Which statement best describes operational controls?

Prepare for the FISMA Interview Test.

Multiple Choice

Which statement best describes operational controls?

Explanation:
Operational controls are the day-to-day actions, procedures, and processes people carry out to protect an organization’s information and systems. They hinge on the human element—staff implementing policies, following documented procedures, performing training, conducting access reviews, managing changes, backing up data, and responding to incidents. Automation can support these controls, but the execution and oversight come from people applying the procedures consistently and handling any exceptions. That reliance on people to implement and maintain the ongoing security activities is what makes this description the best fit.

The other descriptions are too narrow: describing them as solely automatic and software-based would point to technical controls, which are about automated safeguards implemented in systems. Saying they’re hardware-based only ignores the procedural and human aspects that operational controls require. Finally, saying they aren’t part of risk management is inaccurate since operational controls exist to reduce risk and are a key part of the risk management process.
