Security Controls
The full category x type matrix, cell by cell
SY0-701 Objective 1.1 asks you to compare and contrast ten control words it names in one breath: "technical, preventive, managerial, deterrent, operational, detective, physical, corrective, compensating, and directive"[1], and the trick is seeing that they are not one flat list but two independent axes. The overview established that split: four categories (technical, managerial, operational, physical) crossed with six types (preventive, deterrent, detective, corrective, compensating, directive), so every control gets one label from each. This section fills in the full grid so you can place any control the exam throws at you into exactly one cell on each axis, with a concrete example for every combination that actually occurs. The matrix below lays out those two axes as a grid: the four categories run down the side, the six types across the top, and every control occupies exactly one cell.
Why every control needs both labels
The category answers how is this control implemented, and CompTIA pins each category to an implementer. Technical (sometimes called logical) controls are enforced by hardware, software, or firmware with no human in the loop at execution time. Managerial controls are administrative: they are the policies, risk assessments, and planning documents that govern the program. Operational controls are executed by people as part of day-to-day work. Physical controls are tangible barriers in the real world. The type answers what does this control do relative to an incident: stop it, discourage it, discover it, repair it, substitute for a missing control, or instruct people. Because the axes are orthogonal, the same purpose shows up across multiple categories, and the same category hosts multiple purposes.
The grid, with one worked example per realistic cell
| Preventive | Deterrent | Detective | Corrective | Compensating | Directive | |
|---|---|---|---|---|---|---|
| Technical | Firewall rule / ACL; MFA enforcement | Login banner warning of monitoring | IDS, SIEM alert, log review | IPS resets the session; restore from backup; patch the exploited flaw | Network segmentation while a patch is pending; extra monitoring | System-enforced password-policy prompt |
| Managerial | Pre-employment background check; security policy that mandates an architecture | Published sanction / disciplinary policy | Periodic access review; internal audit | Updated risk-treatment plan after an incident | Documented exception with added oversight | Acceptable-use policy; standards & procedures |
| Operational | Security-awareness training before access; guard who refuses tailgaters | Visible guard patrol | Guard watching CCTV; log monitoring shift | Incident-response team executing the runbook | Manual review step replacing an unavailable automated check | Posted operating procedure staff must follow |
| Physical | Locked door, bollard, mantrap, fence | "Beware of dog" / no-trespassing sign, visible fence | CCTV recording, motion sensor, door-contact alarm | Fire suppression discharging; backup generator starting | Security guard in place of a broken badge reader | Signage directing visitors to check in |
Read the grid as examples, not as the only valid answer per cell. A stem supplies the emphasis that fixes the type. The cells that trip people up are the duplicates, where one mechanism lands in several type columns of the same category row. A guard, for instance, sits in three operational cells at once (preventive, deterrent, and detective) and how to pick between them is Classifying any control on both axes (Step 4). CompTIA expects you to name the type the scenario stresses.
CCTV is the canonical "category fixed, type varies" trap
A closed-circuit camera is technical by category in CompTIA's framing (it is a hardware/software system), and that does not change. What changes is its type: a camera that merely records for later review is detective; a prominently visible camera meant to make attackers think twice is deterrent; it is never preventive on its own, because recording an intrusion does not stop it. The frequent wrong answer marks CCTV as preventive. Recognise that recording is after-the-fact discovery, so the type is detective (or deterrent if visibility is the point), never preventive.
Compensating is not "a second layer"
The single most over-selected wrong type is compensating. A compensating control is a deliberate substitute chosen because the required primary control genuinely cannot be implemented, for example, isolating a legacy server on its own VLAN with heightened monitoring because the vendor patch breaks the application. It is not just "another preventive control you added for depth." If the primary control is present and you are merely layering, the added control is preventive/detective/etc. in its own right, not compensating. The exam tell for compensating is explicit infeasibility language: "cannot patch right now," "the vendor no longer supports," "in place of," "as an alternative to."
Classifying any control on both axes
Given an arbitrary control, you should be able to assign its category and its type mechanically, then sanity-check the pair against how CompTIA frames the control families. This section is the four-step procedure plus the framework anchor; the figure below traces the same Step 1 to Step 4 path.
Step 1 - category from the implementer
Ask who or what enforces this at the moment it acts:
- Enforced by hardware/software/firmware with no person required at execution -> technical (firewall, MFA, encryption, ACL, IDS/IPS, antivirus).
- A document, policy, plan, or governance activity -> managerial (risk assessment, security policy, background-check policy, change-management approval gate).
