What Is Security control? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
A security control is something you put in place to protect your computer systems and data from threats. It could be a firewall that blocks bad traffic, a password policy that makes people use strong passwords, or a security camera that monitors a server room. These controls work together to reduce the risk of cyber attacks and data breaches.
Common Commands & Configuration
aws config put-config-rule --config-rule file://s3-bucket-public-read-prohibited.jsonDeploys an AWS Config rule that evaluates S3 buckets for public read access, acting as a detective control for governance compliance.
AWS SAA and Security+ exams test understanding of automated compliance checks. This command demonstrates how to apply a preventive/detective control using AWS Config.
New-AzPolicyAssignment -Name 'RequireMFAForAdmins' -PolicyDefinitionId '/providers/Microsoft.Authorization/policyDefinitions/xxx' -Scope '/subscriptions/xxx'Assigns an Azure Policy that requires multi-factor authentication for all administrative accounts, a preventive control.
Azure AZ-104 and SC-900 exams test identity governance. This command shows how policy enforces control at scale.
Set-MpPreference -DisableRealtimeMonitoring $falseEnables Microsoft Defender real-time monitoring on Windows, a detective/preventive control against malware.
MD-102 and Security+ exams test endpoint security controls. Realtime monitoring is a critical preventive control.
New-NetFirewallRule -DisplayName 'Block RDP from Internet' -Direction Inbound -LocalPort 3389 -Protocol TCP -Action BlockCreates a Windows firewall rule blocking inbound RDP from any source, a preventive network control.
CISSP and CySA+ exams test network segmentation. This command demonstrates a manual preventive control.
aws s3api put-bucket-policy --bucket my-secure-bucket --policy file://policy.jsonApplies a bucket policy that restricts access based on source IP or principal, a preventive control for data protection.
AWS SAA exams often ask about S3 security. This command implements a preventive access control.
Enable-AzureRmAutomaticUpdate -VMName 'WebServer01' -ResourceGroupName 'ProdRG'Enables automatic patch management for an Azure VM, a corrective control that keeps the system secure.
AZ-104 and MS-102 exams test patch management as a security control. Automation reduces human error.
Get-MpThreatDetection | Where-Object {$_.InitialDetectionDateTime -gt (Get-Date).AddDays(-7)}Queries Microsoft Defender for threats detected in the last 7 days, a detective control for incident response.
MD-102 and SC-900 exams test detection capabilities. This command helps investigate threats.
Security control appears directly in 227exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
Security controls are a foundational concept in almost every major IT certification exam. For the CompTIA Security+ (SY0-601), the concept of security controls is covered in Domain 2 (Architecture and Design) and Domain 3 (Implementation). You need to know the different categories (preventive, detective, etc.) and types (administrative, technical, physical) of controls, as well as how to apply them in scenarios. Expect questions like "Which of the following is an example of a detective technical control?" or "A company implements a security guard. What type of control is this?"
For the ISC2 CISSP exam, security controls are central to all eight domains, but especially Domain 3 (Security Architecture and Engineering) and Domain 7 (Security Operations). The CISSP uses the NIST SP 800-53 framework extensively. You must be able to classify controls according to the NIST families and understand the control categories. You may get a question about selecting compensatory controls when a primary control is not feasible. The CISSP also expects you to understand how controls are selected based on risk assessment.
For the AWS Certified Solutions Architect Associate (SAA-C03), security controls are part of the Well-Architected Framework's Security Pillar. You need to understand AWS services as security controls. For example, AWS Identity and Access Management (IAM) is a preventive technical control for access. AWS CloudTrail is a detective technical control for logging. AWS Shield is a preventive technical control against DDoS attacks. Questions often ask you to select the most appropriate AWS service to implement a specific type of control.
For the Microsoft exams like MD-102 (Endpoint Administrator), MS-102 (Microsoft 365 Administrator), and SC-900 (Security, Compliance, and Identity Fundamentals), security controls are implemented through Microsoft 365 Defender, Azure Active Directory (now Entra ID), Intune, and compliance policies. You need to know how Conditional Access (a preventive technical control) works, how Data Loss Prevention (DLP) (a detective/preventive control) is configured, and how Mobile Device Management (MDM) (administrative and technical) enforces policies.
For the CompTIA CySA+ (CS0-002, CS0-003), the focus is on detective and preventive controls. You will analyze logs, configure intrusion detection systems, and perform vulnerability management, all of which are security controls. Questions often involve selecting the best control to mitigate a specific vulnerability identified in a scan.
for any exam that touches on security, understanding security controls is not optional. They are the vocabulary of the field. You will be tested on your ability to identify, classify, and recommend the appropriate control for a given scenario. It is not enough to know what a firewall is; you must know that it is a preventive technical control and when to use it versus other controls like an IPS.
Simple Meaning
Imagine you are building a fortress to protect a treasure. You would use many different kinds of defenses. A high wall stops invaders from walking in. A moat makes it hard to reach the wall. Guards check everyone who wants to enter. Locks on the treasure chest keep the gold safe even if someone gets inside. You also have rules – like no keys left in the lock overnight – and procedures – like how to sound an alarm if someone tries to break in. All of these things are security controls.
In the IT world, the treasure is your data and your computer systems. The threats could be hackers, viruses, human error, or even natural disasters like a flood. Security controls are all the measures you take to protect that treasure. They are not just one thing but a whole collection of tools, policies, and people.
