Quick review: Security Controls – ISC2 CC

This review sheet helps you go over the main types of security controls and their role in reducing risk before taking the quiz.

What you really need to know

Security controls are measures used to reduce risk and protect systems, data, users and processes. For ISC2 CC, you need to understand that not all controls do the same thing: some prevent, others detect, others correct or reduce the impact of an incident.

A common mistake is thinking that a control is always a technical tool. In reality, a control can be technical, administrative or physical.

Key concepts

  • Preventive control: tries to prevent an incident from happening.
  • Detective control: detects events, anomalies or suspicious activity.
  • Corrective control: helps restore a situation after a problem.
  • Deterrent control: discourages unauthorized behavior.
  • Compensating control: reduces risk when the main control is not available or not sufficient.
  • Technical control: uses technology, systems or software.
  • Administrative control: concerns policies, procedures, training and management.
  • Physical control: protects environments, buildings, devices and physical access.

Differences not to confuse

Type of control | Main function
--------------- | -------------
Preventive      | Prevents or reduces the likelihood of an incident
Detective       | Detects events or suspicious activity
Corrective      | Helps recover after an incident
Deterrent       | Discourages unauthorized behavior
Compensating    | Reduces risk as an alternative to or support for other controls
Technical       | Uses technological tools
Administrative  | Uses rules, policies and processes
Physical        | Protects people, facilities and devices

Preventive controls

A preventive control is used to avoid a problem or reduce its likelihood.

Examples:

  • firewall;
  • multifactor authentication;
  • access control;
  • anti-phishing training;
  • system patching;
  • password policy.

For the ISC2 CC exam, you need to remember that a preventive control acts before the incident.

Detective controls

A detective control is used to identify suspicious activity, anomalies or incidents that are already in progress or have already occurred.

Examples:

  • IDS;
  • security logs;
  • SIEM systems;
  • monitoring alerts;
  • audit trail;
  • access review.

A detective control does not necessarily prevent the incident, but it allows it to be discovered and responded to.

Corrective controls

A corrective control is used to restore the situation after an incident or an error.

Examples:

  • backup;
  • disaster recovery;
  • configuration restore;
  • malware removal;
  • applying patches after a compromise;
  • incident response procedures.

A corrective control is important because no system is completely immune to incidents.

Deterrent controls

A deterrent control is used to discourage unwanted or unauthorized behavior.

Examples:

  • video surveillance signs;
  • disciplinary policies;
  • legal warnings;
  • visible badges;
  • cameras;
  • presence of guards.

The key point is that a deterrent control does not always physically block the action, but tries to dissuade someone who might perform it.

Compensating controls

A compensating control is used when the main control is not possible, not sufficient or must be supported by another control.

Example: if a legacy system does not support MFA, compensating controls such as network segmentation, stricter monitoring, IP restrictions and stronger access controls can be used to reduce the risk that MFA would otherwise have addressed.

A compensating control is not a random control: it must concretely reduce residual risk.

Technical, administrative and physical controls

Controls can also be classified according to their nature.

Technical controls use technology. Examples: firewall, antivirus, MFA, encryption, IDS, IPS.

Administrative controls concern rules and processes. Examples: security policies, training, procedures, risk assessment, onboarding and offboarding.

Physical controls protect environments and devices. Examples: locks, badges, cameras, gates, locked rack cabinets, building access control.

Practical examples to remember

Scenario                                       | Most likely control
---------------------------------------------- | -------------------
Blocking unauthorized traffic                  | Preventive / Technical
Detecting intrusion attempts                   | Detective / Technical
Restoring lost data                            | Corrective
Discouraging unauthorized access to a building | Deterrent / Physical
Defining corporate security rules              | Administrative
Using backups after ransomware                 | Corrective
Training users against phishing                | Preventive / Administrative
Using cameras at the entrance                  | Deterrent / Physical

Common quiz mistakes

  • Confusing preventive and detective controls.
  • Thinking that an IDS is preventive only because it relates to security.
  • Forgetting that a backup is a corrective control.
  • Confusing technical and administrative controls.
  • Thinking that physical controls are not part of cybersecurity.
  • Believing that a compensating control always eliminates risk completely.
  • Thinking that a deterrent control always physically blocks an attack.

Mini exam scenario

A company installs an IDS to receive alerts when suspicious traffic is detected on the network. This is a detective control, because it is used to detect potentially dangerous activity and generate alerts, not to block the traffic itself.

If instead the company uses a firewall to block unauthorized traffic before it reaches internal systems, that is a preventive control.

Mini checklist before the quiz

Before starting the quiz, you should be able to explain:

  • what a preventive control does;
  • what a detective control does;
  • what a corrective control does;
  • what deterrent control means;
  • when a compensating control is used;
  • the difference between technical, administrative and physical controls;
  • why backups are corrective controls;
  • why an IDS is detective and not preventive;
  • why multiple controls together reduce risk more effectively.

FAQ

What are security controls?

They are technical, administrative or physical measures used to reduce risk and protect systems, data, users and processes.

What is the difference between a preventive and a detective control?

A preventive control tries to stop an incident from happening. A detective control is used to detect events or suspicious activity.

What type of control is a backup?

A backup is mainly a corrective control, because it helps restore data and systems after an incident.

Is an IDS a preventive control?

No. An IDS is a detective control, because it detects suspicious activity and generates alerts. It usually does not directly block traffic.

What does compensating control mean?

It is a control used to reduce risk when the main control is not possible, not sufficient or must be supported by other measures.

Are physical controls part of cybersecurity?

Yes. Locks, badges, cameras and physical access controls protect critical systems, devices and environments.

Now test what you reviewed

After the review, start the quiz to check whether you really understand the key concepts.