Domain 1 of 5 · Chapter 1 of 4

Security Controls

The full category x type matrix, cell by cell

SY0-701 Objective 1.1 asks you to compare and contrast ten control words it names in one breath: "technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, and directive"[1], and the trick is seeing that they are not one flat list but two independent axes. The overview established that split: four categories (technical, managerial, operational, physical) crossed with six types (preventive, deterrent, detective, corrective, compensating, directive), so every control gets one label from each. This section fills in the full grid so you can place any control the exam throws at you into exactly one cell on each axis, with a concrete example for every combination that actually occurs. The matrix below lays out those two axes as a grid: the four categories run down the side, the six types across the top, and every control occupies exactly one cell.

Why every control needs both labels

The category answers how is this control implemented, and CompTIA pins each category to an implementer. Technical (sometimes called logical) controls are enforced by hardware, software, or firmware with no human in the loop at execution time. Managerial controls are administrative: they are the policies, risk assessments, and planning documents that govern the program. Operational controls are executed by people as part of day-to-day work. Physical controls are tangible barriers in the real world. The type answers what does this control do relative to an incident: stop it, discourage it, discover it, repair it, substitute for a missing control, or instruct people. Because the axes are orthogonal, the same purpose shows up across multiple categories, and the same category hosts multiple purposes.

The grid, with one worked example per realistic cell

Preventive Deterrent Detective Corrective Compensating Directive
Technical Firewall rule / ACL; MFA enforcement Login banner warning of monitoring IDS, SIEM alert, log review IPS resets the session; restore from backup; patch the exploited flaw Network segmentation while a patch is pending; extra monitoring System-enforced password-policy prompt
Managerial Pre-employment background check; security policy that mandates an architecture Published sanction / disciplinary policy Periodic access review; internal audit Updated risk-treatment plan after an incident Documented exception with added oversight Acceptable-use policy; standards & procedures
Operational Security-awareness training before access; guard who refuses tailgaters Visible guard patrol Guard watching CCTV; log monitoring shift Incident-response team executing the runbook Manual review step replacing an unavailable automated check Posted operating procedure staff must follow
Physical Locked door, bollard, mantrap, fence "Beware of dog" / no-trespassing sign, visible fence CCTV recording, motion sensor, door-contact alarm Fire suppression discharging; backup generator starting Security guard in place of a broken badge reader Signage directing visitors to check in

Read the grid as examples, not as the only valid answer per cell. A stem supplies the emphasis that fixes the type. The cells that trip people up are the duplicates, where one mechanism lands in several type columns of the same category row. A guard, for instance, sits in three operational cells at once (preventive, deterrent, and detective) and how to pick between them is Classifying any control on both axes (Step 4). CompTIA expects you to name the type the scenario stresses.

CCTV is the canonical "category fixed, type varies" trap

A closed-circuit camera is technical by category in CompTIA's framing (it is a hardware/software system), and that does not change. What changes is its type: a camera that merely records for later review is detective; a prominently visible camera meant to make attackers think twice is deterrent; it is never preventive on its own, because recording an intrusion does not stop it. The frequent wrong answer marks CCTV as preventive. Recognise that recording is after-the-fact discovery, so the type is detective (or deterrent if visibility is the point), never preventive.

Compensating is not "a second layer"

The single most over-selected wrong type is compensating. A compensating control is a deliberate substitute chosen because the required primary control genuinely cannot be implemented, for example, isolating a legacy server on its own VLAN with heightened monitoring because the vendor patch breaks the application. It is not just "another preventive control you added for depth." If the primary control is present and you are merely layering, the added control is preventive/detective/etc. in its own right, not compensating. The exam tell for compensating is explicit infeasibility language: "cannot patch right now," "the vendor no longer supports," "in place of," "as an alternative to."

Type axis - what the control does to a threat Preventive Deterrent Detective Corrective Compensating Directive Category axis - who or what implements it Technical Managerial Operational Physical The two axes are orthogonal: every control takes one category label and one type label. The same purpose recurs down a column; the same category hosts many purposes across a row.
The control taxonomy as two independent axes: four categories (who implements) down the side, six types (what it does) across the top.

