To counteract security risks, security measures, also known as security controls, are deployed. These controls can be classified as preventive, detective or corrective, and as organizational or technical. Different frameworks and standards provide security controls at different levels of granularity. But what systematic procedure is needed to determine security controls, and are these predefined security controls sufficient? These questions are to be answered using an example from the area of identity management for servers.



  • Literature research on security controls
  • Comparison of standards such as ISO 27001, CIS and NIST 800-53v5 for a given scenario
  • Analysis of the scenario for additionally required security controls
  • Categorization of these security controls
  • Development of a generic procedure for determining the required security controls



  • Prior knowledge of Identity Management and IT Security is helpful for getting into the topic quickly, but not strictly necessary



Dr. Daniela Pöhn (