, and reputational damage.

administrative controls are cost-effective. Implementing a policy costs relatively little compared to purchasing and maintaining complex security technology. They also adapt easily to changing circumstances. When a new threat emerges, an organization can update its policies and retrain staff faster than it can deploy new hardware. For IT professionals, understanding administrative controls is crucial because they are the foundation of a security program. Even if you are a technical specialist, you need to know how policies translate into technical requirements. For example, a policy that requires encryption of data at rest leads to a technical control like BitLocker or FileVault. The administrative control drives the technical implementation.

How It Appears in Exam Questions

Administrative controls appear in exam questions primarily in three formats: scenario-based classification, gap analysis, and best practice selection. In scenario-based classification, you are given a description of a security measure and asked to identify its type. For example: 'An organization requires all employees to complete an annual security awareness training. What type of control is this?' The correct answer is an administrative control. The distractors might include technical control (like encryption) or physical control (like a lock).

In gap analysis questions, you might be presented with a situation where a security incident occurred because a control was missing. For example: 'A company suffered a data breach when an employee's credentials were used after termination. Which administrative control should have been in place?' The answer would be a termination checklist or user de-provisioning procedure. Another example: 'An employee was able to approve their own purchase order, leading to fraud. What administrative control was lacking?' Answer: separation of duties.

Troubleshooting questions are less common for administrative controls because they are procedural rather than technical, but they do appear. For example: 'After a security audit, several employees were found to have excessive permissions. Which administrative control needs improvement?' The correct answer would be periodic access reviews or a least privilege policy.

Some questions ask you to select the best combination of controls for a given scenario. For instance: 'A company wants to protect customer data. Which set of controls provides a balanced approach?' Options might include administrative controls (like a data classification policy), technical controls (like encryption), and physical controls (like locked server room doors). The correct answer usually includes all three types, emphasizing defense in depth.

Remember that the CISSP and other security exams are heavy on conceptual understanding. You will rarely be asked to recite a specific policy name. Instead, you need to understand the role administrative controls play in the overall security program. Pay attention to keywords like policy, procedure, training, awareness, background check, separation of duties, least privilege, job rotation, and mandatory vacation. These are all strong indicators of administrative controls.

Study CISSP

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are the IT manager at a mid-sized accounting firm. The company handles sensitive financial data for clients. Recently, you became aware that one of your senior accountants, John, has been working remotely from a coffee shop using an unsecured Wi-Fi network. John is accessing client tax returns and financial statements over this connection. There is no company policy that explicitly prohibits working from public Wi-Fi, and there is no technical control in place to force a VPN connection. When you ask John why he is working that way, he says he thought it was fine because no one told him otherwise.

This scenario highlights the absence of an administrative control. If the company had a remote work policy that clearly stated all remote connections must use a VPN and that public Wi-Fi is prohibited unless a VPN is active, John would have known the rule. The policy would also provide grounds for corrective action. Without that administrative control, you have no way to enforce the desired behavior. You might decide to implement a technical control-like a firewall rule that blocks all traffic not going through a VPN-but that alone may not address the root cause, which is the lack of awareness and guidance.

In an exam question, this type of scenario would ask what the company should do first. The best answer is to develop and implement a remote access policy (an administrative control) and then complement it with technical controls. The exam tests your ability to prioritize. Administrative controls often come first because they define the rules, and then technical controls enforce them. This scenario also demonstrates how administrative controls can prevent security incidents before they happen. Without a policy, employees may unknowingly introduce risk. With a policy, they have clear guidance and the organization can demonstrate due care.

Common Mistakes

Confusing administrative controls with technical controls

Technical controls are implemented through hardware or software (e.g., firewalls, encryption). Administrative controls are based on policies and procedures. Mixing them up leads to incorrect answers in classification questions.

Ask yourself: Is this a rule or process done by people? If yes, it's administrative. If it's a piece of technology, it's technical.

Thinking that training is a technical control

Training is a process that involves people learning and following guidelines. It is not implemented through technology. Many learners incorrectly classify it under technical controls because they associate it with computer-based training platforms, but the platform is just a delivery method.

Focus on the purpose: training changes human behavior, not system configuration. Therefore, it is administrative.

Believing that administrative controls are optional or less important than technical controls

Administrative controls are foundational. Without policies, technical controls often lack direction and enforcement authority. Many compliance frameworks require administrative controls as a primary element.

Remember that security governance starts with policies. Technical controls are implemented to enforce policies, not the other way around.

Assuming that all policies are administrative controls

While policies are administrative controls, the term administrative control is broader and includes procedures, standards, guidelines, training, background checks, and more. Not every document is a policy.

Broaden your understanding: any human-focused security measure that is procedural or policy-based is an administrative control.

Ignoring the role of administrative controls in incident response

Incident response plans are administrative controls, but some learners think incident response is purely technical (like running malware scans). The plan itself is a procedure, hence administrative.

Classify incident response procedures as administrative because they define steps for people to follow, even if technical tools are used during execution.

Exam Trap — Don't Get Fooled

{"trap":"A question describes a company that implemented a firewall and an intrusion detection system, and asks for an 'additional administrative control' to improve security. Many learners incorrectly choose 'update the firewall rules' thinking it is administrative.","why_learners_choose_it":"They see 'update' and think of a procedure, but updating firewall rules is a technical task, not an administrative control.

