CompTIA Security+ SY0-601: Compare and Contrast Various Types of Controls

Security Controls: How to Classify Them for Security+

For Security+ exam prep, the safest way to think about controls is with two questions: what is the control, and what does it do? CompTIA commonly tests both ideas. A control may be administrative, operational, technical, or physical, and its primary function may be preventive, detective, corrective, deterrent, compensating, or recovery. In real environments, taxonomies vary a little by framework or vendor, so the exam usually wants the best fit based on the scenario.

Controls exist because organizations are managing risk. Risk arises when a threat can exploit a vulnerability, and that is where the exposure of confidentiality, integrity, and availability starts. Controls lower the likelihood of a successful attack, reduce its impact, and raise the cost of breaking in, but they never eliminate risk entirely. Whatever remains is residual risk, which is why layered security matters. Risk treatment may mean mitigating, transferring, avoiding, or accepting risk; a control is usually the instrument of mitigation.

One version note: this article is written to stay useful for Security+ learners without overclaiming exact objective wording for a single exam release. The control concepts here are consistent with Security+ style questions, even though wording can differ between versions.

The Two-Axis Model: Category and Function

Category asks what kind of control it is:

  • Administrative (called managerial in some versions of the exam objectives): policies, standards, governance, training, approvals
  • Operational: processes people perform day to day
  • Technical: hardware/software enforcing security
  • Physical: facility and environmental safeguards

Function asks what the control primarily does:

  • Preventive: block or reduce the chance of success
  • Detective: identify suspicious or unwanted activity
  • Corrective: contain or remediate the issue
  • Deterrent: discourage someone from trying
  • Compensating: provide alternate protection when the preferred control is not feasible
  • Recovery: restore systems, data, or operations

Some broader security literature also uses directive controls for governance and instruction. If you see that term in other study materials, it usually overlaps with administrative guidance. For Security+ questions, focus on the listed functions above unless the scenario clearly points elsewhere.

A control can have more than one effect. CCTV is usually detective, but visible cameras also deter. A firewall is primarily preventive, even though its logs may feed a detective process. The exam usually wants the control’s primary purpose in context.

Control Categories

Administrative controls are management and governance artifacts: policies, standards, procedures, guidelines, risk assessments, training, exception handling, and access reviews. A useful distinction is this: the procedure document is administrative, but executing that procedure is operational. Risk assessments are also administrative; they inform control selection rather than acting as classic detective controls.

High-yield terms:

  • Policy: high-level management intent
  • Standard: mandatory specific requirement
  • Procedure: documented step-by-step instructions
  • Guideline: recommended practice

Administrative controls also include least privilege, need to know, and separation of duties. Least privilege grants only the minimum access a person needs to do their job. Need to know further limits access to the information required for a specific task. Separation of duties prevents one person from controlling an entire sensitive process alone. Job rotation and mandatory vacation are classic detective-oriented administrative controls because they can expose fraud that depends on one person staying in place.

Operational controls are the executed processes: patching, account provisioning and deprovisioning, log review, backup jobs, media handling, incident response, and disaster recovery execution. If the scenario says “the team performs,” “the analyst reviews,” or “the admin executes,” operational is often the right category.

Technical controls are enforced by systems and software: MFA, IAM, ACLs, firewalls, IDS/IPS, NAC, VPN, encryption, DLP, EDR, SIEM, allowlisting, segmentation, and file integrity monitoring. For exam purposes, VPN and encryption are usually classified as preventive technical controls. The nuance: a VPN protects data in transit and controls the access path, while encryption protects confidentiality and, when paired with authentication (an authenticated cipher mode or a MAC), integrity as well. Neither helps if the keys, endpoints, or identities are already compromised.

Physical controls protect facilities, hardware, and availability. Think locks, badge readers, mantraps, fences, guards, turnstiles, CCTV, lighting, bollards, safes, and visitor logs. Also include environmental controls: HVAC, humidity monitoring, fire suppression, water leak detection, UPS, and generators. Those matter because availability is part of security too.

Control Functions at a Glance

Each entry lists the function, what it does, typical examples, and the clue words that point to it:

  • Preventive: stops or reduces likelihood. Examples: MFA, firewall, segmentation, locks, least privilege. Clue words: block, require, restrict, enforce.
  • Detective: identifies activity or conditions. Examples: IDS, SIEM, CCTV, log review, FIM, account audit. Clue words: alert, monitor, review, identify.
  • Corrective: fixes or contains the problem. Examples: disable account, reimage host, remove malware, config fix. Clue words: remediate, contain, isolate, disable.
  • Deterrent: discourages attempts. Examples: warning banners, visible guards, signage, lighting. Clue words: warn, discourage, visible, monitored.
  • Compensating: alternative when the preferred control is not feasible. Examples: jump host, network isolation, extra logging, virtual patching. Clue words: legacy, cannot support, alternative, workaround.
  • Recovery: restores service, data, or operations. Examples: backups, failover, rebuild, alternate site activation. Clue words: restore, recover, resume, failover.

The most commonly confused pair is corrective vs recovery. Corrective fixes the bad condition; recovery brings business operations or data back. Reimaging an infected laptop is corrective. Restoring the user’s files from backup is recovery.

High-Yield Control Map

Each entry lists the control, its category, its primary function, and the exam trap to avoid:

  • Security awareness training: administrative; preventive. Trap: not technical just because it reduces attacks.
  • Policy / standard: administrative; preventive. Trap: do not confuse with procedure execution.
  • Account review: operational (with administrative oversight); detective. Trap: the review activity versus the policy that requires the review.
  • Patch management: operational; preventive. Trap: the policy is administrative; the patching work is operational.
  • MFA: technical; preventive. Trap: logs do not make it detective.
  • Firewall: technical; preventive. Trap: logging supports detective processes but is not the primary function.
  • IDS: technical; detective. Trap: if the question says block, choose IPS instead.
  • IPS: technical; preventive. Trap: it detects and blocks, but prevention is the best fit.
  • SIEM: technical; detective. Trap: response automation usually belongs to SOAR/integrations.
  • EDR: technical; detective / corrective. Trap: more than simple antivirus.
  • Backups: operational; recovery. Trap: backups do not prevent ransomware.
  • CCTV: physical; detective. Trap: visible cameras may also deter.
  • Mantrap: physical; preventive. Trap: used to stop tailgating.
  • Guard: physical; deterrent / detective. Trap: can also actively prevent entry depending on role.

Implementation Details That Matter

Patch management is more than “install updates.” A solid patch workflow runs: identify the vulnerabilities, rate their severity and the system’s exposure, test the patch, get the change approved, deploy it during a maintenance window, verify it worked, and keep a rollback plan ready. Vulnerability scanning supports this process as a detective and operational activity.

Backup strategy needs more than a backup product. You need to know the difference between full, incremental, and differential backups, set retention rules, protect copies by keeping them offline, offsite, or immutable, and actually test restores instead of assuming they will work. Recovery planning also uses RPO and RTO: recovery point objective is the acceptable data loss, and recovery time objective is the acceptable downtime. BCP keeps the business operating; DR restores IT systems.
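The difference between incremental and differential chains, and what a broken chain does to your real RPO, is easier to see in code. The following is an added example, not part of the original article; the weekly schedule, the Thursday 14:30 incident time, and the "intact" flag marking a copy the ransomware reached are all constructed assumptions.

```python
"""Restore chains and RPO checking for full, incremental and differential backups.

Added example, not from the original article. The weekly schedule, the incident
time and the "intact" flags are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Backup:
    kind: str            # "full", "incremental" or "differential"
    taken: datetime
    intact: bool = True  # False if the copy is missing, corrupt, or was encrypted


def restore_chain(backups: List[Backup], point: datetime) -> List[Backup]:
    """Ordered backups needed to restore the state captured at `point`.

    Incremental scheme: the last full plus every incremental taken after it.
    Differential scheme: the last full plus only the latest differential.
    Raises ValueError if any required backup is not intact (a broken chain).
    """
    before = sorted((b for b in backups if b.taken <= point), key=lambda b: b.taken)
    fulls = [b for b in before if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup at or before %s" % point)
    full = fulls[-1]
    later = [b for b in before if b.taken > full.taken]
    diffs = [b for b in later if b.kind == "differential"]
    incs = [b for b in later if b.kind == "incremental"]
    chain = [full] + ([diffs[-1]] if diffs else incs)
    for b in chain:
        if not b.intact:
            raise ValueError("chain broken: %s backup of %s is unusable" % (b.kind, b.taken))
    return chain


def latest_restorable(backups: List[Backup], incident: datetime) -> List[Backup]:
    """Walk restore points backwards from the incident until a chain is fully intact."""
    points = sorted({b.taken for b in backups if b.taken <= incident}, reverse=True)
    for point in points:
        try:
            return restore_chain(backups, point)
        except ValueError:
            continue
    raise ValueError("no restorable point before %s" % incident)


def rpo_check(backups: List[Backup], incident: datetime, rpo_hours: float) -> Tuple[float, bool]:
    """Actual data loss in hours at the best restorable point, and whether it meets the RPO."""
    chain = latest_restorable(backups, incident)
    loss_hours = (incident - chain[-1].taken).total_seconds() / 3600
    return loss_hours, loss_hours <= rpo_hours


# Constructed schedule: full backup Sunday 01:00, then one backup each night.
SUNDAY = datetime(2024, 3, 3, 1, 0)


def night(n: int) -> datetime:
    return SUNDAY + timedelta(days=n)


INCREMENTAL_SET = [Backup("full", night(0))] + [Backup("incremental", night(n)) for n in range(1, 5)]
DIFFERENTIAL_SET = [Backup("full", night(0))] + [Backup("differential", night(n)) for n in range(1, 5)]
# Same incremental scheme, but Wednesday's copy sat on a share the ransomware reached (constructed).
BROKEN_SET = [Backup("full", night(0)), Backup("incremental", night(1)), Backup("incremental", night(2)),
              Backup("incremental", night(3), intact=False), Backup("incremental", night(4))]
INCIDENT = night(4) + timedelta(hours=13, minutes=30)  # Thursday 14:30

if __name__ == "__main__":
    for name, backups in [("incremental", INCREMENTAL_SET), ("differential", DIFFERENTIAL_SET), ("broken", BROKEN_SET)]:
        loss, ok = rpo_check(backups, INCIDENT, rpo_hours=24)
        point = latest_restorable(backups, INCIDENT)[-1].taken
        print("%-12s restores to %s, loss %.1f h, RPO met: %s" % (name, point, loss, ok))
```

With every copy intact both schemes restore to Thursday 01:00 (13.5 hours of loss against a 24-hour RPO). Losing one Wednesday incremental pushes the best restorable point back to Tuesday and the loss to 61.5 hours, which is exactly the failure a restore test would have caught before the incident.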

Account lifecycle management should start with an HR or management trigger, require approval, assign the correct role, enforce least privilege, review access periodically, and remove access quickly when roles change or employment ends. Emergency or break-glass accounts are a special case: they need additional logging, and every use should be reviewed.
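The periodic review in that lifecycle is a detective control, and it is routinely implemented as a reconciliation script. The following is an added example, not from the original article: it compares a directory export against an HR roster and flags leavers still enabled, movers who kept an old role, overdue recertifications, and break-glass accounts used since their last review. The roster, the account records, the 90-day interval, and the review date are constructed assumptions.

```python
"""A periodic access review as a detective control: reconcile directory accounts
against the HR roster and flag leavers, movers, overdue reviews and break-glass use.

Added example, not from the original article. The roster, the directory export,
the 90-day review interval and the review date are constructed assumptions.
"""
from datetime import date, timedelta
from typing import Dict, List

REVIEW_INTERVAL = timedelta(days=90)
TODAY = date(2024, 3, 15)  # date the review runs (constructed)

# Constructed HR roster: employee id -> (status, current role)
HR: Dict[str, tuple] = {
    "E100": ("active", "dba"),
    "E101": ("active", "helpdesk"),
    "E102": ("terminated", "developer"),
}


def account(user, owner, role, last_review, last_login=None, break_glass=False, enabled=True):
    """Build one directory record (constructed export format)."""
    return {"user": user, "owner": owner, "role": role, "last_review": last_review,
            "last_login": last_login, "break_glass": break_glass, "enabled": enabled}


# Constructed directory export
ACCOUNTS = [
    account("alice", "E100", "dba", date(2024, 1, 10), date(2024, 3, 1)),
    account("bob", "E101", "dba", date(2023, 11, 1), date(2024, 3, 14)),       # moved to helpdesk, kept dba role
    account("carol", "E102", "developer", date(2024, 2, 1), date(2024, 3, 2)),  # terminated, never disabled
    account("svc-backup", None, "backup", date(2023, 12, 1)),                   # no owner on record
    account("breakglass-admin", "E100", "dba", date(2024, 3, 1), date(2024, 3, 10), break_glass=True),
]


def review(accounts: List[dict], hr: Dict[str, tuple], today: date = TODAY) -> List[dict]:
    """Return findings; each names the account, the finding, and the corrective action."""
    findings = []
    for a in accounts:
        emp = hr.get(a["owner"]) if a["owner"] else None
        if a["enabled"] and (emp is None or emp[0] != "active"):
            # Leaver or unknown owner: the deprovisioning step never ran.
            findings.append({"user": a["user"], "finding": "orphaned",
                             "action": "disable now; leaver or unknown owner"})
        elif emp and emp[1] != a["role"]:
            # Mover: role changed in HR but the account was never reprovisioned.
            findings.append({"user": a["user"], "finding": "role_mismatch",
                             "action": "HR role is %s, account role is %s; reprovision" % (emp[1], a["role"])})
        if today - a["last_review"] > REVIEW_INTERVAL:
            findings.append({"user": a["user"], "finding": "review_overdue",
                             "action": "recertify; last review %s" % a["last_review"]})
        if a["break_glass"] and a["last_login"] and a["last_login"] > a["last_review"]:
            # Emergency account used since its last review: every use gets looked at.
            findings.append({"user": a["user"], "finding": "break_glass_used",
                             "action": "review the session and rotate the credential"})
    return findings


if __name__ == "__main__":
    for f in review(ACCOUNTS, HR):
        print("%-17s %-17s %s" % (f["user"], f["finding"], f["action"]))
```

The review itself is detective; the actions it recommends (disable, reprovision, recertify) are the corrective controls that follow. Note that it produces no finding for an account whose owner is active, whose role matches, and whose review is current, so the signal is only as good as the HR feed and the review dates it is given.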

Firewall and ACL logic are best understood with deny-by-default thinking. Permit only required traffic, review rule order, document business justification, and remove stale rules. Rule sprawl is a common real-world failure.
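Rule order is where deny-by-default goes wrong in practice: a specific allow placed after a broader deny never fires. The following is an added example, not from the original article; it evaluates a first-match ACL with an implicit deny and reports rules that an earlier rule shadows. The rule format, the database host address, and both rule sets are constructed assumptions.

```python
"""Deny-by-default ACL evaluation with first-match ordering, plus a shadowed-rule check.

Added example, not from the original article. The rule format and the two
constructed rule sets illustrate why rule order matters and how a misordered
allow is silently shadowed by an earlier, broader deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination port; None matches any port
    note: str            # business justification, required by the rule review process


def _matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == port))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, Optional[int]]:
    """First matching rule wins. No match means the implicit deny applies (index None)."""
    for i, rule in enumerate(rules):
        if _matches(rule, src, dst, port):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because a single earlier rule covers them.

    Conservative: a rule shadowed only by the union of several earlier rules is not reported.
    """
    shadowed = []
    for i, rule in enumerate(rules):
        r_src, r_dst = ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)
        for earlier in rules[:i]:
            if (r_src.subnet_of(ipaddress.ip_network(earlier.src))
                    and r_dst.subnet_of(ipaddress.ip_network(earlier.dst))
                    and (earlier.port is None or earlier.port == rule.port)):
                shadowed.append(i)
                break
    return shadowed


# Constructed: a database host that only the app tier and one DBA jump host may reach.
DB = "10.20.0.5/32"
MISORDERED = [
    Rule("deny", "10.0.0.0/8", DB, 22, "no SSH to the DB host from the LAN"),
    Rule("allow", "10.10.0.0/16", DB, 5432, "app tier to PostgreSQL"),
    Rule("allow", "10.10.5.7/32", DB, 22, "DBA jump host SSH"),  # never reached: rule 0 covers it
]
CORRECTED = [MISORDERED[2], MISORDERED[0], MISORDERED[1]]  # specific allow before the broad deny

if __name__ == "__main__":
    for name, rules in [("misordered", MISORDERED), ("corrected", CORRECTED)]:
        print(name, "jump host SSH ->", evaluate(rules, "10.10.5.7", "10.20.0.5", 22),
              "shadowed:", shadowed_rules(rules))
```

The shadow check is the automated half of a rule review: a shadowed rule is either a mistake in ordering (as here) or a stale rule that should be removed. Anything not covered by a rule falls through to the implicit deny, which is the deny-by-default posture the paragraph describes.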

NAC can make decisions using identity, certificates, device posture, compliance state, VLAN assignment, quarantine networks, and remediation workflows. A device that fails the checks is typically placed in a restricted or quarantine VLAN instead of receiving full access.

DLP works best when data is classified and policies are tuned. It can inspect data at rest, in motion, and in use across email, endpoints, web traffic, and cloud apps. Untuned DLP creates noise and user frustration.

Monitoring Tools: Know the Differences

IDS watches traffic and alerts. IPS is inline and can block. SIEM centralizes logs, normalizes events, correlates activity, and alerts analysts. SOAR automates response actions using playbooks. EDR focuses on endpoint telemetry and response such as host isolation or process termination. XDR extends visibility across multiple domains. Security+ often tests these by wording: “alert only” suggests IDS or SIEM; “automatically blocks” suggests IPS; “isolates infected endpoint” suggests EDR.

These tools depend on good inputs. A SIEM misses attacks when log sources are not onboarded, timestamps are off, or correlation rules are too weak to catch what is happening. IDS and IPS flood analysts with false positives when signatures are not tuned. EDR can be bypassed or ignored if policies are too permissive. A control that exists but is not maintained is a common exam theme.
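A concrete correlation rule makes the alert-only role of a SIEM, and its dependence on parsable input, visible. The following is an added example, not from the original article: it runs a brute-force rule over constructed SSH authentication log lines, alerting when one source fails five times inside a sliding 60-second window and escalating when that source later succeeds. The log excerpt, the threshold, the window, and the rule names are constructed assumptions; lines the parser does not understand are skipped, which is the "missing log source or bad parsing" failure in miniature.

```python
"""A SIEM-style correlation rule run over constructed SSH auth log lines:
N failed logins from one source inside a sliding window raises an alert, and a
later success from an already-flagged source raises a higher-severity one.

Added example, not from the original article. The log lines, the threshold
(5 in 60 seconds) and the rule names are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, outcome, user, source), or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"], m["user"], m["src"]


def correlate(lines: List[str], threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Detect-only: returns alerts, blocks nothing (that would be an IPS or SOAR action)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # source -> timestamps of recent failures
    flagged = set()                # sources already alerted on
    alerts = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # unparsed lines are invisible to the rule
        ts, outcome, user, src = parsed
        recent = failures[src]
        if outcome == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:  # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": src, "count": len(recent), "at": ts})
        elif src in flagged:
            # A success after the burst is the alert an analyst must look at first.
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": src, "user": user, "at": ts})
    return alerts


# Constructed log excerpt (RFC 5737 documentation addresses); not from any real host.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
2024-03-01T10:00:04Z sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 51523 ssh2
2024-03-01T10:00:05Z sshd[1203]: Failed password for root from 198.51.100.4 port 40001 ssh2
2024-03-01T10:00:07Z sshd[1204]: Failed password for root from 203.0.113.9 port 51524 ssh2
2024-03-01T10:00:09Z sshd[1205]: pam_unix(sshd:session): session opened for user alice
2024-03-01T10:00:10Z sshd[1206]: Failed password for deploy from 203.0.113.9 port 51525 ssh2
2024-03-01T10:00:13Z sshd[1207]: Failed password for deploy from 203.0.113.9 port 51526 ssh2
2024-03-01T10:00:15Z sshd[1208]: Failed password for deploy from 203.0.113.9 port 51527 ssh2
2024-03-01T10:00:21Z sshd[1209]: Accepted password for deploy from 203.0.113.9 port 51528 ssh2
2024-03-01T10:05:00Z sshd[1210]: Failed password for root from 198.51.100.4 port 40002 ssh2
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two failures from 198.51.100.4 five minutes apart never reach the threshold, so the rule stays quiet for that source; 203.0.113.9 crosses it on its fifth failure and then succeeds as "deploy", which is the event worth paging on. Raising the threshold to seven silences both alerts on this excerpt, which is the tuning trade-off the paragraph describes.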

Compensating Controls and Legacy Systems

A compensating control is not just any extra control. It is an alternate measure adopted when the preferred control is not feasible, and it still has to reduce the risk the original control addressed in a meaningful way. In compliance-heavy environments it must be documented, justified, approved, and reviewed; an undocumented workaround is not a compensating control.

A typical legacy-system approach usually looks something like this:

  • Identify the unsupported control, such as MFA or modern EDR
  • Reduce exposure with segmentation or a jump host
  • Restrict administration and access windows
  • Increase logging and monitoring
  • Document exception, residual risk, and retirement plan

That is the logic Security+ expects when the scenario says “legacy,” “vendor appliance,” or “cannot support.”

Framework and Compliance Context

Controls are also shaped by governance requirements. NIST provides widely used cybersecurity frameworks and control catalogs. ISO 27001/27002 defines an information security management approach and reference controls. PCI DSS is a payment-card security standard. HIPAA is a regulation requiring safeguards for protected health information. SOC 2 is an attestation framework based on trust services criteria. They are not identical, but they all push organizations toward specific control choices, evidence collection, and validation.

Evidence can include access review records, training completion reports, firewall rule reviews, restore test results, incident tickets, and change approvals. A control is stronger when you can prove it exists, is operating, and is reviewed.

Two Security+ Scenarios

Ransomware in a hybrid environment: the best answer is layered. Awareness training helps prevent initial clicks. EDR detects and may isolate the host. Segmentation reduces lateral movement. SIEM helps correlate activity. Immutable, offline, or offsite backups support recovery. If the question emphasizes restoring encrypted data, recovery controls matter most. If it emphasizes stopping spread, preventive and corrective controls matter more.

Legacy application cannot support MFA: do not choose MFA if the scenario explicitly says it is unsupported. Better answers include jump host access, network isolation, PAM restrictions, enhanced logging, and formal exception handling. That is a compensating-control question.

How to Answer Control Questions on Exam Day

  1. Ask whether the question is about what the control is or what it does.
  2. Watch for clue verbs such as block, detect, remediate, discourage, substitute, and restore; they usually point at the intended function.
  3. Read the constraints in the scenario: a legacy system, remote users, physical access, a compliance requirement, or a very low tolerance for downtime.
  4. Separate documentation from execution: plan/policy is administrative; performing the process is operational.
  5. Pick the best primary answer, not every technically possible effect.

Common confusion pairs:

  • Administrative vs operational: policy versus performing the process
  • Preventive vs deterrent: blocks versus discourages
  • Detective vs corrective: identifies versus fixes
  • Corrective vs recovery: remediate versus restore
  • SIEM vs SOAR: alerting/correlation versus automated response
  • Least privilege vs need to know: minimum permissions versus minimum information access

Troubleshooting Weak Controls

If a control exists but is ineffective, ask why. Missed SIEM alerts usually trace back to missing log sources, bad parsing, or rules that were never tuned. Failed recoveries usually mean the backups were never tested, the repositories were still reachable by ransomware, or retention was too short. Stale access often points to broken offboarding or weak recertification. NAC problems may come from posture-agent failure, certificate issues, or VLAN misassignment. Physical failures often come from badge sharing, tailgating, or unreviewed visitor logs. Security+ questions often hide the real issue in poor implementation rather than absence of technology.

Rapid-Fire Practice

  • MFA for remote admins = technical, preventive
  • Monthly privileged access review = operational, detective
  • Warning login banner = administrative/technical, deterrent
  • Reimage compromised laptop = operational, corrective
  • Restore database from immutable backup = operational, recovery
  • Mantrap at data center entrance = physical, preventive
  • Jump server for unsupported legacy app = technical, compensating
  • SIEM correlation rule for brute-force attempts = technical, detective

Final Takeaway

Security+ control questions get easier when you classify every answer on two axes: category and function. Administrative controls set the direction, operational controls carry it out, technical controls enforce it, and physical controls protect the facility and keep things available. Preventive controls block, detective controls identify, corrective controls fix, deterrent controls discourage, compensating controls substitute, and recovery controls restore. Keep residual risk in mind, think in layers, and choose the answer that best matches the scenario’s main goal and constraints.