Compare Security Controls for Security+ (SY0-701)

Learn how Security+ classifies technical, managerial, operational, physical, preventive, detective, corrective, compensating, deterrent, and directive controls.

Security+ uses control language constantly, and weak answers often fail because the test-taker classifies the control incorrectly before ever evaluating the scenario. CompTIA is not just asking you to memorize labels. It wants you to identify what kind of control you are looking at, what outcome it is trying to create, and why one control family is stronger than another in context.

IDS / IPS: Intrusion detection and intrusion prevention systems for spotting or stopping suspicious network activity.

ACL: Access control list, a rule set that allows or denies traffic or access attempts.

What CompTIA is really testing

The current objectives expect you to compare control categories such as technical, managerial, operational, physical, preventive, detective, corrective, deterrent, compensating, and directive. In practice, that means you need to read a choice like “mandatory security awareness training” or “IPS rule update” and immediately recognize both its function and its control family.

The exam move behind the terminology

Security+ usually hides one extra judgment behind control labels:

  • which control is strongest for the stated goal
  • which control is operating at the right layer
  • whether the answer is describing the control’s form, its purpose, or both

That is why a policy, a firewall rule, a warning banner, and a recovery script can all be “controls” while solving very different problems.

Two control lenses matter

Security+ normally applies two overlapping lenses:

  1. What form does the control take? Technical, managerial, operational, or physical.
  2. What is the control trying to do? Prevent, detect, correct, deter, compensate, or direct.

You can describe the same control using both lenses. A badge reader is a physical control and usually a preventive control. A log-review process is an operational control and usually a detective control.

Control classification table

| Control type | What it usually means | Typical examples |
| --- | --- | --- |
| Technical | Enforced by technology or system configuration | MFA, IDS/IPS, encryption, EDR, ACLs |
| Managerial | Driven by policy, governance, and oversight | risk register, policy, standards, approval board |
| Operational | Performed through people and process | incident runbooks, awareness training, job rotation |
| Physical | Protects facilities or physical assets | locks, fences, bollards, cameras, guards |

Functional control table

| Functional type | What it does | Typical examples |
| --- | --- | --- |
| Preventive | Stops or reduces the chance of an event | MFA, allow-listing, network segmentation |
| Detective | Identifies that something happened | SIEM alert, camera review, tripwire |
| Corrective | Restores or fixes after an event | restoring from backup, reimaging a host |
| Deterrent | Discourages bad behavior | warning banners, visible cameras |
| Compensating | Substitutes when the ideal control is not possible | extra monitoring when a patch is delayed |
| Directive | Tells people what they must do | policies, procedures, standards |

Fast chooser table

| If the question is really asking… | Strongest control tendency |
| --- | --- |
| stop the event before it happens | preventive |
| notice or prove that it happened | detective |
| restore service or correct the state after it happened | corrective |
| define what people must do | directive |
| discourage misuse visibly | deterrent |
| cover a gap when the preferred control is unavailable | compensating |

Why the distinction matters

Security+ loves answer choices that all look “security-related” but solve different problems:

  • if the scenario says reduce the chance of compromise, a preventive control is usually stronger than a detective one
  • if the scenario says prove what happened, detective and logging controls matter more
  • if the scenario says the preferred control is not feasible, a compensating control may be the right answer

Small classification example

  control:
    form: operational
    function: directive
    example: incident-response playbook

What to notice:

  • one control can be described across both lenses
  • that is exactly the kind of distinction Security+ wants you to make quickly
  • many missed questions come from classifying a control by vibe instead of by purpose

Quick scenario pattern

If a company cannot patch a business-critical system immediately, “install the missing patch” is not yet an available answer in the real world. Security+ may then reward a compensating move such as tighter segmentation, additional monitoring, or restricting access until the corrective control can be applied.

Control stacking is normal

The best answer is often not one control. It is the correct layer of control:

  • directive: policy says privileged access needs MFA
  • technical: MFA is enforced on the admin portal
  • detective: failed MFA attempts create an alert
  • corrective: compromised accounts are disabled and reset

That layered model is why CompTIA expects you to know control categories instead of only product names.
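The four-layer stack above, modelled in code as an added example that is not part of the original page: a directive layer (the policy as data), a technical/preventive layer (the portal refuses privileged logins without MFA), a detective layer (a log review that alerts on repeated MFA failures), and a corrective layer (the flagged account is disabled and queued for a credential reset). All names, the policy values, and the authentication log lines are constructed for this illustration.

```python
"""Added example: the directive -> technical -> detective -> corrective stack
described in the text. Every identifier here is hypothetical."""
from collections import Counter
from dataclasses import dataclass

# Directive control: the policy statement. In practice this lives in a policy
# document; it is data here so the technical layer can enforce it directly.
POLICY = {"mfa_required_for_roles": {"admin"}, "max_failed_mfa": 3}


@dataclass
class Account:
    name: str
    role: str
    enabled: bool = True
    credential_reset_pending: bool = False


# Technical / preventive control: a privileged login without completed MFA is
# refused no matter whether the password was correct.
def authorize_login(account: Account, password_ok: bool, mfa_ok: bool) -> str:
    if not account.enabled:
        return "denied:disabled"
    if not password_ok:
        return "denied:password"
    if account.role in POLICY["mfa_required_for_roles"] and not mfa_ok:
        return "denied:mfa"
    return "allowed"


# Detective control input: constructed authentication log lines.
AUTH_LOG = [
    "2024-01-01T09:00:01 user=alice result=denied:mfa",
    "2024-01-01T09:00:07 user=alice result=denied:mfa",
    "2024-01-01T09:00:15 user=alice result=denied:mfa",
    "2024-01-01T09:00:20 user=alice result=denied:mfa",
    "2024-01-01T09:05:00 user=bob result=allowed",
    "2024-01-01T09:06:00 user=bob result=denied:mfa",
]


def parse_log_line(line: str) -> dict:
    """Turn the 'key=value' tokens after the timestamp into a dict."""
    fields = line.split()
    record = {"ts": fields[0]}
    for token in fields[1:]:
        key, _, value = token.partition("=")
        record[key] = value
    return record


# Detective control: count MFA failures per user and flag anyone at or above
# the threshold the policy sets.
def detect_mfa_failures(log_lines, threshold=None) -> list:
    threshold = POLICY["max_failed_mfa"] if threshold is None else threshold
    failures = Counter()
    for line in log_lines:
        rec = parse_log_line(line)
        if rec.get("result") == "denied:mfa":
            failures[rec["user"]] += 1
    return sorted(user for user, n in failures.items() if n >= threshold)


# Corrective control: disable the flagged account and force a credential reset,
# returning the account to a known-good state.
def remediate(account: Account) -> Account:
    account.enabled = False
    account.credential_reset_pending = True
    return account


def run_stack(accounts: dict) -> dict:
    """Wire the layers together; report which accounts remain enabled."""
    for user in detect_mfa_failures(AUTH_LOG):
        if user in accounts:
            remediate(accounts[user])
    return {name: acct.enabled for name, acct in accounts.items()}


if __name__ == "__main__":
    registry = {"alice": Account("alice", "admin"), "bob": Account("bob", "admin")}
    print(run_stack(registry))  # alice is disabled, bob stays enabled
```

Notice that each layer can be described with both lenses: `POLICY` is managerial in form and directive in function, `authorize_login` is technical and preventive, `detect_mfa_failures` is operational when a person runs it and detective in purpose, and `remediate` is corrective. Removing any one layer leaves a gap the others do not cover, which is the point the stacking section makes.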

Harder scenario question

A hospital cannot patch a legacy imaging server immediately because vendor certification is still pending. Security staff add network restrictions, additional logging, and tighter access until the approved fix can be installed. Which label is strongest for those temporary measures?

A. Corrective only
B. Compensating controls
C. Physical controls
D. Deterrent controls

Best answer: B. The preferred corrective action is delayed, so the temporary measures are compensating controls that reduce risk until full remediation is possible.

Common traps

  • treating “managerial” as less important because it is not a device
  • assuming every alerting tool is preventive
  • confusing compensating with corrective
  • forgetting that physical controls still matter in exam scenarios involving data centers, devices, or offices

What strong answers usually do

  • classify the control before judging whether it fits the scenario
  • prefer the control that achieves the asked outcome, not the one that sounds most powerful
  • recognize that one control can be described by both form and function
  • accept layered answers when the prompt implies policy, tooling, detection, and recovery all matter


Continue with 1.2 Security Principles & Zero Trust to connect control classification to the principles those controls are trying to enforce.