- A person performing a task -> operational (awareness training delivery, log-review shift, incident-response execution, a guard's actions).
- A tangible real-world barrier or device -> physical (fence, lock, bollard, mantrap, badge reader, CCTV hardware, fire suppression).
Watchpoints: a policy that mandates a firewall is managerial (the document), while the firewall itself is technical. Awareness training is operational because people deliver and consume it, even though its subject is technical. A badge-reader system is physical (the door hardware) even though software drives it. CompTIA classifies access-control hardware at the door as physical.
Step 2 - type from the timing word
Ask what does it do relative to the incident, and match the scenario's verb:
| Scenario language | Type |
|---|---|
| "stop / block / prevent before it happens" | Preventive |
| "discourage / make them think twice / warn off" | Deterrent |
| "detect / alert / discover / identify after the fact" | Detective |
| "recover / restore / remediate / fix the damage" | Corrective |
| "instead of / cannot implement the required control, so we..." | Compensating |
| "policy / procedure / standard that tells staff what to do" | Directive |
Step 3 - cross-check against the control framework
The SY0-701 taxonomy is the security-industry vocabulary CompTIA tests, and it maps cleanly onto the catalog in NIST's Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)[2], which organises every control into named families such as Access Control, Audit and Accountability, Contingency Planning, Incident Response, and Physical and Environmental Protection. The mapping is intuitive: NIST's Physical and Environmental Protection family is where most CompTIA physical controls live; Access Control and System and Communications Protection hold technical preventive controls; Audit and Accountability holds technical detective controls; Contingency Planning and Incident Response hold corrective controls; and the Planning, Program Management, and policy families hold managerial/directive controls. You do not need the two-letter family identifiers for SY0-701, but recognising that a real control catalog spreads controls across the whole threat lifecycle reinforces why defense in depth wants a deliberate mix of types rather than a stack of preventive controls.
Step 4 - resolve multi-membership by emphasis
Many real controls satisfy more than one type. The rule is: the category is usually fixed, the type follows the scenario's stated objective. A guard is always operational; whether you label the guard preventive (turning people away at the gate), deterrent (visibly patrolling), or detective (spotting an anomaly) depends on the verb the sentence emphasises. A backup is always technical; it is preventive against data loss in principle but the exam almost always frames restoring from backup as corrective (it acts after the incident). When two types seem to fit, pick the one the verb in the stem emphasises. Treat the result as compensating only when it is a substitute for a primary control the scenario says is infeasible; otherwise it is not compensating and keeps the type it earned in Step 2.
Exam-pattern recognition for SY0-701 control questions
Objective 1.1 is part of Domain 1, which is 12% of the scored SY0-701 exam[1], and control-classification items follow a handful of repeatable shapes. Naming the pattern lets you answer on recognition rather than recall; each pattern just reuses the category step and type step from Classifying any control on both axes above.
Pattern 1 - "What category is this control?"
The stem names one mechanism and the four options are the categories (technical / managerial / operational / physical). Decide by the implementer (Step 1 above), and watch the two classic traps: (a) a policy that mandates a technical control is managerial, not technical (the document is the control, not the firewall it requires); (b) security-awareness training is operational, not technical, because people deliver and perform it. A fence, lock, or bollard is physical; encryption, ACLs, and MFA are technical.
Pattern 2 - "What type is this control?"
The stem names a mechanism plus its purpose, and the options are the six types. Match the timing word (Step 2 above). The highest-frequency distractors all dress an after-the-fact or warn-only control as preventive:
- CCTV / a camera offered as preventive -> wrong; recording is detective, visibility is deterrent (see the CCTV trap in The full category x type matrix).
- A login banner / warning sign offered as preventive -> wrong; it only discourages, so it is deterrent.
- Restore-from-backup or patch-the-flaw offered as preventive -> wrong; it acts after the incident, so it is corrective.
- Any "extra layer" offered as compensating when no primary control is infeasible -> wrong; it keeps its own type. Compensating needs the explicit "cannot implement the required control" / "in place of" language from The full category x type matrix.
Pattern 3 - "Pick the BEST control for this objective"
The stem states a goal and asks which control fits. Translate the goal into a type first, then a category, then to the specific option:
- "We need to discourage people from entering the data center" -> deterrent -> a visible sign or guard, not a lock (a lock is preventive).
- "We need to detect unauthorised changes" -> detective -> file-integrity monitoring / audit logging, not a firewall.
- "We cannot apply the vendor patch but must reduce exposure" -> compensating -> segmentation or added monitoring, explicitly because the patch (the primary control) is infeasible.
