Security Control Categories and Types
What the Exam Is Really Testing
CompTIA does not just want you to list control types from a textbook.
It wants you to prove you can do this:
Given a scenario, select the right category and type of security control to address a specific risk.
That means you need to understand the difference between what a control is made of (its category) and what a control does (its type). You need to read a scenario, identify the gap, and pick the control that fills it.
This is the foundation of everything in Security+. Controls appear in every single domain. If you cannot classify them correctly here, you will struggle with questions across the entire exam.
Control Categories: What the Control Is Made Of
Security controls fall into four categories. Think of these as the material or nature of the control.
Technical Controls
These are implemented through technology. Hardware, software, firmware — anything that a system enforces automatically.
- Firewalls blocking unauthorized traffic
- Encryption protecting data at rest
- Intrusion detection systems alerting on anomalies
- Access control lists restricting file permissions
- Antivirus software quarantining malware
Technical controls operate without human intervention once configured. That is their strength and their defining characteristic.
Managerial Controls
These are administrative decisions documented in policies, procedures, and risk assessments. They govern how the organization approaches security.
- Security policies and standards
- Risk assessments and risk management frameworks
- Security awareness training programs
- Vulnerability management procedures
- Incident response plans
Managerial controls tell people what to do. Technical controls make systems do it.
Operational Controls
These are carried out by people in their daily work. They are the human processes that support security.
- Security guards performing badge checks
- Operators reviewing logs daily
- Change management review boards
- Backup verification procedures
- Patch management scheduling
The distinction from managerial: operational controls are the execution. Managerial controls are the governance. A policy says "perform background checks." The operational control is actually performing them.
Physical Controls
These protect the physical environment and assets.
- Fences, gates, and bollards
- Locked server rooms
- Security cameras (CCTV)
- Badge readers and mantraps
- Environmental controls (fire suppression, HVAC)
Control Types: What the Control Does
Every control — regardless of category — serves a functional purpose. CompTIA tests six control types.
Preventive
Stops an incident before it occurs. This is the first line of defense.
- Firewall rules blocking known bad IPs (technical + preventive)
- Security awareness training reducing phishing clicks (managerial + preventive)
- Locked doors preventing unauthorized entry (physical + preventive)
Detective
Identifies that an incident has occurred or is occurring. Detective controls do not stop anything — they alert you.
- IDS generating alerts on suspicious traffic (technical + detective)
- Log review identifying unauthorized access (operational + detective)
- Motion sensors detecting movement in restricted areas (physical + detective)
Corrective
Minimizes the impact of an incident after it has occurred. These controls fix or restore.
- Restoring from backup after ransomware (technical + corrective)
- Patching a vulnerability after exploitation (operational + corrective)
- Rebuilding a compromised server (technical + corrective)
Deterrent
Discourages an attacker from attempting an action. Deterrents work through the perception of consequences.
- Warning banners on login screens (technical + deterrent)
- Visible security cameras (physical + deterrent)
- Acceptable use policies with stated consequences (managerial + deterrent)
Deterrent controls do not prevent or detect. They discourage. If the attacker ignores the deterrent, it has no further effect.
Compensating
An alternative control used when the primary control is not feasible. Compensating controls provide a comparable level of protection through a different approach.
- Using application whitelisting when a system cannot be patched
- Implementing additional monitoring when separation of duties is impossible
- Requiring manager approval when automated controls are unavailable
Key point: compensating controls exist because the ideal control cannot be implemented. They are not inferior — they are necessary alternatives.
Directive
Directs or mandates specific behavior. Directive controls tell people what they must do.
- Policies requiring complex passwords
- Compliance requirements mandating encryption
- Signs instructing visitors to check in at reception
The Matrix: Categories Meet Types
The real power of this framework is the intersection. Every control sits in a matrix: one category and one (or more) types.
A firewall is technical and preventive. A security camera can be physical and detective (recording intrusions) or physical and deterrent (visible presence discouraging attempts). An acceptable use policy is managerial and directive.
CompTIA expects you to navigate this matrix in scenario questions. You will be given a situation and asked to pick the best control. Understanding both dimensions is mandatory.
Pattern Recognition
Security+ questions on controls follow predictable patterns:
- Scenario-based selection: "A company wants to prevent unauthorized access to the server room. Which control type is MOST appropriate?" (preventive + physical)
- Classification questions: "An organization deploys a SIEM to monitor network traffic. This is BEST described as..." (technical + detective)
- Compensating control triggers: Whenever a question mentions that a preferred control cannot be implemented, the answer is a compensating control
- Multiple correct-sounding answers: All four options may be real controls, but only one matches both the category and type the scenario requires
Trap Patterns
Common wrong answers and why they are wrong:
- Confusing deterrent with preventive: A login banner does not prevent access — it warns. If you can still log in, it is deterrent, not preventive
- Confusing detective with corrective: An IDS detects. It does not fix. If the question asks what happened after detection, that is corrective territory
- Choosing technical when operational fits better: "A security analyst reviews logs daily" is operational, not technical. The tool is technical; the human process is operational
- Ignoring compensating control signals: If the question says "the organization cannot implement X," the answer almost always involves a compensating control
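To make the first two trap patterns concrete, here is an added Python example that is not part of the study guide: one login flow carrying three technical controls of different types. The banner is a deterrent (it is displayed but never changes the access decision), the ACL check is preventive (it denies before access happens), and the denied-attempt scan is detective (it runs over the audit log afterwards and only flags, never blocks). All user names, resource names, and log entries are constructed for the example.

```python
from dataclasses import dataclass, field

# Deterrent: the banner text shown before login. It informs; it never decides.
BANNER = "Authorized use only. All activity is monitored and logged."

# Preventive: constructed sample ACL mapping each resource to the users allowed.
ACL = {
    "patient_records": {"dr_lee", "nurse_ali"},
    "hr_payroll": {"hr_admin"},
}


@dataclass
class AuditLog:
    """Audit trail that a detective control reads; it records but does not block."""
    entries: list = field(default_factory=list)

    def record(self, user: str, resource: str, allowed: bool) -> None:
        self.entries.append({"user": user, "resource": resource, "allowed": allowed})


def show_banner() -> str:
    """Deterrent control: returns the warning to display. Its result plays no part in the access decision."""
    return BANNER


def authorize(user: str, resource: str) -> bool:
    """Preventive control: access is denied unless the ACL explicitly permits it."""
    return user in ACL.get(resource, set())


def access(user: str, resource: str, log: AuditLog) -> bool:
    """One access attempt: banner (deterrent), ACL check (preventive), audit record."""
    show_banner()                        # shown to everyone; someone can simply ignore it
    allowed = authorize(user, resource)  # the only line that can stop the request
    log.record(user, resource, allowed)  # data source for the detective control below
    return allowed


def detect_denied_bursts(log: AuditLog, threshold: int = 3) -> list:
    """Detective control: scan the audit log after the fact and flag users with
    at least `threshold` denied attempts. It alerts; it does not undo or block anything."""
    denied = {}
    for entry in log.entries:
        if not entry["allowed"]:
            denied[entry["user"]] = denied.get(entry["user"], 0) + 1
    return sorted(user for user, count in denied.items() if count >= threshold)


def run_demo() -> dict:
    """Constructed sequence of attempts, returning what each control did."""
    log = AuditLog()
    legit = access("dr_lee", "patient_records", log)
    # The banner is displayed to this user too, yet access is decided solely by the ACL.
    intruder_results = [access("intruder", "patient_records", log) for _ in range(3)]
    return {
        "legit_allowed": legit,
        "intruder_allowed": any(intruder_results),
        "flagged_by_detective": detect_denied_bursts(log),
        "log_size": len(log.entries),
    }


if __name__ == "__main__":
    print(run_demo())
```

Notice that `show_banner()` returns a string the caller discards: that is exactly why a banner is deterrent rather than preventive. Only `authorize()` can stop a request, and `detect_denied_bursts()` reads history that already happened, so it classifies as detective, not corrective; restoring or repairing anything after the flag is raised would be a separate corrective step.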
Scenario Practice
Question 1
A hospital cannot patch a legacy medical device due to manufacturer restrictions. The device contains sensitive patient data and connects to the internal network.
Which control type should the security team implement?
A. Deploy a deterrent banner on the device login screen
B. Place the device on an isolated network segment with additional monitoring
C. Create a policy requiring staff to only use the device for approved purposes
D. Install an intrusion detection system on the device itself
Answer & reasoning
Correct: B
The key phrase is "cannot patch." This signals a compensating control. Network segmentation and monitoring provide an alternative safeguard when the ideal control (patching) is not feasible.
A is deterrent only and does not protect patient data. C is directive but does not mitigate the technical vulnerability. D is impractical on a device with manufacturer restrictions.
Question 2
An organization installs visible security cameras at all building entrances. No security personnel actively monitor the camera feeds in real time.
What type of control do these cameras PRIMARILY represent?
A. Detective control that identifies unauthorized physical access attempts
B. Preventive control that blocks unauthorized individuals from entering
C. Deterrent control that discourages unauthorized entry through visible presence
D. Corrective control that enables the organization to respond after incidents
Answer & reasoning
Correct: C
The critical detail is that nobody monitors the feeds in real time. Without active monitoring, the cameras are not functioning as detective controls. Their primary function is deterrence through visibility.
If the question said feeds are actively monitored, the answer would shift to detective.
Question 3
After a ransomware incident, a company restores affected systems from verified backup images and applies the latest security patches before reconnecting them to the network.
Which control type does this process BEST represent?
A. Preventive control designed to stop ransomware from executing
B. Compensating control implemented because primary defenses were inadequate
C. Detective control that identified the ransomware infection in the environment
D. Corrective control that restores systems to a secure operational state
Answer & reasoning
Correct: D
Restoring from backup and patching after an incident is textbook corrective. The incident already happened. The goal is to minimize damage and restore normal operations.
Preventive would have stopped the ransomware before execution. Detective would have identified the infection. Compensating is an alternative when the primary control is unavailable.
Key Takeaway
Security controls are classified on two axes: what the control is made of (category) and what the control does (type). Every scenario question on the Security+ exam requires you to evaluate both dimensions. Read the scenario, identify the gap, determine whether the situation calls for prevention, detection, correction, deterrence, compensation, or direction — and then match it to the right category. The matrix is your decision framework.