Which category of security controls focuses on policies, procedures, and awareness training?

Administrative controls are crucial in establishing a framework for an organization's security posture. They encompass the development and implementation of policies, procedures, and guidelines that govern security practices within an organization. This category focuses on the human element of security, as it aims to ensure that employees are aware of their roles and responsibilities regarding protecting organizational assets.

For instance, administrative controls often include security policies that outline acceptable use, incident response protocols, and data protection measures. Training and awareness programs fall under this category as well, as they help employees understand and adhere to security practices, fostering a culture of security within the organization.

The effectiveness of technical and physical controls—those focused on hardware and software protections, as well as physical security measures—hinges on the adherence to the administrative controls put in place. Thus, without strong administrative controls, the implementation of technical and physical security measures could be undermined, leading to potential vulnerabilities.