Please specify on which type of context organisation has its own controls and on which not?
Answer: For different contexts you can consider banks, hospitals and internet providers. All of them have specific business requirements to drive information security. Banks need to protect account holders financial data, hospitals need to protect patient's health data, and internet providers must protect users data flow. All of them must protect confidentiality, integrity and availability, but for different information, and in different degrees, so they will require different controls set and security levels.
For example, the acceptable delay in providing information for a internet user can be completely different from a hospital patient, leading to a different set of controls.
Regarding responsibility for controls, organizations that run its own IT infrastructure owns much more controls than those which outsource them, for example, by adopting a Software as a Service Solution.