The type of control that makes use of policies, DRPs, and BCPs is managerial control.

What the question is asking

  • Policies are high-level rules and guidelines set by management to govern security and operations.
  • DRPs (Disaster Recovery Plans) and BCPs (Business Continuity Plans) are strategic documents that define how an organization prepares for, responds to, and recovers from disruptions.
  • These are all part of the governance and oversight layer rather than hands-on technical configuration.

Why it is managerial control

  • Managerial controls focus on defining, approving, and enforcing organizational rules, risk management strategies, and compliance requirements.
  • DRPs and BCPs are created, owned, and maintained by management to ensure resilience and continuity of critical business functions after incidents.
  • Technical and operational controls implement details (like system settings or daily procedures), but they operate within the framework set by these managerial documents.

Related control types (for context)

  • Technical controls : Firewalls, encryption, access control lists, IDS/IPS, and other software/hardware protections.
  • Operational controls : Day-to-day procedures, training, incident response runbooks, backups execution, and monitoring tasks carried out by staff.
  • Preventative controls : Measures designed specifically to stop incidents (e.g., locks, patching, input validation), which may be guided by policies but are not the policies themselves.

So, when you see policies + DRPs + BCPs grouped together in an exam- style question, the correct answer category is managerial control.

TL;DR:
Which type of control makes use of policies, DRPs, and BCPs?
Managerial control.

Information gathered from public forums or data available on the internet and portrayed here.