The best indication that an information security control is no longer relevant is that it does not support a specific business function. Information security controls are implemented to protect business processes and functions. If a control no longer aligns with or supports the business objectives, it has lost its relevance. While cost efficiency, management support, and technology obsolescence are factors to consider, the primary purpose of any control is to protect and enable business functions.