- "We need staff to know what is and is not allowed" -> directive -> an acceptable-use policy, not a technical block.
Pattern 4 - the "two correct-sounding" multi-membership item
The stem describes a guard, a camera, or a backup, and two of the six types both look right. Apply the Step 4 rule from Classifying any control on both axes: the category is fixed, so read the verb the stem emphasises to pick the type. A visible guard at the gate is deterrent; the same guard checking badges and turning people away is preventive; the same guard noticing and reporting an anomaly is detective. There is no single universally-correct type. A backup follows the same test: it is corrective when the scenario is about recovering after data loss, because the exam rewards the after-the-incident framing.
Pattern 5 - the framework / coverage question
A stem describes an environment that relies entirely on preventive technical controls and asks what is missing or weakest. The exam-correct instinct is defense in depth: a healthy program deliberately spans the threat lifecycle, so the gap is usually detective controls (you cannot see an incident you failed to prevent) and corrective controls (you cannot recover from one). This mirrors how the NIST SP 800-53 catalog[2] spreads controls across families covering identification, protection, detection, response, and recovery rather than concentrating them in one place. The wrong answer adds yet another preventive control; the right answer adds the missing lifecycle stage.
Control types: purpose, timing, and example
| Control type | Purpose | When it acts (vs. incident) | Example (with category) |
|---|---|---|---|
| Preventive | Stop an incident from occurring | Before | Firewall rule / ACL (technical); locked door (physical) |
| Deterrent | Discourage an attacker from attempting | Before | “Beware of dog” / trespassing sign (physical); visible patrol (operational) |
| Detective | Discover an incident in progress or afterward | During / after | IDS, log review (technical); CCTV monitoring (technical/operational) |
| Corrective | Remediate and restore after an incident | After | Restore from backup, patch the flaw (technical); IPS session reset (technical) |
| Compensating | Substitute when the primary control is infeasible | Before (as an alternative) | Segmentation or extra monitoring in place of an unavailable patch (technical) |
| Directive | Steer behaviour through instruction | Before (ongoing) | Acceptable-use policy, posted procedure (managerial) |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Category and type are two independent axes
Every SY0-701 security control carries one category (who or what enforces it: technical, managerial, operational, or physical) and one type (what it does about an incident: preventive, deterrent, detective, corrective, compensating, or directive). The axes are orthogonal: re-stating a control's purpose never moves its category. A host firewall is technical and preventive; a recording CCTV camera is technical and detective; both stay technical whatever their type.
Trap Letting a control's type drag its category along: calling a CCTV camera "physical" because it watches a door, when CompTIA classes the hardware/software system as technical.
4 questions test this
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Six control types map to the threat lifecycle
The six SY0-701 types track an incident across time: preventive stops it before it happens, deterrent discourages the attempt, detective discovers it during or after, corrective remediates and restores afterward, compensating substitutes when the required control can't be used, and directive steers behaviour through instruction. Pairing the missing stage to the scenario is the whole game: most stems hinge on before-vs-during-vs-after timing.
2 questions test this
- Technical controls are enforced by hardware, software, or firmware
A control is technical (also called logical) when hardware, software, or firmware enforces it with no person needed at the moment it acts: firewall rules, ACLs, MFA enforcement, encryption, IDS/IPS, and antivirus all qualify. The mechanism runs itself once configured, which is what separates it from an operational control a human performs.
Trap Calling a technical control operational because a person configured or installed it - the category follows who enforces it at run time (the machine), not who set it up.
5 questions test this
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- A security team reviews two detective systems in its data center environment: CCTV cameras monitoring the server room entrance and a…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Managerial controls are the policies and governance documents
Managerial (administrative) controls are the policies, standards, risk assessments, plans, and approval gates that govern the security program: a security policy, a background-check policy, or a change-management sign-off. The control is the document or decision itself, not whatever technology it tells the organization to deploy.
Trap Classifying a policy by the technology it mandates: a standard that requires a firewall is managerial; the firewall it calls for is technical.
7 questions test this
- A company adopts a risk management framework that requires departments to identify, assess, and report risks to executive leadership…
- A CISO publishes a risk management framework that defines how security risks must be identified, assessed, and treated across the…
- A security manager performs a comprehensive risk assessment to evaluate threats and vulnerabilities across the organization's…
- An organization's security policy requires all employees to complete annual phishing awareness training. The security operations team…
- An organization's CISO selects the NIST Risk Management Framework to guide enterprise-wide risk identification, assessment, and control…
- The CISO publishes an updated acceptable use policy (AUP) that specifies how employees must handle corporate data and use company systems.…
- A security manager uses the NIST Risk Management Framework to conduct a formal risk assessment, document identified threats and…
- Operational controls are tasks people carry out
Operational controls are executed by people as part of day-to-day work: delivering security-awareness training, working a log-review shift, a guard checking badges, or an IR team running the runbook. Security-awareness training stays operational even though its subject is technical, because people deliver and consume it; the category follows who acts, not the topic.