There are three main types of security controls, and they are often explained with a simple analogy: a locked door. The first is a physical control, like the lock itself. The second is a technical control, like a keypad that only opens after you enter a code. The third is an administrative control, like a rule that says only certain people are allowed to have the code.
But the analogy can be extended. A security guard is a physical control (a person) but also enforces administrative controls (checking IDs). A fence is a physical control. A firewall on your computer is a technical control that blocks unwanted internet traffic. A company policy that says you must change your password every 90 days is an administrative control.
More importantly, security controls are not just about prevention. Some controls are designed to detect when something bad is happening, like an alarm system. Others are designed to respond to an incident, like a fire extinguisher. And some are designed to help you recover after an incident, like a backup of all your important files.
For example, a firewall is a preventive technical control. An intrusion detection system (IDS) is a detective technical control. A disaster recovery plan is a corrective administrative control. You need all of them because no single control is perfect. Layering them is called defense in depth.
So when you hear the term security control, think of it as any measure, whether it is a tool, a rule, or a person, that helps keep your data and systems safe from threats. The goal is to reduce risk to an acceptable level, not to eliminate all risk, because that is impossible.
Full Technical Definition
A security control is a mechanism, policy, or procedure that mitigates risk to an information system. Risk is the potential for loss or damage when a threat exploits a vulnerability. Security controls are the countermeasures that reduce that risk. They are defined and categorized in various frameworks such as NIST SP 800-53, ISO/IEC 27001, and the CIS Controls.
Security controls are most commonly categorized by their function: preventive, detective, deterrent, corrective, recovery, and compensatory. Preventive controls attempt to stop an incident before it happens. Detective controls identify that an incident has occurred or is occurring. Deterrent controls discourage potential attackers from attempting an attack. Corrective controls fix systems after an incident. Recovery controls bring operations back to normal after a disruption. Compensatory controls are alternative controls when a primary control is not feasible.
Another critical categorization is by type: physical, technical, and administrative. Physical controls protect physical assets, such as locks, fences, guards, and biometric scanners. Technical controls, also called logical controls, protect digital assets, such as firewalls, encryption, intrusion detection systems, and access control lists (ACLs). Administrative controls are policies, procedures, training, and background checks.
In practice, security controls are implemented based on a risk assessment. For example, if a risk assessment shows that unauthorized remote access is a high risk, an organization might implement a technical control like a VPN (Virtual Private Network) with multi-factor authentication (MFA). They would also implement an administrative control like a policy that mandates the use of the VPN and MFA. A physical control might not be directly relevant here, but if the VPN server is in a data center, a physical control like a locked rack would protect the server.
Security controls are not static. They must be monitored, tested, and updated. For example, an antivirus software (a preventive technical control) must have its virus definitions updated regularly. A firewall rule set must be reviewed periodically to ensure it is not too permissive. A company policy (administrative control) must be updated when the law changes or when new threats emerge.
Standards like ISO 27001 require organizations to select controls from Annex A, which lists 114 controls across 14 domains. NIST SP 800-53 has hundreds of controls organized into families like Access Control (AC), Audit and Accountability (AU), and Contingency Planning (CP). The CIS Controls provide a prioritized list of 18 key controls that are very practical for implementation.
When studying for IT certification exams like the CISSP or Security+, you must understand the different categories and types of controls. For example, the CISSP exam often asks to classify a control as administrative, technical, or physical, and also as preventive, detective, or corrective. The Security+ exam (SY0-601) covers both the NIST and the ISO frameworks as well as the concept of defense in depth, which is the strategic layering of different types of controls.
Implementation of security controls often involves specific protocols and technologies. Firewalls use stateful packet inspection (SPI) to prevent unauthorized traffic. Encryption uses algorithms like AES-256 to protect data at rest and TLS 1.3 for data in transit. Multi-factor authentication (MFA) combines something you know (password), something you have (smartphone), and something you are (fingerprint). These are all technical controls. Each has its own configuration, management, and lifecycle.
Understanding security controls also involves understanding their limitations. No control is perfect. An administrative policy is only effective if people follow it and are trained. A technical control like a firewall can be misconfigured. Physical controls can be bypassed. That is why you need multiple layers of controls, a concept known as defense in depth, and why continuous monitoring is essential.
Real-Life Example
Think about how you protect your home when you go on vacation. You do not just lock the front door and hope for the best. You probably use several security controls together, because each one helps in a different way.
First, you lock all doors and windows. That is a preventive physical control – it physically stops someone from just walking in. But a determined thief might break a window, so you also have a home security alarm. That is a detective technical control – it detects if a window is broken or a door is opened and alerts you and the police. The alarm also acts as a deterrent, because the monitoring company sticker on your window might make a thief think twice.
You also might have a rule that you never post your vacation dates on social media. That is an administrative control you enforce yourself. You might ask a neighbor to pick up your mail and newspapers, so it does not pile up and signal that you are away. That is another administrative control. If the power goes out while you are away, and the alarm system has a backup battery, that is a recovery control that keeps the system working.
Now, map this back to IT. Your home is the data center or the server. The locks are the firewall and the access control lists. The alarm system is the intrusion detection system (IDS). The monitoring company sticker is a deterrent control, like a banner on a login page warning that unauthorized access is prohibited. The rule about not posting on social media is an acceptable use policy in a company. The neighbor picking up mail is like a log review process that detects anomalies. The backup battery for the alarm is an uninterruptible power supply (UPS) for servers.