The administrative control would be the policy that defines when and how to update the rules.","how_to_avoid_it":"Look for answers that involve rules, policies, training, or processes. For this trap, the correct answer is likely 'develop an access control policy' or 'implement security awareness training.'

Step-by-Step Breakdown

1

Identify the risk

The first step in implementing administrative controls is to identify what needs protection and what the potential threats are. This often involves a risk assessment. Understanding the risk helps determine which policies and procedures are needed.

2

Develop a policy

Create a formal document that states the organization's position on a specific security issue, such as acceptable use, access control, or data classification. The policy should be approved by management and clearly communicated.

3

Create supporting standards and procedures

Policies are high-level; they need detailed standards (specific requirements) and procedures (step-by-step instructions) for implementation. For example, a password policy might be supported by a standard that specifies minimum length and complexity.

4

Communicate and train

Employees must know the policies and understand their responsibilities. This step involves security awareness training, distributing policy documents, and ensuring all stakeholders are aware of the rules.

5

Enforce compliance

Policies without enforcement are ineffective. This step might involve automated technical controls (e.g., blocking non-compliant actions) or manual audits and reviews. Enforcement can also include disciplinary measures for non-compliance.

6

Monitor and review

Administrative controls need ongoing monitoring to ensure they remain effective and aligned with changing risks. Periodic reviews of policies, training effectiveness, and compliance rates help identify areas for improvement.

7

Update as needed

Security threats, business processes, and regulations evolve. Policies and procedures must be revised to stay relevant. This step ensures that administrative controls continue to protect the organization adequately.

Practical Mini-Lesson

In practice, administrative controls are the backbone of an organization's security program. They start with the board and executive leadership defining the security vision and risk appetite through policies. For example, a company might have an Information Security Policy that states 'All sensitive data must be encrypted both in transit and at rest.' That is a high-level administrative control. From there, the IT team develops procedures: how to configure encryption, which tools to use, how to manage encryption keys. The policy drives the technical implementation.

What professionals need to know is that administrative controls are not static. They require regular updates. When a new regulation like GDPR came into effect, organizations had to update their data protection policies and procedures. That was an administrative control change. Similarly, when a new type of cyber threat emerges, like a specific phishing campaign, security awareness training content must be updated. This is a practical, ongoing responsibility for security professionals.

One of the biggest challenges with administrative controls is enforcement. People often ignore policies if they perceive them as inconvenient. For example, a policy that requires two-factor authentication might meet resistance from users who find it annoying. A security professional needs to balance security requirements with usability. Sometimes, the solution is to combine administrative controls with technical controls that make compliance easier, like single sign-on with automatic two-factor prompts.

Another practical consideration is documentation for audits. Auditors will ask for evidence that policies exist, that training was conducted, and that reviews were performed. This means keeping records: signed policy acceptance forms, training completion reports, meeting minutes from access review meetings, and logs of disciplinary actions. Without these records, an organization cannot prove it has implemented administrative controls.

What can go wrong? The most common failure is that policies are written but never communicated or enforced. They become 'shelfware'-documents that sit on a shelf (or a shared drive) and are ignored. Another failure is that policies are too vague or too restrictive, causing confusion or resistance. A well-written administrative control should be clear, specific, and achievable. Finally, a lack of management support can undermine administrative controls. If senior leaders do not follow the policies themselves, no one else will take them seriously.

Memory Tip

Think 'People, Papers, Processes' – the three Ps of administrative controls. If it involves training someone, writing a rule, or following a procedure, it's administrative.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is an example of an administrative control in cybersecurity?

A common example is a company's acceptable use policy that defines what employees can and cannot do with company devices and networks.

How are administrative controls different from technical controls?

Administrative controls are based on human processes and policies, while technical controls are implemented through software or hardware, like firewalls and encryption.

Why are administrative controls important for certification exams like CISSP?

Because they are a core concept in security governance, and exam questions often require you to classify controls and understand their role in defense in depth.

Can administrative controls be automated?

The enforcement of an administrative control can be automated through technical controls, but the policy or procedure itself remains administrative.

What happens if an organization has no administrative controls?

Without administrative controls, there are no rules or guidance for employees, leading to inconsistent security practices, higher risk, and potential non-compliance with regulations.

Are security awareness training and background checks considered administrative controls?

Yes, both are classic examples of administrative controls because they involve human processes to reduce risk.

What is the relationship between administrative controls and due care?

Implementing administrative controls demonstrates that an organization has taken reasonable precautions (due care) to protect its assets and stakeholders.

Summary

Administrative controls are the policies, procedures, training, and human-focused measures that form the foundation of an organization's security program. They are distinct from technical and physical controls because they rely on people following rules rather than on hardware or software enforcement. In the context of the CISSP exam, understanding administrative controls is essential because they appear in multiple domains and are frequently tested in classification, scenario, and best-practice questions.

Remember the three Ps: People, Papers, Processes. If a security measure involves training someone, writing a rule, or following a procedure, it is an administrative control. Common examples include security policies, access review procedures, separation of duties, and employee background checks. These controls are cost-effective, adaptable, and crucial for compliance with regulations and standards.

For exam success, focus on being able to distinguish administrative controls from technical and physical controls. Practice with scenario questions that ask you to identify missing controls or recommend the best control for a given situation. Avoid the common mistake of classifying training or policies as technical controls. With a clear understanding of administrative controls, you will be able to answer a wide range of questions and apply this knowledge in real-world IT security roles.