measure that maintains and/or modifies risk
Note 1 to entry: Controls include, but are not limited to, any process, policy (3.1.24), device, practice or other conditions and/or actions which maintain and/or modify risk.
Note 2 to entry: Controls may not always exert the intended or assumed modifying effect.
[SOURCE: ISO 31000:2018, 3.8]