Classifying any control on both axes

Given an arbitrary control, you should be able to assign its category and its type mechanically, then sanity-check the pair against how CompTIA frames the control families. This section is the four-step procedure plus the framework anchor; the figure below traces the same Step 1 to Step 4 path.

Step 1 - category from the implementer

Ask who or what enforces this at the moment it acts:

  • Enforced by hardware/software/firmware with no person required at execution -> technical (firewall, MFA, encryption, ACL, IDS/IPS, antivirus).
  • A document, policy, plan, or governance activity -> managerial (risk assessment, security policy, background-check policy, change-management approval gate).
  • A person performing a task -> operational (awareness training delivery, log-review shift, incident-response execution, a guard's actions).
  • A tangible real-world barrier or device -> physical (fence, lock, bollard, mantrap, badge reader, CCTV hardware, fire suppression).

Watchpoints: a policy that mandates a firewall is managerial (the document), while the firewall itself is technical. Awareness training is operational because people deliver and consume it, even though its subject is technical. A badge-reader system is physical (the door hardware) even though software drives it. CompTIA classifies access-control hardware at the door as physical.

Step 2 - type from the timing word

Ask what does it do relative to the incident, and match the scenario's verb:

Scenario language Type
"stop / block / prevent before it happens" Preventive
"discourage / make them think twice / warn off" Deterrent
"detect / alert / discover / identify after the fact" Detective
"recover / restore / remediate / fix the damage" Corrective
"instead of / cannot implement the required control, so we..." Compensating
"policy / procedure / standard that tells staff what to do" Directive

Step 3 - cross-check against the control framework

The SY0-701 taxonomy is the security-industry vocabulary CompTIA tests, and it maps cleanly onto the catalog in NIST's Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)[2], which organises every control into named families such as Access Control, Audit and Accountability, Contingency Planning, Incident Response, and Physical and Environmental Protection. The mapping is intuitive: NIST's Physical and Environmental Protection family is where most CompTIA physical controls live; Access Control and System and Communications Protection hold technical preventive controls; Audit and Accountability holds technical detective controls; Contingency Planning and Incident Response hold corrective controls; and the Planning, Program Management, and policy families hold managerial/directive controls. You do not need the two-letter family identifiers for SY0-701, but recognising that a real control catalog spreads controls across the whole threat lifecycle reinforces why defense in depth wants a deliberate mix of types rather than a stack of preventive controls.

Step 4 - resolve multi-membership by emphasis

Many real controls satisfy more than one type. The rule is: the category is usually fixed, the type follows the scenario's stated objective. A guard is always operational; whether you label the guard preventive (turning people away at the gate), deterrent (visibly patrolling), or detective (spotting an anomaly) depends on the verb the sentence emphasises. A backup is always technical; it is preventive against data loss in principle but the exam almost always frames restoring from backup as corrective (it acts after the incident). When two types seem to fit, pick the one the verb in the stem emphasises. Treat the result as compensating only when it is a substitute for a primary control the scenario says is infeasible; otherwise it is not compensating and keeps the type it earned in Step 2.

Step 1 - category from the implementer technical / managerial / operational / physical Step 2 - type from the timing word preventive / deterrent / detective / corrective / directive Step 3 - cross-check against the framework NIST SP 800-53 control families Step 4 - resolve multi-membership category fixed; type follows the emphasised verb. Required primary control infeasible? Yes - infeasible No Compensating substitute for the primary control Not compensating preventive / deterrent / detective A guard is always operational; preventive, deterrent, or detective follows the emphasised verb.
The four-step classification procedure: category from the implementer, type from the timing word, cross-check against NIST families, then resolve multi-membership.

Exam-pattern recognition for SY0-701 control questions

Objective 1.1 is part of Domain 1, which is 12% of the scored SY0-701 exam[1], and control-classification items follow a handful of repeatable shapes. Naming the pattern lets you answer on recognition rather than recall; each pattern just reuses the category step and type step from Classifying any control on both axes above.

Pattern 1 - "What category is this control?"

