Explain the categories of security controls and give examples of each.
Short answer
Controls are classified two ways. By type: administrative (policies, training, procedures), technical/logical (firewalls, MFA, encryption), and physical (locks, badges, cameras). By function: preventive (stop an event — MFA, access control), detective (find an event — SIEM, IDS, audit logs), corrective (fix after — restore from backup, patch), deterrent (discourage — warning banners), and compensating (an alternative when the primary control isn't feasible). Defence in depth layers these so no single control failure leads to compromise.
Classifying controls is foundational GRC vocabulary. Interviewers ask it to confirm you can map a real safeguard to its purpose — which is exactly what you do when designing a control framework or filling a gap found in an audit.
Classifying by type
This describes what kind of thing the control is:
- Administrative (managerial) — policies, standards, procedures, risk assessments, security awareness training, background checks.
- Technical (logical) — firewalls, MFA, encryption, access control lists, IDS/IPS, endpoint protection.
- Physical — locks, fences, badge readers, mantraps, CCTV, guards.
Classifying by function
This describes what the control does in the timeline of an event:
- Preventive — stops an incident before it happens (access control, MFA, input validation).
- Detective — identifies an incident in progress or after (SIEM, IDS, audit logs, file-integrity monitoring).
- Corrective — restores systems after an incident (restoring from backup, applying a patch, re-imaging).
- Deterrent — discourages an actor from attempting (warning banners, visible cameras, sanctions policy).
- Compensating — an alternative safeguard used when the primary control is not feasible, providing comparable protection (e.g. heightened monitoring where you cannot patch a legacy system).
Layering them
A single control will fail eventually. Defence in depth layers preventive, detective, and corrective controls across administrative, technical, and physical types so one failure does not lead to compromise.
Why this matters
The clearest signal is a candidate who can place a given safeguard in both classifications and explain compensating controls correctly — these come up constantly in audit findings and risk-treatment decisions.
Likely follow-ups
- When would you use a compensating control instead of the primary one?
- Give an example of one technology that acts as both detective and corrective.
- How do these categories support a defence-in-depth strategy?