MyCertStack logoMyCertStack

    1: 1.0 General Security Concepts

    Types of Security Controls

    Security controls exist to reduce the likelihood that a threat exploits a vulnerability, or to reduce the impact when one does. They are the units a security program is actually built out of: firewall rules, written policies, guard schedules, lock bollards, awareness training campaigns. The taxonomy you must internalize for this study area is not optional academic background. The exam writes its hardest items by stating a business scenario and then asking which category and type of control best matches the stated risk and stated constraint, and the items deliberately separate the CATEGORY axis (how the control is implemented) from the TYPE axis (what the control does in the chain of events around an incident). Many candidates who already work in security every day still lose points here because they conflate the two axes.

    The category axis describes the operational substance of the control. A control's category does not change with the threat being defended against; it changes with how the organization implements it. The four official categories are technical, managerial, operational, and physical. Technical controls are implemented through hardware, software, or firmware: a firewall ruleset, an antivirus engine, a TPM-backed disk encryption configuration, a network access control posture check. Managerial controls are administrative in nature; they describe how the organization governs risk in writing: a risk assessment, an acceptable use policy, a security architecture review process. Operational controls are the human procedures and processes a workforce follows day to day: an incident response runbook, an offboarding checklist, an awareness training program, a change advisory board meeting. Physical controls protect the building, the racks, and the people: bollards, fences, video surveillance, electronic badge readers, and a manned guard post.

    The type axis is the kill-chain axis. A control's type tells you when in the timeline of an incident the control acts: before the attempt (preventive, deterrent, directive), during the attempt (detective), or after the attempt (corrective, compensating). Preventive controls block the unwanted action from succeeding, for example a stateful firewall blocking outbound TCP/3389 from a workstation segment. Deterrent controls discourage the actor from attempting the action in the first place, for example posted warning signs at a perimeter or visible video cameras at a loading dock. Detective controls find the action after it starts or after it ends, for example a SIEM correlation rule alerting on impossible travel logins, or a file-integrity monitoring agent flagging an unexpected change to a system binary. Corrective controls restore the system to a known good state after an incident, for example a tested backup restoration, a forensic re-image, or a configuration management push that re-applies the secure baseline. Compensating controls substitute for a primary control that the organization cannot apply for a documented reason; a compensating control should provide equivalent risk reduction, not just any related activity. Directive controls tell people what they must do; they are the formal "thou shalt" statements such as standards, procedures, and contractual obligations.

    The single most reliable way to keep the two axes straight is to ask yourself two questions about every control: first, "What is the substance of this control?" (technical/managerial/operational/physical), and second, "Where in the timeline does it act?" (preventive/deterrent/detective/corrective/compensating/directive). Every control on the exam has exactly one answer to each question, and almost every distractor in the exam pool is built by swapping the answer to one question for the answer to the other.

    Category axis: technical, managerial, operational, physical

    Technical controls are everywhere in a hybrid environment and they tend to dominate a junior practitioner's mental model of security, which is part of why they show up as distractors when the right answer is actually managerial or operational. A web application firewall blocking SQL injection patterns is technical. A privileged access management vault that injects ephemeral credentials into a database session is technical. A cryptographic algorithm whitelist enforced by a TLS terminator is technical. The defining trait is enforcement by a machine; if a process server is making the decision automatically, the control is technical.

    Managerial controls are written, governing, and reviewed at the program or executive level. Risk assessments, system security plans, third-party vendor due diligence questionnaires, formal access reviews signed off by data owners, and the security policy framework itself are managerial. The defining trait is that the control governs how decisions are made, who is accountable, and what is acceptable; nobody plugs a managerial control into a wall.

    Operational controls live in human hands. The pattern is "a person follows a documented procedure." Onboarding a new joiner with a printed checklist is operational; the segregation of duties between the user-creation analyst and the access-approval manager is operational; an out-of-hours rotation of on-call security responders is operational. Operational controls are the most commonly miscategorized in practice because the tooling they sit on top of is technical: a SIEM is a technical control, but the analyst rotation that triages SIEM alerts is operational.

    Physical controls keep humans, hardware, and the local environment safe and sound. Bollards at a vehicle approach, K-rated barriers, anti-passback turnstiles, badge-controlled door locks with vestibules, CCTV with motion analytics, fenced perimeters with razor wire, and a uniformed guard at a reception desk are physical. Environmental controls such as HVAC, fire suppression, and uninterruptible power supplies also sit in this category for exam purposes; the key is that the control is acting on the physical world rather than on bits.

    💡 Exam Trap: A scenario tells you that a company "issues a written remote-work standard requiring employees to use a corporate VPN before connecting to internal systems." The written standard itself is a managerial control (because it is a written governance document). The VPN is the technical enforcement that the standard mandates. Items often offer "Technical" as the seductive wrong answer because the VPN is technical; the correct answer for the written standard is Managerial.

    💡 Exam Trap: When a scenario describes a "security guard performing visual inspections of bags at the entrance," the category is Physical, not Operational. Operational versus Physical is decided by what the control acts on, not by whether a human performs it. A human guarding a door is acting on the physical environment, so the control is physical.

    Type axis: preventive, deterrent, detective, corrective, compensating, directive

    Preventive controls stop an action from succeeding. The action may still be attempted, but it does not produce its intended effect. A firewall rule that denies inbound SMB from the internet is preventive. Full-disk encryption is preventive against an attacker who steals the laptop. A signed code-only execution policy is preventive against running unapproved binaries.

