Definition: Security control already existed and implemented in the IT system. Note: The existence and strength of security control in the IT system need to be clarified during the SA&A process.