Trap Marking security-awareness training technical because its subject matter is technical - the category follows who performs the control (people), making it operational.
6 questions test this
- An organization has the following security controls in place: A) A board-approved information security policy; B) Daily security log…
- During an audit, a security analyst reviews a documented procedure that guides the security operations center through specific steps for…
- A company delivers quarterly phishing simulation exercises to all employees to help them recognize social engineering attacks before a real…
- A security team delivers quarterly phishing simulation exercises to all employees, teaching them to identify and report suspicious emails…
- A security team conducts monthly classroom sessions teaching employees to recognize social engineering attacks, handle data properly, and…
- An organization's security policy requires all employees to complete annual phishing awareness training. The security operations team…
- Physical controls are tangible real-world barriers
Physical controls are tangible barriers and devices in the real world: fences, locks, bollards, access-control vestibules, badge readers, fire suppression, and CCTV hardware. CompTIA treats access-control hardware at the door (a badge reader, for instance) as physical even though software drives it, because the enforcement object is a physical device at a physical boundary.
Trap Reclassifying a badge reader as technical because software drives it - CompTIA treats the device enforcing entry at a physical boundary as physical.
3 questions test this
- A security team reviews two detective systems in its data center environment: CCTV cameras monitoring the server room entrance and a…
- During a risk assessment, a security engineer must classify two controls: a perimeter firewall blocking unauthorized traffic, and a…
- A data center uses proximity badge readers at entry doors and deploys an inline IPS on the core network switch. Which pair of…
- Pick the type from the scenario's timing word
Match the stem's verb to the type: stop or block before → preventive; discourage, warn off, make them think twice → deterrent; detect, alert, discover, identify after the fact → detective; recover, restore, remediate, fix the damage → corrective; instead of a control you cannot implement → compensating; a policy or procedure telling staff what to do → directive. The verb the question emphasizes, not the device named, decides the type.
6 questions test this
- A security team monitors completion rates of mandatory security awareness training and reports employees who missed the deadline to…
- A company delivers quarterly phishing simulation exercises to all employees to help them recognize social engineering attacks before a real…
- A company configures a deny-by-default firewall at its network perimeter that blocks all unauthorized inbound connections. How should this…
- A data center administrator installs a next-generation firewall at the network perimeter to block all unauthorized inbound traffic based on…
- A security team delivers quarterly phishing simulation exercises to all employees, teaching them to identify and report suspicious emails…
- A security team conducts monthly classroom sessions teaching employees to recognize social engineering attacks, handle data properly, and…
- Compensating means a substitute for a control you can't use
A compensating control is one employed in lieu of a required control, providing equivalent or comparable protection, typically because the primary control can't be implemented, such as isolating a legacy server on its own VLAN with extra monitoring when a vendor patch breaks the app. It is the most over-selected wrong answer, so the exam tell is explicit substitution language: "cannot patch right now," "the vendor no longer supports it," "in place of," "as an alternative to." Without that signal, a different type is correct.
Trap Reaching for compensating on any layered defense: without explicit "in lieu of" or "cannot implement the required control" language in the stem, it is over-selected and wrong.
7 questions test this
- During a compliance audit, an assessor evaluates an alternative control deployed because the organization has a documented technical…
- A payment card processor operates a legacy mainframe that cannot support the encryption algorithm required by its compliance framework. The…
- An organization's security policy mandates biometric scanners for server room access, but installation is delayed by six months. In the…
- During a PCI DSS assessment, an auditor finds that a legacy point-of-sale terminal cannot support the required multifactor authentication…
- Which statement BEST describes the defining characteristic that differentiates compensating controls from deterrent and directive control…
- During a compliance audit, an organization demonstrates that its legacy mainframe cannot support required password complexity standards.…
- A company's legacy point-of-sale system cannot support the encryption standard required by PCI DSS. The security team deploys additional…
- An extra layer is not automatically a compensating control
A control added purely for defense-in-depth, while the required primary control is present and working, is preventive, detective, or whatever it does in its own right, not compensating. Compensating applies only when the primary control is being substituted for; a second layer stacked on a functioning first layer never qualifies on that basis alone.