You also have a safe for your valuables inside the house. That is like encryption. Even if a thief gets past the locks and alarm, the safe still protects your jewelry. In IT, even if an attacker bypasses the firewall and IDS, encryption can make the stolen data unreadable.
Finally, you probably have a plan for what to do if a break-in happens – call the police, call your insurance company. That is like an incident response plan, which is a corrective and recovery control. In IT, you have a disaster recovery plan and business continuity plan.
So, just as a secure home uses a combination of physical locks, electronic alarms, and smart rules, a secure IT environment uses a combination of physical, technical, and administrative security controls. The principle is exactly the same: layering defenses so that if one fails, another one is there to protect your most valuable assets.
Why This Term Matters
Security controls are the fundamental building blocks of any cybersecurity program. Without them, data is exposed to threats like unauthorized access, theft, destruction, or corruption. In a practical IT context, security controls are what make compliance with regulations like GDPR, HIPAA, or PCI DSS possible. For example, if you handle credit card data, PCI DSS requires specific controls like encryption, access controls, and regular security audits. If you are a healthcare provider, HIPAA requires controls like audit logs and unique user IDs. Failing to implement proper controls can lead to data breaches, massive fines, and loss of customer trust.
In day-to-day IT operations, security controls are part of almost every task. When you create a user account and assign permissions, you are implementing an access control (technical). When you require multi-factor authentication (MFA) for remote access, you are implementing a technical control. When you run a vulnerability scan, that is a detective technical control. When you review logs for suspicious activity, that is also detective but performed by a person (administrative detective). When you apply a security patch, that is a corrective control.
Security controls are also essential for risk management. You cannot eliminate all risks, but you can reduce them to an acceptable level by choosing the right controls. This is at the core of the risk management framework. A security professional's job is to understand the organization's risks and then select, implement, and maintain the controls that best address those risks. This requires knowledge of the types of controls, their strengths and weaknesses, and how they interact.
understanding security controls is critical for system design. When you design a network architecture, you decide where to place firewalls, where to put intrusion detection systems, how to segment the network, and what kind of encryption to use. All these are security control decisions. A poorly designed system with missing or weak controls can be exploited easily.
Finally, security controls are not just a set of tools. They include people and processes. A state-of-the-art firewall is ineffective if no one knows how to configure it correctly or if the configuration is never reviewed. An encryption policy is useless if users do not understand how to encrypt their files. Therefore, security controls also involve training, awareness, and governance. This holistic view is what makes security a discipline rather than just a tech problem.
How It Appears in Exam Questions
In certification exams, questions about security controls appear in several common patterns. The most common is the classification question. You are given a scenario or a list of actions and asked to identify the type of control. For example, "A security guard checks identification at the entrance. This is an example of what type of control?" The correct answer is physical preventive. Another example: "A company deploys an intrusion detection system. What category of control does this represent?" The correct answer is detective technical.
Another pattern is scenario-based implementation. You are told about a risk or a vulnerability and asked which control would best mitigate it. For example, "A company is concerned about sensitive data being exfiltrated via email. Which control should they implement?" The answer could be Data Loss Prevention (DLP) software, which is a preventive/detective technical control. Or "A company wants to ensure that employees cannot use weak passwords. Which control is most appropriate?" Answer: a password policy (administrative preventive) combined with enforcement through technical controls like account lockout.
A third pattern is the troubleshooting or analysis question. You are given logs or a system description and asked which control failed. For example, "A user was able to access a restricted server. The logs show no authentication failures. Which control likely failed?" Answer: the access control list (ACL) or the firewall rule (preventive technical) was misconfigured.
There are also questions that test your understanding of control categories in depth. For instance, "Which of the following is a deterrent control as opposed to a preventive control?" Deterrent controls do not actually stop an attack, they discourage it. A warning sign is deterrent, a fence is preventive. Or, "What type of control is a backup generator?" Answer: a recovery control (since it helps restore power after an outage).
Finally, some questions ask about the concept of defense in depth. "Which principle is demonstrated by having a firewall, an IDS, and encryption all protecting the same data?" Answer: defense in depth, which is layering multiple security controls.
You should also expect questions that require you to differentiate between similar controls. For instance, the difference between an intrusion detection system (IDS) and an intrusion prevention system (IPS). The IDS is detective, while the IPS is preventive. Another example: the difference between a vulnerability scan (detective) and a penetration test (detective but more active and often includes exploitation).
To prepare, practice classifying controls for everything you study. Every time you learn a new security tool or policy, ask yourself: Is it physical, technical, or administrative? Is it preventive, detective, deterrent, corrective, recovery, or compensatory? This mental habit will serve you well in any exam.
Practise Security control Questions
Test your understanding with exam-style practice questions.
Example Scenario
Imagine you are a security analyst for a mid-sized company called TechMart. The company has an e-commerce website and stores customer data including names, addresses, and credit card numbers. One morning, you receive an alert from the company's intrusion detection system (IDS) that there was a failed login attempt from an unknown IP address on the database server. You start an investigation.
You first check the logs. The IDS recorded 10 failed login attempts over 5 minutes. The logs show that the username 'admin' was used. The IP address is from a foreign country where TechMart does no business. This looks like a brute force attack. The IDS is acting as a detective technical control – it detected the malicious activity.