The stem names one mechanism and the four options are the categories (technical / managerial / operational / physical). Decide by the implementer (Step 1 above), and watch the two classic traps: (a) a policy that mandates a technical control is managerial, not technical (the document is the control, not the firewall it requires); (b) security-awareness training is operational, not technical, because people deliver and perform it. A fence, lock, or bollard is physical; encryption, ACLs, and MFA are technical.

Pattern 2 - "What type is this control?"

The stem names a mechanism plus its purpose, and the options are the six types. Match the timing word (Step 2 above). The highest-frequency distractors all dress an after-the-fact or warn-only control as preventive:

  • CCTV / a camera offered as preventive -> wrong; recording is detective, visibility is deterrent (see the CCTV trap in The full category x type matrix).
  • A login banner / warning sign offered as preventive -> wrong; it only discourages, so it is deterrent.
  • Restore-from-backup or patch-the-flaw offered as preventive -> wrong; it acts after the incident, so it is corrective.
  • Any "extra layer" offered as compensating when no primary control is infeasible -> wrong; it keeps its own type. Compensating needs the explicit "cannot implement the required control" / "in place of" language from The full category x type matrix.

Pattern 3 - "Pick the BEST control for this objective"

The stem states a goal and asks which control fits. Translate the goal into a type first, then a category, then to the specific option:

  • "We need to discourage people from entering the data center" -> deterrent -> a visible sign or guard, not a lock (a lock is preventive).
  • "We need to detect unauthorised changes" -> detective -> file-integrity monitoring / audit logging, not a firewall.
  • "We cannot apply the vendor patch but must reduce exposure" -> compensating -> segmentation or added monitoring, explicitly because the patch (the primary control) is infeasible.
  • "We need staff to know what is and is not allowed" -> directive -> an acceptable-use policy, not a technical block.

Pattern 4 - the "two correct-sounding" multi-membership item

The stem describes a guard, a camera, or a backup, and two of the six types both look right. Apply the Step 4 rule from Classifying any control on both axes: the category is fixed, so read the verb the stem emphasises to pick the type. A visible guard at the gate is deterrent; the same guard checking badges and turning people away is preventive; the same guard noticing and reporting an anomaly is detective. There is no single universally-correct type. A backup follows the same test: it is corrective when the scenario is about recovering after data loss, because the exam rewards the after-the-incident framing.

Pattern 5 - the framework / coverage question

A stem describes an environment that relies entirely on preventive technical controls and asks what is missing or weakest. The exam-correct instinct is defense in depth: a healthy program deliberately spans the threat lifecycle, so the gap is usually detective controls (you cannot see an incident you failed to prevent) and corrective controls (you cannot recover from one). This mirrors how the NIST SP 800-53 catalog[2] spreads controls across families covering identification, protection, detection, response, and recovery rather than concentrating them in one place. The wrong answer adds yet another preventive control; the right answer adds the missing lifecycle stage.

Control types: purpose, timing, and example

Control typePurposeWhen it acts (vs. incident)Example (with category)
PreventiveStop an incident from occurringBeforeFirewall rule / ACL (technical); locked door (physical)
DeterrentDiscourage an attacker from attemptingBefore“Beware of dog” / trespassing sign (physical); visible patrol (operational)
DetectiveDiscover an incident in progress or afterwardDuring / afterIDS, log review (technical); CCTV monitoring (technical/operational)
CorrectiveRemediate and restore after an incidentAfterRestore from backup, patch the flaw (technical); IPS session reset (technical)
CompensatingSubstitute when the primary control is infeasibleBefore (as an alternative)Segmentation or extra monitoring in place of an unavailable patch (technical)
DirectiveSteer behaviour through instructionBefore (ongoing)Acceptable-use policy, posted procedure (managerial)

