Which operational control is primarily about awareness and training?

The key idea here is that this control centers on people and their behavior. Awareness and training focus on ensuring everyone knows what security requires and has the skills to carry it out, from recognizing phishing attempts to following access procedures and handling data properly. This makes it the primary control for educating and preparing personnel to act securely, which is essential because human behavior is a major factor in security outcomes. In contrast, other controls deal with different aspects: configuring and maintaining system settings safely falls under configuration management, planning for emergencies and recoveries belongs to contingency planning, and having a prepared, coordinated approach to detecting and responding to incidents is the realm of incident response. Since the question emphasizes awareness and training, the control that directly addresses those needs is the Awareness & Training control.