But you notice that the account lockout policy did not trigger. After 3 failed attempts, the account should have been locked. This is a failure of an administrative control (account lockout policy) that should have been enforced by the system (technical control). You realize that the account lockout threshold was set too high, or maybe it was not configured at all. The system's password policy (another administrative control) might also be weak, allowing the 'admin' account to have a weak password.
To prevent this from happening again, you recommend implementing multiple controls. First, you enforce an account lockout policy after 3 failed attempts (preventive administrative, enforced technically). Second, you require multi-factor authentication (MFA) for the 'admin' account (preventive technical). Third, you configure the firewall to block traffic from that foreign country (preventive technical). Fourth, you set up a rule to alert you immediately when multiple failed login attempts occur (detective technical). Finally, you conduct a training session for all administrators on the importance of strong passwords (preventive administrative).
This scenario shows how a detection event (IDS alert) leads to the discovery of missing or weak controls, and then to the implementation of a layered set of controls to mitigate the risk.
Common Mistakes
Confusing 'preventive' and 'deterrent' controls, thinking they mean the same thing.
A deterrent control discourages an attack but does not physically stop it. A preventive control actively blocks the attack. For example, a 'Beware of Dog' sign is deterrent; a locked gate is preventive. Many learners see both as stopping attacks and fail to differentiate.
Remember: Deterrent is about discouraging (a warning sign), preventive is about stopping (a lock or firewall). Think of the word 'deter' meaning to discourage, not to physically prevent.
Thinking that a firewall is always a 'detective' control because it logs traffic.
A firewall's primary function is to block or allow traffic based on rules. That is its preventive function. Even though it may also log traffic (which is detective), its classification is based on its primary purpose. A control can have multiple functions, but exam questions often ask for the primary or best fit.
When classifying a control, ask 'What is this control designed to do first?' If it blocks, it is preventive. If it only alerts, it is detective. A firewall is designed to block first, log second.
Assuming all technical controls are automated and all administrative controls are just paperwork.
Technical controls are indeed usually automated, but administrative controls include training, policy development, and incident response procedures, which are not just 'paperwork.' They are active practices that require human effort. Both are equally important.
Think of administrative controls as the 'people and process' side. They are rules and procedures that people follow. Technical controls are tools and systems that enforce or support those rules.
Believing that a single control is sufficient to protect an asset.
This violates the principle of defense in depth. No single control is perfect. A firewall can be misconfigured, a password can be stolen, a security guard can be distracted. Multiple layers of controls reduce the risk of a complete failure.
Always think in layers. For any valuable asset, imagine a 'what if' scenario for each control. If the firewall fails, what else protects the data? That second control is another layer.
Mixing up 'corrective' and 'recovery' controls.
Corrective controls fix the damage after an incident, like restoring a file from backup. Recovery controls are about returning to normal operations, like a backup generator. They are closely related, but corrective aims to reverse the harm, while recovery aims to restore service continuity.
Think of corrective as 'fixing the problem' (e.g., patching a vulnerability). Think of recovery as 'getting back to normal' (e.g., restoring from backup).
Forgetting that physical controls are a category of security controls, not separate from them.
Some learners focus only on technical controls like firewalls and encryption, ignoring physical controls like locks, cameras, and guards. In reality, physical security is critical, especially for data centers and endpoints.
Every time you think of a security control, consciously ask if there is a physical aspect. For example, encryption protects data, but if someone steals the laptop, that is a physical breach. The laptop's lock is a physical control.
Exam Trap — Don't Get Fooled
{"trap":"The exam gives a list of controls and asks you to identify which one is 'administrative' but includes 'firewall rules' and 'access control lists' in the options. The learner sees 'rules' and 'lists' as administrative and chooses them, but they are technical controls implemented in a system.","why_learners_choose_it":"The word 'rules' and 'lists' sound like policies or administrative documents.
Learners think of the policy itself, not the technical implementation. They forget that a firewall rule is a technical control because it is configured in software and operates automatically.","how_to_avoid_it":"Remember the distinction: Administrative controls are about human behavior and organizational processes.
Technical controls are about technology configurations. A firewall rule is a technical control because it is a software configuration. The policy that requires the rule is administrative, but the rule itself is technical."
Commonly Confused With
A countermeasure is essentially a synonym for a security control. However, 'countermeasure' is often used in a more specific military or intelligence context, implying a direct action against a specific threat. In IT, 'security control' is the broader, more standard term used in frameworks like NIST. Both mean a safeguard against risk.
A firewall is both a security control and a countermeasure against network intrusions.
Safeguard is also a synonym for security control, but it can sometimes imply a more passive measure, like an insurance policy. In risk management, a safeguard is anything that reduces risk. Security control is the preferred term in most certification frameworks, but you will see 'safeguard' used in ISO 27001 and older texts.
Encryption is a safeguard that protects data confidentiality, and it is also a security control.
A policy is an administrative security control. It is a document that defines rules and expectations. A security control is the broader category that includes policies, but also includes the technical tools and physical measures that enforce those policies. Not all controls are policies, but all policies are controls.
A password policy (administrative control) sets the rule, but the system enforcing minimum password length is a technical control.