Decision tree

Axis 1 — CATEGORY (assign exactly one) Who or what enforces it at the moment it acts? HW / SW / firmware Document / policy A person, a task Tangible barrier Technical firewall, MFA, ACL, IDS Managerial policy, risk assessment Operational guard, awareness training Physical fence, lock, mantrap, CCTV Axis 2 — TYPE (match the scenario's timing word) What does it do relative to the incident? stop / block before discourage / warn off detect / alert after recover / restore / remediate / fix policy / procedure / standard for staff Preventive firewall rule, lock, MFA Deterrent sign, visible guard Detective IDS, log review, CCTV Corrective restore backup, patch flaw Directive acceptable-use policy Compensating gate (only when a required primary control is infeasible) Is a required primary control genuinely infeasible (“cannot patch”, “in place of”, “as an alternative to”)? Yes No — just layering Compensating (segmentation, extra monitoring) NOT compensating — keep its own type

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Category and type are two independent axes

Every SY0-701 security control carries one category (who or what enforces it: technical, managerial, operational, or physical) and one type (what it does about an incident: preventive, deterrent, detective, corrective, compensating, or directive). The axes are orthogonal: re-stating a control's purpose never moves its category. A host firewall is technical and preventive; a recording CCTV camera is technical and detective; both stay technical whatever their type.

Trap Letting a control's type drag its category along: calling a CCTV camera "physical" because it watches a door, when CompTIA classes the hardware/software system as technical.

4 questions test this
Six control types map to the threat lifecycle

The six SY0-701 types track an incident across time: preventive stops it before it happens, deterrent discourages the attempt, detective discovers it during or after, corrective remediates and restores afterward, compensating substitutes when the required control can't be used, and directive steers behaviour through instruction. Pairing the missing stage to the scenario is the whole game: most stems hinge on before-vs-during-vs-after timing.

2 questions test this
Technical controls are enforced by hardware, software, or firmware

A control is technical (also called logical) when hardware, software, or firmware enforces it with no person needed at the moment it acts: firewall rules, ACLs, MFA enforcement, encryption, IDS/IPS, and antivirus all qualify. The mechanism runs itself once configured, which is what separates it from an operational control a human performs.

Trap Calling a technical control operational because a person configured or installed it - the category follows who enforces it at run time (the machine), not who set it up.

5 questions test this
Managerial controls are the policies and governance documents

Managerial (administrative) controls are the policies, standards, risk assessments, plans, and approval gates that govern the security program: a security policy, a background-check policy, or a change-management sign-off. The control is the document or decision itself, not whatever technology it tells the organization to deploy.

Trap Classifying a policy by the technology it mandates: a standard that requires a firewall is managerial; the firewall it calls for is technical.

7 questions test this
Operational controls are tasks people carry out

Operational controls are executed by people as part of day-to-day work: delivering security-awareness training, working a log-review shift, a guard checking badges, or an IR team running the runbook. Security-awareness training stays operational even though its subject is technical, because people deliver and consume it; the category follows who acts, not the topic.

Trap Marking security-awareness training technical because its subject matter is technical - the category follows who performs the control (people), making it operational.

6 questions test this
Physical controls are tangible real-world barriers

Physical controls are tangible barriers and devices in the real world: fences, locks, bollards, access-control vestibules, badge readers, fire suppression, and CCTV hardware. CompTIA treats access-control hardware at the door (a badge reader, for instance) as physical even though software drives it, because the enforcement object is a physical device at a physical boundary.

Trap Reclassifying a badge reader as technical because software drives it - CompTIA treats the device enforcing entry at a physical boundary as physical.

3 questions test this
Pick the type from the scenario's timing word

Match the stem's verb to the type: stop or block before → preventive; discourage, warn off, make them think twice → deterrent; detect, alert, discover, identify after the fact → detective; recover, restore, remediate, fix the damage → corrective; instead of a control you cannot implement → compensating; a policy or procedure telling staff what to do → directive. The verb the question emphasizes, not the device named, decides the type.

6 questions test this
Compensating means a substitute for a control you can't use

A compensating control is one employed in lieu of a required control, providing equivalent or comparable protection, typically because the primary control can't be implemented, such as isolating a legacy server on its own VLAN with extra monitoring when a vendor patch breaks the app. It is the most over-selected wrong answer, so the exam tell is explicit substitution language: "cannot patch right now," "the vendor no longer supports it," "in place of," "as an alternative to." Without that signal, a different type is correct.

