Controls | part of Stepping Through Cybersecurity Risk Management: A Systems Thinking Approach | Wiley Data and Cybersecurity books | IEEE Xplore

Chapter Abstract:

Controls are risk reduction measures. They may be manual, automated, or both. Controls may be directly enumerated, but are often documented as an interrelated set of risk management instructions that include strategic assertions, delegation of security roles and responsibilities, workflow, technology configurations and automation, step‐by‐step procedures, and general advice. These documents are classified into risk appetite, policies, processes, standards, procedures, or guidelines, respectively. Controls are interactive by design. They are composed at different levels of enterprise organizational structure and addressed to different organizational constituents whose interactions render the controls effective. The risk appetite comes from the top and is colloquially referred to as “tone at the top.” It is the executive management articulation of the extent to which a risk may be deemed acceptable. Cybersecurity risk is reduced via chains of controls woven across document subjects and types.
Page(s): 89 - 141
Copyright Year: 2024
Edition: 1