A procedure is a step-by-step guide on how to implement a policy or perform a task. It is a type of administrative security control. A security control can be a procedure (like how to respond to an incident), but it can also be a tool (like a firewall). The key is that procedures are about actions people take, not about technology.
The procedure for resetting a password is an administrative control, while the tool that sends the reset email is a technical control.
Defense in depth is not a single control, but a strategy of layering multiple security controls. It is the principle behind having firewalls, IDS, encryption, and policies all protecting the same data. Learners often confuse the strategy with the individual controls themselves.
A castle uses a moat (physical), a portcullis (physical), a watchtower (physical/detective), and guards (administrative). That is defense in depth. Each element is a security control.
Step-by-Step Breakdown
Identify Assets and Risks
The first step is to determine what you are protecting (assets) and what threats exist (risks). For example, you identify that customer payment data (asset) is at risk from hackers (threat). Without this step, you cannot choose the right controls.
Select Control Type by Function
Based on the risk, decide what function the control should perform. Do you need to prevent the attack (preventive), detect it (detective), or recover from it (corrective)? Often you will need a combination. For payment data, you need preventive controls (firewall) and detective controls (intrusion detection).
Choose Control Category
Decide if the control should be physical, technical, or administrative. For example, you might choose a technical control like encryption for the data and an administrative control like a policy requiring encryption. Physical controls might be used for the servers storing the data.
Implement the Control
This is the deployment phase. For a technical control, you install and configure the software or hardware. For an administrative control, you write the policy and train staff. For a physical control, you install locks, cameras, or barriers.
Document the Control
You must record what controls have been implemented, why they were chosen, and how they are configured. This documentation is essential for audits, compliance, and troubleshooting. For example, a firewall rule base should be documented with a purpose for each rule.
Monitor the Control
After implementation, continuously monitor the control to ensure it is working as intended. A firewall should be monitored for blocked traffic patterns. Logs should be reviewed. Detection controls must generate alerts. This step often involves a Security Information and Event Management (SIEM) system.
Review and Update the Control
Security controls are not static. New vulnerabilities emerge, technology changes, and business requirements evolve. The control must be reviewed periodically (e.g., annually) and updated. For example, firewall rules should be pruned to remove stale rules. Policies should be revised when the organization grows.
Test the Control
Periodically test the control to verify it is effective. This could be through vulnerability scanning (for technical controls), tabletop exercises (for administrative controls), or physical penetration testing (for physical controls). Testing reveals weaknesses that need to be addressed.
Respond to Control Failures
When a control fails (e.g., an intrusion bypasses the firewall), you must have a process to respond. This is where corrective and recovery controls come into play. You fix the failed control and implement additional layers if needed.
Repeat the Cycle
Risk management and security control selection is a continuous cycle. As new risks emerge, you return to step one and reassess. This ensures your security posture stays effective over time.
Practical Mini-Lesson
Security controls are not just theoretical concepts; they are deployed daily by IT professionals. As a system administrator, you regularly interact with security controls. For example, when you create a new user in Active Directory, you assign group memberships. That is an access control (technical preventive). When you enable auditing on a sensitive folder, that is a detective control. When you apply a Group Policy Object (GPO) that sets a password complexity requirement, that is a technical preventive control that enforces an administrative policy.
In practice, a common challenge is balancing security with usability. A very strict control might frustrate users, causing them to find workarounds (like writing passwords on sticky notes). This is why security professionals must understand not just how to implement controls, but how to design them in a way that does not hinder productivity too much. For example, implementing single sign-on (SSO) with multi-factor authentication (MFA) can provide strong security without requiring users to remember multiple passwords.
Another practical consideration is cost. Every security control has a cost, whether it is the price of a license, the time to configure it, or the maintenance overhead. Organizations with limited budgets must prioritize the most critical controls. This is often done using a risk-based approach: implement controls for the highest risks first. For example, a small business might not have a budget for an expensive SIEM, but they can still implement strong password policies, enable logging on critical servers, and regularly review those logs manually (though it is less efficient).
Configuration management is another key practice. Every configuration change to a security control should be documented, tested, and approved. For instance, if you need to open a port in the firewall for a new application, you should submit a change request, get it approved, make the change, and then monitor for unintended consequences. This prevents mistakes that create vulnerabilities.
Finally, automation is increasingly important. Tools like Ansible, Terraform, or cloud-native services can automate the deployment and configuration of security controls. For example, you can write a script that automatically enables encryption on all new cloud storage buckets as soon as they are created. This ensures that controls are applied consistently and reduces the chance of human error.
What can go wrong? A common issue is over-reliance on a single control. If you only have a firewall and it fails, you have no protection. Another common issue is misconfiguration. For instance, a firewall rule that is too permissive can render the firewall useless. A third issue is lack of monitoring. You might have an IDS, but if no one is watching the alerts, it is just a noise generator. The practical lesson is that security controls require not just deployment, but ongoing care: monitoring, maintenance, and improvement.
Understanding Security Control Classification Frameworks
Security controls form the backbone of any governance, risk, and compliance (GRC) strategy. In the context of security governance, controls are typically classified using established frameworks such as NIST SP 800-53, ISO 27001, and the CIS Controls. The most common approach, especially for certifications like CISSP and Security+, is to categorize controls by their nature: preventive, detective, corrective, deterrent, compensating, and directive.
