Which of the following extends from items?

Controls extend from items because they are designed to help manage and mitigate risks associated with specific items within an organization. In the context of risk management, an "item" could refer to any asset, process, or configuration that requires oversight and protection to ensure compliance with regulations and protect against vulnerabilities.

Controls are measures or mechanisms put in place to ensure that these items are operating correctly and in alignment with organizational governance and regulatory requirements. By linking controls to items, organizations can ensure that they are appropriately monitoring and addressing risks associated with their assets.

In contrast, citations, issues, and policies play different roles within risk and compliance management. Citations typically refer to references or acknowledgments of existing regulations or standards. Issues are typically identified problems that need resolution but may not directly link to underlying items or controls. Policies serve as guiding principles or frameworks but do not extend from items in the way controls do. Their relationship is more about guidance and compliance rather than direct management or mitigation of risks associated with specific items.