
📖 What are Administrative Controls?

Security controls that focus on personnel and business practices, such as policies, procedures, and security awareness training.

🥋 Sensei Says:

"Also known as 'Managerial Controls.' They are the 'rules' on paper."

📚 Certification: Certified in Cybersecurity (CC)

🔑 What are the Key Concepts of Administrative Controls?

  • Administrative controls are foundational, establishing the framework for all other security controls (technical & physical).
  • Policies define *what* is expected; procedures detail *how* to achieve compliance with those policies.
  • Security awareness training aims to reduce human error, a significant factor in many security breaches.
  • Regular review and updates of policies and procedures are crucial to maintain effectiveness against evolving threats.
  • Documentation is key – well-defined controls are easier to audit and demonstrate compliance with regulations.

🎯 How do Administrative Controls appear on the CC Exam?

You may be asked to identify which type of control (administrative, technical, or physical) is best suited to mitigate a risk related to employee negligence, such as phishing susceptibility.

A scenario might describe a company undergoing a security audit – expect questions about the documentation required to demonstrate effective administrative controls.

Expect questions about the order in which controls should be implemented; administrative controls are typically the first step.

❓ Frequently Asked Questions

How do administrative controls interact with technical controls?

Administrative controls *enable* technical controls. For example, a policy requiring strong passwords (administrative) is enforced by a password complexity setting (technical).

What's the difference between a policy, a standard, and a procedure?

A policy is a high-level statement of intent. A standard is a specific requirement to meet the policy. A procedure details the steps to follow the standard.

Are administrative controls enough on their own to secure an organization?

No. Administrative controls are essential, but they must be combined with technical and physical controls to create a layered defense-in-depth security posture.