Preventive controls, such as firewalls and access control lists, aim to stop incidents before they occur. Detective controls, like intrusion detection systems and audit logs, identify ongoing or past malicious activity. Corrective controls, including backups and incident response plans, restore normal operations after an incident.
Deterrent controls, like warning banners and security guards, discourage potential attackers. Compensating controls provide alternative protection when a primary control cannot be implemented, such as using multi-factor authentication when smart cards are not feasible. Directive controls, such as security policies and procedures, define acceptable behavior.
In governance, moreover, controls are often aligned with three functional categories: administrative (policies, training, risk assessments), technical (encryption, firewalls, IDS), and physical (locks, cameras, biometrics). For the AWS SAA exam, understanding these categories helps in designing secure architectures where controls are layered to provide defense in depth. For the CISSP, candidates must know how to select and implement controls based on risk assessments and legal requirements.
For the CySA+ and Security+, exam questions often ask you to match a given scenario with the correct control type. For example, a question might describe a firewall as a preventive technical control, or an incident response plan as a corrective administrative control. The key is to remember that no single control is sufficient; a robust security posture requires a combination of all types, implemented according to the organization's risk appetite and compliance obligations.
Controls are not static; they must be continuously monitored and updated through change management and vulnerability assessments. In real-world governance, controls are documented in a System Security Plan (SSP) and are subject to audit. If a control fails, compensating controls must be activated to bridge the gap.
In cloud environments like Azure and AWS, control implementation often involves services such as AWS Config, Azure Policy, and Security Center, which automate compliance checks. For the SC-900 and MS-102 exams, you need to know how Microsoft 365 Defender and Azure Sentinel serve as detective and corrective controls. Unserstanding this taxonomy not only helps you pass exams but also prepares you to design resilient security architectures that withstand evolving threats.
Security Control Implementation Lifecycle and Governance
The lifecycle of a security control extends from initial design through decommissioning, and is a critical concept in security governance. The process typically begins with a risk assessment that identifies assets, threats, vulnerabilities, and potential impacts. Based on this assessment, security requirements are defined, and appropriate controls are selected from frameworks such as NIST SP 800-53 or ISO 27001.
For example, if a high-risk data asset is identified, a preventive control like encryption (data-at-rest and in-transit) might be selected. The next phase is implementation, which includes configuration, deployment, and integration with existing systems. In cloud environments, this often involves using Infrastructure as Code (IaC) tools like Terraform or AWS CloudFormation to ensure consistent and repeatable deployments.
Testing is critical before going live: controls must be verified to work as intended without breaking business processes. For instance, a network firewall rule might be tested in a staging environment before applying to production. After deployment, the control enters the monitoring and maintenance phase.
This is where automated tools like Azure Policy, AWS Config, or Defender for Cloud continuously assess compliance with control baselines. Alerts are generated if a control drifts from its desired state, such as when an S3 bucket becomes public unintentionally. In governance, this phase also includes periodic control reviews and audits, often tied to frameworks like SOC 2 or PCI DSS.
If a control is found to be ineffective or obsolete, remediation actions are taken, which may involve updating configurations, applying patches, or replacing the control entirely. Decommissioning, the final phase, occurs when a control is no longer needed, for example, when a system is retired. Proper decommissioning ensures that security is not inadvertently weakened; for instance, removing old firewall rules that might leave a gap.
For the AZ-104 and AWS SAA exams, you can expect questions about how to automate the control lifecycle using Azure Policy or AWS Config rules. For the CISSP, you need to understand the governance aspects, including change management and the role of the CISO in approving control changes. Real-world governance also requires documentation at every step: risk registers, control catalogs, and evidence of control effectiveness.
In exams like CySA+, scenarios often present a situation where a control fails during an audit, and you must choose the correct remediation step. Remember that controls are not set-and-forget; they require ongoing investment in people, process, and technology. A missing patch or misconfiguration can undo all preventive measures.
The best approach is to integrate security controls into DevOps pipelines (DevSecOps) so that security is built in from the start, a concept heavily tested in modern cloud certifications.
Security Control Cost, Efficiency, and Risk Trade-offs
One of the most challenging aspects of security governance is balancing the cost of security controls against the risks they mitigate. Organizations have limited budgets, and spending on controls must be justified through a cost-benefit analysis. This is a core competency for security leaders and is frequently tested on the CISSP and Security+ exams.
The cost of a control includes not only the purchase or licensing fee but also implementation, training, maintenance, and opportunity costs. For example, implementing a full-scale SIEM system can be expensive due to log storage, analyst hours, and constant tuning. On the other hand, the cost of not implementing a control is the potential loss from a security incident, including data breach fines, reputational damage, and operational disruption.
The equation is not always straightforward: a small business may decide that a low-cost detective control like log monitoring is sufficient, while a financial institution may need expensive preventive controls like hardware security modules (HSMs). In cloud environments, cost is often a major driver. For the AWS SAA and Azure AZ-104 exams, you must understand how to choose cost-effective controls.
For instance, using AWS WAF and AWS Shield for DDoS protection can be more cost-efficient than building a custom solution. Similarly, Azure DDoS Protection Standard provides a cost-effective way to mitigate large-scale attacks. However, if the risk of DDoS is low, the control may not be justified.
Another key concept is the efficiency of controls: a control that is too complex or slow may be bypassed by users, leading to shadow IT or workarounds. For example, overly restrictive firewall rules might cause employees to use personal devices or unapproved cloud services. Effective governance requires that controls are both preventive and usable.
