Which type of control provides guidelines or mandates actions based on policy?

Prepare for the CompTIA Security+ (SY0-701) exam. Enhance your skills with flashcards and multiple-choice questions, each with explanations. Excel in your certification!

Directive controls are designed to provide specific guidelines, policies, or mandates for actions that must be taken to maintain security and compliance within an organization. These controls reflect the organization's objectives and expectations, directly shaping behavior by indicating what employees are required or encouraged to do.

For instance, a directive control could take the form of a security policy that requires employees to create complex passwords and change them every three months. By outlining clear instructions and expectations, directive controls help to establish a culture of compliance and proactive security measures within the organization.

On the other hand, preventative controls focus on stopping potential security incidents before they occur, while corrective controls are intended to repair or mitigate damage after an incident has occurred. Compensating controls are alternative measures used when primary controls are not feasible or effective. While all these controls are important for a robust security posture, directive controls specifically emphasize the establishment of policies and guidelines that must be followed.