    Deterrent controls reduce the probability that the actor tries the action at all. They depend on the actor believing the control exists and weighing the cost against the reward. Visible CCTV cameras at a loading dock, "no trespassing" signage at a fence, banner warnings on a login screen stating that activity is monitored, and well-publicized criminal-referral policies all act as deterrents. Detection cameras can be detective at the same time, but the deterrent value comes from being seen.

    Detective controls find that an event happened. They do not stop the event; they emit a signal. SIEM correlation, IDS in monitoring mode, antivirus alerts after a malicious file lands, audit log review, and badge-swipe reports that get reconciled against shift schedules are all detective. The signal must reach a responder for the control to deliver value.

    Corrective controls return the system to a known good state. A backup restoration after ransomware, a configuration management run that re-applies the gold image, a wiping of a lost mobile device, a re-issuing of compromised certificates from a fresh root of trust, are corrective. Corrective controls assume detection already happened.

    Compensating controls fill a gap when the primary control cannot be implemented for a documented reason. The defining traits are that the gap is documented, the compensation is approved, and the residual risk is accepted in writing. A payment terminal that cannot run an EDR agent because of vendor lock-in might be compensated by aggressive network segmentation plus packet capture on the upstream switch. Compensating is the most commonly misused term in practice; do not call any "extra" control "compensating," only the substitute for a missing primary control.

    Directive controls instruct people on what to do. Standards, procedures, statements of policy, training requirements, and contractual obligations are directive. A directive control sets the rule; technical, operational, or physical controls then enforce it. The directive on its own changes behaviour through expectation and accountability, not through enforcement.

    ⚠️ Anti-Pattern: Labelling "any second control we happened to install" as Compensating. A compensating control is specifically a substitute for an unavailable primary control, and it must be documented as such in the risk register or system security plan. Calling a defense-in-depth layer "compensating" without a documented primary-control gap is a common but technically wrong characterisation; the exam will mark it wrong.

    Category and type together: a comparison matrix

    The two axes are independent, which is why every real-world control has a (category, type) pair. The matrix below shows how common controls land. Use this to drill the pairing pattern; on the exam you will be asked to read a scenario and produce both axis answers.

    Control exampleCategoryType
    Stateful firewall blocking unsolicited inbound TCPTechnicalPreventive
    Posted "Trespassers will be prosecuted" sign at the perimeterPhysicalDeterrent
    Visible CCTV camera with a recording lightPhysicalDeterrent and Detective
    SIEM correlation rule alerting on impossible travelTechnicalDetective
    Tested restoration from offline backup after ransomwareTechnicalCorrective
    Quarterly access review signed by the data ownerManagerialDetective
    Acceptable use policy distributed at hireManagerialDirective
    Onboarding checklist run by HR for every new joinerOperationalPreventive
    Network segmentation around a legacy unpatched controllerTechnicalCompensating
    Vehicle bollards at the data-center loading dockPhysicalPreventive
    Awareness training campaign on phishingOperationalDirective
    Security guard performing badge checks at receptionPhysicalPreventive
    File-integrity monitoring alert on a system binary changeTechnicalDetective
    Privileged access management with just-in-time approvalsTechnicalPreventive
    Banner warning on login: "activity is monitored"TechnicalDeterrent

    Decision tree: which control type to recommend

    Many scenario items describe an unmet risk and ask which type of control would best address it. The decision is driven by the stage of the attack you want to act on, not by which technology brand is popular.

    Capability comparison: what each type does and does NOT do

    TypeActs whenOutcomeCommon error
    PreventiveBefore the action landsAction does not occurCalling a monitoring tool "preventive"
    DeterrentBefore the action is attemptedActor chooses not to attemptTreating an invisible control as a deterrent
    DetectiveDuring or after the actionSignal raised for responseForgetting the response side of the control
    CorrectiveAfter the action is overSystem returns to a known good stateMixing corrective with compensating
    CompensatingSubstitute for missing primaryEquivalent risk reductionLabelling any extra layer compensating
    DirectiveSets the rulePeople know the expectationStopping at directive with no enforcement

    🎯 Scenario: A regional clinic has a legacy radiology workstation that cannot install the corporate EDR agent because the vendor will void support. The security architect places the workstation on its own VLAN, applies an explicit firewall ruleset that only permits DICOM traffic to the imaging server, and adds full packet capture on the upstream switch with retention for 30 days. The category here is Technical; the type is Compensating, because the controls substitute for the missing primary endpoint protection. The decision is documented in the risk register, the data owner accepts the residual risk in writing, and the compensating control is re-evaluated at the next risk review.

    📊 Limit: The official exam objectives list exactly four categories (Technical, Managerial, Operational, Physical) and exactly six types (Preventive, Deterrent, Detective, Corrective, Compensating, Directive). No other category or type names are valid; choices such as "Administrative" or "Recovery" are intentional distractors and should be rejected on sight.

    💡 Exam Trap: The exam often pairs a deterrent option ("posted sign") with a detective option ("camera recording the area") on the same scenario. If the question asks which BEST reduces the probability that the actor attempts the action, choose the deterrent. If it asks which BEST helps an investigator after the act, choose the detective. Read the verb in the stem before locking in.

    Decision Anchor. Choose the category by asking what the control's substance is: code and configuration is Technical, written governance is Managerial, human procedure is Operational, the physical world is Physical. Choose the type by asking when in the timeline of an attack the control acts. Choose Compensating only when a primary control is documented as unavailable, and Directive only when the control is the rule itself rather than the enforcement.


    Continue with the interactive course

    Track your progress, jump into practice questions and use the Shark AI tutor inside the CompTIA - Security+ learning hub.