Compensating controls can sometimes provide a more cost-efficient alternative, such as using multi-factor authentication instead of expensive biometric systems. For the MS-102 and SC-900 exams, understanding how Microsoft’s security products balance cost and efficiency is essential. For example, Microsoft 365 Business Premium includes security controls like Conditional Access and Microsoft Defender for Office 365 at a lower tier cost compared to E5 licenses.
In exam scenarios, you might be asked to recommend a control based on a given budget and risk profile. The correct answer often involves selecting a detective control over a preventive one if the risk is low, or choosing a compensating control when the primary control is too expensive. Governance frameworks like NIST require a cost-benefit analysis as part of the risk management process, documented in the risk register.
Failing to consider cost can lead to underfunded security programs or wasteful spending. For the CySA+, you must analyze trade-offs when recommending remediation after a vulnerability scan: patching all systems immediately may be too disruptive, so a compensating control like a host-based firewall might be a better interim solution. Overall, understanding the economic dimension of security controls is what separates a good security architect from a great one.
Continuous Monitoring and Automation of Security Controls
Continuous monitoring is a fundamental principle of security governance, ensuring that controls remain effective over time despite changing threats and environments. Manual checks are no longer sufficient; automation is key to achieving real-time visibility and rapid response. For the AWS SAA, MD-102, and AZ-104 exams, you must understand how cloud-native services enable automated compliance monitoring.
For example, AWS Config continuously tracks resource configurations and evaluates them against desired policies, such as requiring S3 buckets to be private. If a bucket becomes public, AWS Config can trigger an automatic remediation action via AWS Lambda or CloudFormation. In Azure, Azure Policy similarly enforces compliance rules, and Azure Security Center provides a dashboard of control effectiveness.
For the SC-900 and MS-102 exams, you need to know how Microsoft 365 Defender integrates with Microsoft Sentinel to automate detection and response. Defender for Cloud Apps can monitor user activity and apply Conditional Access policies to enforce controls automatically. The goal of automation is to reduce the mean time to detect (MTTD) and mean time to respond (MTTR).
In a governance framework, continuous monitoring also generates audit evidence required by compliance standards like PCI DSS, HIPAA, or SOC 2. Automated logging, using services like AWS CloudTrail, Azure Monitor, and Microsoft 365 Audit Log, captures every control-related event. These logs can be ingested into a SIEM for correlation and alerting.
For example, if a firewall rule is changed without authorization, the SIEM can trigger an alert and even initiate a rollback. Automation also extends to patch management: tools like AWS Systems Manager Patch Manager and Azure Update Management can schedule and deploy patches automatically, ensuring that preventive controls (patching vulnerabilities) are maintained. In real-world governance, however, automation must be carefully designed to avoid false positives that can lead to alert fatigue or inadvertent service disruption.
A common exam topic is the principle of least privilege in automation: service accounts used for automated remediation must have only the permissions needed. For the CySA+ and Security+, you will encounter scenarios where a control fails due to a misconfiguration that was not caught by monitoring. The correct response is often to improve monitoring by adding a specific alert or changing a policy.
For the CISSP, the focus is on the governance structure: who reviews monitoring reports, how often, and how exceptions are handled. Another key aspect is the use of security orchestration, automation, and response (SOAR) tools. While not always covered in foundational exams, SOAR is relevant for the CISSP and advanced roles.
SOAR platforms take automated response a step further by integrating multiple controls into playbooks. For example, if an intrusion detection system (IDS) detects a potential breach, a SOAR playbook might automatically isolate the affected host, block the IP address at the firewall, and notify the incident response team. For exam preparation, remember that continuous monitoring is not just a technical activity but a governance process that requires defined metrics, reporting cadence, and accountability.
In many exams, you will be asked to choose the best way to ensure a control is working: scanning logs, using automated compliance tools, or running periodic penetration tests. The best answer typically involves a combination of automated monitoring and periodic manual validation. Ultimately, automation allows organizations to maintain a strong security posture at scale, which is essential in modern cloud and hybrid environments.
Troubleshooting Clues
Misconfigured Security Control - Policy Drift
Symptom: An AWS Config rule that previously passed compliance now shows 'Noncompliant' for a resource without any obvious manual changes.
Policy drift occurs when a resource's configuration changes due to automated processes, updates, or unintentional modifications by other services. For example, an IAM role may be updated by another automation script that overrides the original control.
Exam clue: In AWS SAA exams, policy drift is a common scenario. The correct solution is often to enable AWS Config auto-remediation or use CloudFormation StackSets to enforce consistent configurations.
Security Control Failure Due to Network Segmentation
Symptom: Firewall rules are in place, but an internal host is still able to reach an external malicious IP on port 443.
This may indicate that a firewall rule is misordered, or that a default allow rule exists before the block rule. The rule might not be applied to the correct subnet or network interface. In Azure NSGs, rule priority is critical: lower numbers are evaluated first.
Exam clue: AZ-104 and Security+ exams test NSG rule evaluation order. The answer often involves checking rule priority or ensuring the rule is applied to the correct subnet.
Intrusion Detection System (IDS) Not Alerting on Known Attack
Symptom: A penetration test using a known SQL injection payload does not trigger an IDS alert, and no logs appear.