Trap Calling a redundant second layer compensating because it backs up the first - compensating requires substituting for an absent or infeasible primary control, not reinforcing a working one.
- Directive controls instruct people what to do
Directive controls steer behaviour through instruction: an acceptable-use policy, a posted operating procedure, a standard staff must follow, or an onboarding requirement. The tell is language about telling people what is and isn't allowed; the answer is the instruction itself, not a technical mechanism that enforces it. A firewall blocking the traffic is technical/preventive, while the policy that says "don't use unauthorized apps" is directive.
Trap Picking the technical control that enforces a rule instead of the directive - the policy telling staff what to do is directive, while the firewall enforcing it is technical/preventive.
6 questions test this
- A regulatory body mandates that all financial institutions maintain a written information security program and requires employees to follow…
- An organization publishes a mandatory policy requiring all employees to store work documents exclusively on company-approved cloud…
- An organization's acceptable use policy instructs employees to lock workstations when unattended and prohibits connecting personal devices…
- A CISO publishes a mandatory standard requiring all employees to use approved encrypted channels when transmitting sensitive data and to…
- The CISO publishes an updated acceptable use policy (AUP) that specifies how employees must handle corporate data and use company systems.…
- An organization distributes a mandatory acceptable use policy requiring all employees to use only approved software, access corporate…
- Recording CCTV is detective, never preventive on its own
A closed-circuit camera is technical by category and stays that way. A camera that records for later review is detective; a prominently visible one meant to scare off intruders is deterrent. CCTV is never preventive by itself (recording an intrusion documents it but does nothing to stop it) so "CCTV = preventive" is a stock wrong answer.
Trap Calling a camera preventive: it records or deters but cannot physically block entry, so its type is detective or deterrent, not preventive.
- A login banner or warning sign is deterrent, not preventive
A login banner warning of monitoring, a "Beware of dog" sign, or a no-trespassing sign only discourages. It does nothing to physically block, so its type is deterrent, not preventive. Contrast a lock, which physically stops entry and is therefore preventive; the test is whether the control stops the act or merely warns against it.
Trap Marking a warning banner or no-trespassing sign preventive - it only discourages and cannot stop the act, so its type is deterrent.
3 questions test this
- A company places signs outside its server room that read 'RESTRICTED AREA — All Activity Monitored — Unauthorized Access Subject to…
- A security manager installs prominent signs at all facility entrances warning that the premises are under 24-hour video surveillance and…
- A company displays a banner on all workstation login screens stating that unauthorized access is prohibited and that all user activity is…
- Restore-from-backup and patching are corrective
Restoring from backup, patching the exploited flaw, and an IPS resetting a malicious session all act after the incident, so they are corrective, not preventive. CompTIA frames restoring from backup as corrective even though a backup arguably "prevents" permanent data loss. Reward the after-the-incident action the stem describes, not the backup's general purpose.
Trap Marking restore-from-backup as preventive because backups guard against data loss: the recovery action happens after the incident, making it corrective.
- A policy that mandates a technical control is managerial
A policy or standard that requires a firewall is managerial: the document is the control. The firewall it calls for is technical. Classify the mandate by what it is (a governing document), never by the technology it happens to demand.
Trap Calling a standard technical because it mandates a firewall - the governing document is managerial regardless of the technology it requires.
- Resolve multi-membership by the emphasised verb
Many real controls fit more than one type, so the category is usually fixed and the type follows the scenario's stated objective. A guard is always operational but reads as preventive (turning people away), deterrent (visibly patrolling), or detective (spotting an anomaly) depending on the sentence's emphasis. Anchor on the verb the stem stresses, and never default to compensating unless substitution language is explicit.
- The taxonomy maps onto NIST SP 800-53 control families
The SY0-701 category/type vocabulary lines up with NIST SP 800-53 Rev. 5 control families: Physical and Environmental Protection ≈ physical; Access Control and System and Communications Protection ≈ technical preventive; Audit and Accountability ≈ technical detective; Contingency Planning and Incident Response ≈ corrective; Planning and Program Management policy families ≈ managerial/directive. The mapping is for understanding only: you don't need the two-letter family identifiers for SY0-701.
- Defense in depth wants a deliberate mix of types
A program leaning entirely on preventive technical controls is brittle, and the exam-correct gap is usually missing detective controls (you can't see an incident you failed to prevent) and corrective controls (you can't recover from one). The right answer adds the absent lifecycle stage rather than stacking yet another preventive control on top of the ones already there.
Trap Answering a defense-in-depth gap with another preventive control: the missing piece is almost always the detective or corrective stage, not more prevention.