Introduction

In today's digital world, organizations must protect their systems, networks, and sensitive data from different types of cyber threats. To achieve this, companies use multiple layers of protection known as security controls.

Security controls are an important part of cybersecurity because they help organizations prevent attacks, detect suspicious activity, reduce risks, and protect valuable information. These controls also support company policies and improve the overall security environment.

In this chapter, we will explore different types of security controls used in cybersecurity, including technical, managerial, operational, and physical controls. We will also understand the difference between preventive, deterrent, detective, corrective, compensating, and directive controls.

Understanding these concepts is important because organizations rely on these controls every day to secure their environments and reduce security risks.

Real-World Example

A company may use:

  • Firewalls to block unauthorized access
  • CCTV cameras to monitor physical areas
  • Security policies to guide employees
  • Backup systems to recover lost data

All of these are examples of security controls working together to improve security.

Control Categories

The four main control categories are technical, managerial, operational, and physical controls. Each category focuses on a different area of security within an organization and helps improve protection, efficiency, and compliance.

In this section, we will understand the first category: technical controls.

Technical Controls

Technical controls are security measures that use technology to protect systems, networks, software, and data from cyber threats.

The main goal of technical controls is to:

  • Reduce vulnerabilities
  • Prevent unauthorized access
  • Protect sensitive information
  • Improve overall system security

Organizations use technical controls to strengthen their technical infrastructure and reduce security risks.

Examples of Technical Controls

Firewalls

Firewalls are security tools used to protect computer networks from unauthorized access. They monitor incoming and outgoing network traffic and help block suspicious or harmful connections.

Example: If a hacker tries to access a company's internal server, the firewall can block the malicious connection and prevent unauthorized access.
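
The blocking behaviour described above, as an added example that is not part of the original chapter: a small rule evaluator showing the first-match, default-deny logic that packet-filtering firewalls commonly use. The rule set, the addresses and the `evaluate` function are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form
    dst: str              # destination network in CIDR form
    port: Optional[int]   # destination TCP port, None means any port


# Constructed rule set: private and documentation address ranges only.
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),     # public HTTPS to the web server
    Rule("allow", "10.0.2.0/24", "10.0.5.20/32", 5432),  # app tier to the internal database
    Rule("allow", "10.0.9.0/24", "10.0.0.0/16", 22),     # admin subnet SSH to internal hosts
]


def evaluate(src_ip, dst_ip, dst_port, rules=RULES):
    """Return (action, index of matching rule or None).

    Rules are checked top to bottom and the first match wins. A connection
    that matches no rule is denied, so anything not explicitly allowed is blocked.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(rules):
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, dst_port)):
            return rule.action, index
    return "deny", None


if __name__ == "__main__":
    # An outside host trying to reach the internal database directly is blocked.
    print(evaluate("203.0.113.50", "10.0.5.20", 5432))
    # The application tier is allowed to reach the same database.
    print(evaluate("10.0.2.15", "10.0.5.20", 5432))
```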

Data Encryption

Encryption converts readable data into coded information so unauthorized users cannot understand it.

Even if attackers intercept the data, they cannot read it without the correct decryption key.

Example: When users enter login credentials on an online banking website, encryption helps protect usernames and passwords during transmission.

Technical controls are an important part of cybersecurity because they help organizations secure systems, protect sensitive data, and reduce the chances of cyberattacks.

Managerial Controls

Managerial controls are security measures created and managed by an organization's management team to reduce risks and guide employees.

These controls include policies, procedures, planning, and monitoring activities that help employees follow organizational goals and security requirements.

The main purpose of managerial controls is to:

  • Reduce organizational risks
  • Improve decision-making
  • Guide employee activities
  • Support security and compliance

Managerial controls help organizations maintain a structured and secure working environment.

Examples of Managerial Controls

Performance Reviews

Performance reviews are regular evaluations of employee performance. They help management provide feedback, set goals, and identify areas that need improvement.

Example: A security analyst's performance review may identify weaknesses in incident handling and recommend additional cybersecurity training.

Risk Assessments

Risk assessments help organizations identify, evaluate, and reduce potential security risks.

They help management:

  • Identify vulnerabilities
  • Understand possible threats
  • Measure risk impact
  • Create mitigation strategies

Example: A company may conduct a risk assessment before moving sensitive data to the cloud to identify possible security concerns.

Code of Conduct

A code of conduct is a set of rules and ethical guidelines that employees must follow inside an organization.

It helps:

  • Promote professional behavior
  • Reduce misconduct
  • Improve security awareness

Example: A company's code of conduct may prohibit employees from sharing passwords or installing unauthorized software on company devices.

Managerial controls are important because they help organizations create security policies, manage risks, and guide employees toward secure and responsible behavior.

Operational Controls

Operational controls focus on the day-to-day activities and processes that keep an organization running smoothly. These controls are mainly carried out by people inside the organization to ensure security, efficiency, and proper execution of tasks.

The main purpose of operational controls is to:

  • Maintain daily security operations
  • Improve productivity and efficiency
  • Ensure policies are properly followed
  • Reduce human-related security risks

Operational controls are important because they directly involve employees and real-time security actions.

Examples of Operational Controls

Incident Response Procedures

Incident response procedures define a step-by-step process for handling security incidents or cyberattacks.

They help organizations:

  • Detect security incidents
  • Respond quickly
  • Reduce damage
  • Restore normal operations

Example: If a company detects ransomware on a system, the incident response procedure will guide the security team to isolate the infected device, remove the malware, and recover data from backups.

Security Awareness Training

Security awareness training teaches employees about cyber threats, safe practices, and company security policies.

It helps:

  • Reduce human errors
  • Improve threat awareness
  • Promote safe behavior

Example

Employees are trained to recognize phishing emails so they do not accidentally click malicious links or share sensitive information.

User Access Management

User access management controls who can access systems, applications, and data within an organization.

It includes:

  • Creating user accounts
  • Assigning permissions
  • Removing access when no longer needed
  • Regular access reviews

Example

When an employee leaves a company, their access to company systems is immediately removed to prevent unauthorized access.
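
A regular access review of the kind listed above, as an added example that is not part of the original chapter: it compares an account export against an HR roster and flags enabled accounts whose owner has left, that have no owner, or that have gone unused. The sample data, the field names and the 90-day threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data: an HR roster export and a directory account export.
HR_ROSTER = {
    "E100": {"name": "A. Rivera", "status": "active"},
    "E101": {"name": "B. Chen", "status": "terminated"},
    "E102": {"name": "C. Okafor", "status": "active"},
}
ACCOUNTS = [
    {"user": "arivera", "employee_id": "E100", "enabled": True, "last_login": date(2024, 5, 28)},
    {"user": "bchen", "employee_id": "E101", "enabled": True, "last_login": date(2024, 4, 2)},
    {"user": "cokafor", "employee_id": "E102", "enabled": True, "last_login": date(2024, 1, 10)},
    {"user": "svc-old", "employee_id": None, "enabled": True, "last_login": date(2023, 11, 3)},
    {"user": "dpatel", "employee_id": "E099", "enabled": False, "last_login": date(2023, 9, 1)},
]


def review_access(accounts, roster, today, stale_days=90):
    """Return {user: [findings]} for enabled accounts that need action."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled, nothing left to revoke
        issues = []
        owner = roster.get(acct["employee_id"])
        if owner is None:
            issues.append("no owner in HR roster")
        elif owner["status"] != "active":
            issues.append("owner terminated: disable now")
        if (today - acct["last_login"]).days > stale_days:
            issues.append(f"no login for more than {stale_days} days")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(ACCOUNTS, HR_ROSTER, date(2024, 6, 1)).items():
        print(f"{user}: {'; '.join(issues)}")
```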

Operational controls are essential because they ensure that security policies are properly executed in real-world daily operations and help protect the organization from human and technical risks.

Physical Controls

Physical controls focus on protecting an organization's tangible assets, buildings, equipment, and physical locations. These controls are designed to prevent unauthorized physical access, improve safety, and reduce security risks inside and outside a facility.

The main purpose of physical controls is to:

  • Prevent unauthorized entry
  • Protect physical assets and infrastructure
  • Improve on-site safety
  • Support overall security systems

Physical controls are a key part of cybersecurity because many attacks can start with physical access to systems.

Examples of Physical Controls

Access Control Vestibule

An access control vestibule is a small, secure entry area with two doors. A person must pass through one door before the second door opens.

This creates a controlled buffer zone for security checks.

Example

An employee must scan their ID card before entering a secure data center, ensuring only authorized personnel gain access.

Biometric Locks

Biometric locks use unique human features such as fingerprints, face recognition, or iris scans for access control.

Example

A server room only opens after fingerprint verification of authorized IT staff.

Security Guards / Personnel

Security guards monitor entry points and ensure only authorized individuals enter restricted areas.

They also respond to suspicious activity and enforce security policies.

Example

A guard stops an unknown person from entering a restricted IT operations room without proper identification.

Security Fences

Security fences act as physical barriers to prevent unauthorized access to a facility.

They can be strengthened with additional protections like barbed wire.

Example

A company's data center is surrounded by fencing to prevent intruders from physically accessing critical infrastructure.

CCTV Surveillance Systems

CCTV cameras monitor and record activities in important areas such as entrances, hallways, and parking zones.

Example

Security teams review CCTV footage to investigate unauthorized access attempts.

Mantraps

A mantrap is a controlled entry system where only one person can enter at a time using two interlocking doors.

Example

Only one employee can enter the secure server room after successful authentication, preventing tailgating.

Vehicle Barriers

Vehicle barriers control or block unauthorized vehicles from entering restricted areas.

Example

A company uses automatic gates to prevent unauthorized vehicles from entering its data center premises.

Tamper-Evident Seals

These seals show visible signs if someone tries to open or access a secured object.

Example

A sealed server box shows visible damage if someone tries to open it without permission.

Panic Buttons / Alarms

Panic buttons allow employees to quickly alert security teams in case of emergencies.

Example

An employee presses a panic button if they notice an unauthorized person inside a secure facility.

Physical controls are essential because they protect the physical layer of security, ensuring that attackers cannot bypass systems by simply gaining physical access.

Control Types

Control types are an important part of cybersecurity and management systems. They help organizations reduce risks, protect assets, and ensure that operations run smoothly.

Each control type has a different purpose in preventing, detecting, or responding to security issues.

Preventive Controls

Preventive controls are designed to stop problems before they happen.

They reduce the chance of security incidents by blocking or minimizing threats in advance.

Example

  • Firewalls blocking unauthorized network access
  • Employee security training to avoid mistakes
  • Access control lists (ACLs) restricting permissions

Deterrent Controls

Deterrent controls are used to discourage people from attempting harmful actions.

They create fear of consequences or detection.

Example

  • Warning signs in secure areas
  • Surveillance cameras
  • Strong password policies

Detective Controls

Detective controls are used to identify and detect security incidents after they happen.

They help organizations find suspicious activity quickly.

Example

  • Security log monitoring
  • Financial audits
  • SIEM systems

Corrective Controls

Corrective controls are used to fix problems after a security issue occurs.

They help restore systems and reduce damage.

Example

  • System backups
  • Software patching
  • Malware removal

Compensating Controls

Compensating controls are alternative security measures used when primary controls are not possible.

Example

  • Extra approval steps for transactions
  • Backup authentication methods
  • Increased monitoring

Cybersecurity Example

If biometric login is unavailable, a company uses OTP-based authentication instead.

Directive Controls

Directive controls provide rules, instructions, and guidelines for users and employees.

Example

  • Security policies
  • Standard operating procedures (SOPs)
  • Code of conduct

Cybersecurity Example

A company policy instructs employees not to share passwords or install unauthorized software.

Summary

In this chapter, we explored the main control categories used to maintain security, efficiency, and stability within an organization.

We learned that:

  • Technical controls use technology to protect systems, networks, and data
  • Managerial controls define policies, procedures, and governance to guide decision-making
  • Operational controls support day-to-day security activities and processes
  • Physical controls protect physical assets, buildings, and infrastructure

All of these control categories work together to form a strong security framework. This combination helps organizations reduce risks, prevent security incidents, and maintain a safe working environment.

Understanding these concepts is important because they form the foundation of Security+ SY0-701 Exam Objective 1.1 and help build a strong base for more advanced cybersecurity topics.

Exam Objective 1.1

Compare and contrast various types of security controls.

Categories of security controls:

  • Technical controls: Technology-based measures such as firewalls and encryption
  • Managerial controls: Policies, procedures, and guidelines for security management
  • Operational controls: Day-to-day security practices such as monitoring and access management
  • Physical controls: Measures to safeguard physical assets and premises

Types of security controls:

  • Preventive controls: Aimed at preventing security incidents
  • Deterrent controls: Intended to discourage potential attackers
  • Detective controls: Focused on identifying and detecting security incidents
  • Corrective controls: Implemented after an incident to mitigate the impact
  • Compensating controls: Alternative measures to compensate for inadequate primary controls
  • Directive controls: Policies or regulations providing specific guidance