The IDS signature database may be outdated, or the sensor may be placed on the wrong network segment. It could also be that the traffic is encrypted and the IDS cannot inspect it.
Exam clue: CISSP and CySA+ exams test placement of detective controls. The correct solution might be to update signatures or use a network tap for inline inspection.
Application Control Bypass via PowerShell
Symptom: AppLocker is configured to block executables, but an attacker runs a malicious script using PowerShell.
AppLocker by default does not restrict scripts unless specifically configured with script rules. PowerShell can also bypass restrictions using command-line parameters like -ExecutionPolicy Bypass.
Exam clue: MD-102 and Security+ exams test application control weaknesses. The answer often involves extending controls to PowerShell execution policies or using WDAC (Windows Defender Application Control).
Compliance Control Failure - Missing Encryption on Azure Storage
Symptom: Azure Policy reports that a storage account does not have infrastructure encryption enabled, even though the admin thought it was set.
Infrastructure encryption is a separate setting from the default Azure Storage encryption. It must be explicitly enabled at account creation time and cannot be changed later.
Exam clue: AZ-104 and SC-900 exams test encryption controls. The solution is to recreate the storage account with infrastructure encryption enabled, or use a different control like Azure Policy to deny non-compliant creations.
DLP Policy Not Triggering on Sensitive Data in Email
Symptom: A Data Loss Prevention policy is configured in Microsoft 365 to block credit card numbers, but an email containing such numbers is sent out without alert.
The DLP policy may be in test mode (not enforced), the email might be encrypted and not scanned, or the sensitive info type definition may not match the exact format (e.g., spaces in the number).
Exam clue: MS-102 and SC-900 exams test DLP policy configuration. Candidates must check policy mode, scoping, and sensitive info type accuracy.
Conditional Access Policy Not Applying to Guest Users
Symptom: An Azure Conditional Access policy requiring MFA for external access does not trigger when a guest user signs in.
Conditional Access policies must explicitly include 'Guest or external users' in the assignment scope. By default, they often apply only to member users.
Exam clue: SC-900 and MS-102 exams test identity governance. The correct fix is to modify the policy to include external users.
Memory Tip
Think of the acronym 'PAD' to remember the three categories: Physical, Administrative, and Detect... wait, that is not right. Use 'TPA' - Technical, Physical, Administrative, in that order. For the functions, remember 'PDDRCC' - Preventive, Detective, Deterrent, Recovery, Corrective, Compensatory. Or use the mnemonic 'People Do Dumb Random Computing Chores' as a silly way to remember the first letters: Preventive, Detective, Deterrent, Recovery, Corrective, Compensatory.
Learn This Topic Fully
This glossary page explains what Security control means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →MD-102MD-102 →MS-102MS-102 →AZ-104AZ-104 →SC-900SC-900 →SY0-701CompTIA Security+ →SAA-C03SAA-C03 →220-1102CompTIA A+ Core 2 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
A/B testing is a controlled experiment that compares two versions of a single variable to determine which one performs better against a predefined metric.
Quick Knowledge Check
1.Which type of security control is designed to reduce the impact of an incident after it has occurred?
2.A company has a budget constraint and cannot afford a full SIEM. They decide to implement manual log review as a detective control. This is an example of which type of control?
3.In AWS, which service is used to continuously monitor resource configurations against security baselines and report non-compliance?
4.An organization's firewall blocks inbound traffic on port 3389 to prevent RDP attacks. This is an example of which control combination?
5.If a security control fails during an audit, which governance document should document the compensating control used?
Frequently Asked Questions
What is the difference between a security control and a security measure?
They are essentially the same thing. 'Security control' is the more formal term used in risk management frameworks and certification exams. 'Security measure' is a more general term. Both refer to any action, device, or policy that reduces risk.
Can a single tool be both a preventive and a detective control?
Yes, many tools have multiple functions. For example, an intrusion prevention system (IPS) can both detect malicious traffic (detective) and block it (preventive). However, when asked in an exam, the classification is typically based on the primary function. The IPS is primarily preventive. A firewall with logging is primarily preventive, but its logging function is detective.
Are encryption keys considered security controls?
The key itself is not a control; it is a credential. The encryption algorithm and the key management system are the security controls. A key management policy (administrative control) dictates how keys are generated, stored, and rotated. The encryption software is a technical control.
What is a compensatory control?
A compensatory control is an alternative control used when the primary control is not feasible or cost-effective. For example, if you cannot implement a biometric scanner due to budget constraints, you might use a longer, more complex password policy as a compensatory control. Compensatory controls must provide a similar level of protection.
How do I know which control to implement for a given risk?
First, identify the risk (threat and vulnerability). Then, decide what outcome you need: prevent, detect, correct, etc. Then choose the most appropriate type (physical, technical, administrative) based on cost, feasibility, and effectiveness. Always consider layering multiple controls (defense in depth).
Is a security policy a control?
Yes, a security policy is an administrative control. It is a document that establishes rules and expectations. However, a policy is only effective if it is enforced by technical controls or followed by people. A policy without enforcement is often just a piece of paper.
What is the most important security control?
There is no single most important control; it depends on the context. However, many professionals consider access control (ensuring only authorized people can access resources) as fundamental. Multi-factor authentication (MFA) is often cited as a highly effective control. But defense in depth means no single control is sufficient.