Trap Reaching for compensating on any layered defense: without explicit "in lieu of" or "cannot implement the required control" language in the stem, it is over-selected and wrong.

7 questions test this
An extra layer is not automatically a compensating control

A control added purely for defense-in-depth, while the required primary control is present and working, is preventive, detective, or whatever it does in its own right, not compensating. Compensating applies only when the primary control is being substituted for; a second layer stacked on a functioning first layer never qualifies on that basis alone.

Trap Calling a redundant second layer compensating because it backs up the first - compensating requires substituting for an absent or infeasible primary control, not reinforcing a working one.

Directive controls instruct people what to do

Directive controls steer behaviour through instruction: an acceptable-use policy, a posted operating procedure, a standard staff must follow, or an onboarding requirement. The tell is language about telling people what is and isn't allowed; the answer is the instruction itself, not a technical mechanism that enforces it. A firewall blocking the traffic is technical/preventive, while the policy that says "don't use unauthorized apps" is directive.

Trap Picking the technical control that enforces a rule instead of the directive - the policy telling staff what to do is directive, while the firewall enforcing it is technical/preventive.

6 questions test this
Recording CCTV is detective, never preventive on its own

A closed-circuit camera is technical by category and stays that way. A camera that records for later review is detective; a prominently visible one meant to scare off intruders is deterrent. CCTV is never preventive by itself (recording an intrusion documents it but does nothing to stop it) so "CCTV = preventive" is a stock wrong answer.

Trap Calling a camera preventive: it records or deters but cannot physically block entry, so its type is detective or deterrent, not preventive.

A login banner or warning sign is deterrent, not preventive

A login banner warning of monitoring, a "Beware of dog" sign, or a no-trespassing sign only discourages. It does nothing to physically block, so its type is deterrent, not preventive. Contrast a lock, which physically stops entry and is therefore preventive; the test is whether the control stops the act or merely warns against it.

Trap Marking a warning banner or no-trespassing sign preventive - it only discourages and cannot stop the act, so its type is deterrent.

3 questions test this
Restore-from-backup and patching are corrective

Restoring from backup, patching the exploited flaw, and an IPS resetting a malicious session all act after the incident, so they are corrective, not preventive. CompTIA frames restoring from backup as corrective even though a backup arguably "prevents" permanent data loss. Reward the after-the-incident action the stem describes, not the backup's general purpose.

Trap Marking restore-from-backup as preventive because backups guard against data loss: the recovery action happens after the incident, making it corrective.

A policy that mandates a technical control is managerial

A policy or standard that requires a firewall is managerial: the document is the control. The firewall it calls for is technical. Classify the mandate by what it is (a governing document), never by the technology it happens to demand.

Trap Calling a standard technical because it mandates a firewall - the governing document is managerial regardless of the technology it requires.

Resolve multi-membership by the emphasised verb

Many real controls fit more than one type, so the category is usually fixed and the type follows the scenario's stated objective. A guard is always operational but reads as preventive (turning people away), deterrent (visibly patrolling), or detective (spotting an anomaly) depending on the sentence's emphasis. Anchor on the verb the stem stresses, and never default to compensating unless substitution language is explicit.

The taxonomy maps onto NIST SP 800-53 control families

The SY0-701 category/type vocabulary lines up with NIST SP 800-53 Rev. 5 control families: Physical and Environmental Protection ≈ physical; Access Control and System and Communications Protection ≈ technical preventive; Audit and Accountability ≈ technical detective; Contingency Planning and Incident Response ≈ corrective; Planning and Program Management policy families ≈ managerial/directive. The mapping is for understanding only: you don't need the two-letter family identifiers for SY0-701.

Defense in depth wants a deliberate mix of types

A program leaning entirely on preventive technical controls is brittle, and the exam-correct gap is usually missing detective controls (you can't see an incident you failed to prevent) and corrective controls (you can't recover from one). The right answer adds the absent lifecycle stage rather than stacking yet another preventive control on top of the ones already there.

Trap Answering a defense-in-depth gap with another preventive control: the missing piece is almost always the detective or corrective stage, not more prevention.

Also tested in

References

  1. CompTIA Security+ (SY0-701) certification
  2. Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)