What are management controls?

Management controls describe the governance, policy, planning, and oversight activities that an organization uses to manage risk to its information systems. They’re about how security is run: setting security policies, performing risk assessments, authorizing systems to operate, and continuously monitoring and adjusting the security program. These controls guide and oversee how other safeguards are applied, rather than being a specific safeguard built into hardware or software. That’s why this option is the best fit: it emphasizes managing risk within the information system security program itself. The other choices point to protections that are implemented directly by the system or by the physical environment—hardware protections, technical controls built into software or firmware, and physical security of facilities—which are distinct from the governance and risk-management focus of management controls.