Types of Security Controls: Categories and Functions

Security controls are the safeguards you put in place to reduce risk. There are a lot of them, but they sort cleanly along two axes: how a control is implemented, and what it is meant to do. Understanding both is the difference between a checklist and a defensible program.

Security controls | 4 categories | 6 functions | With examples | 4 min read | Updated Jun 2026

A single control usually has one category and one or more functions. A camera is a physical control by category, and a detective control by function, and it can deter an attacker at the same time.

Controls by category

Controls by category (how they are implemented)
  • Technical. Hardware or software mechanisms in digital systems. Examples: firewalls, intrusion prevention systems, encryption.
  • Managerial. Administrative policies, guidelines, and procedures focused on governance. Examples: risk assessments, security awareness training, written policies.
  • Operational. Human-led, day-to-day security activities. Examples: security guards, log reviews, media destruction.
  • Physical. Tangible barriers that protect physical spaces. Examples: bollards, fences, locks, motion sensors.

Categories describe how a control is implemented. There are four.

Controls by function

Function | What it does | Example
Preventive | Stops an event from occurring | Firewall rules, security guards
Deterrent | Discourages an attacker from trying | Warning signs, lighting
Detective | Identifies and records an event | IDS, CCTV
Corrective | Mitigates damage and restores systems | Patching, restoring from backup
Compensating | An alternative when the primary control is not feasible | Segmenting a legacy server into a private network
Directive | Instructs and guides behavior | Acceptable Use Policy

Functions describe what a control is meant to accomplish. The same category can serve different functions.

Insight: Auditors and frameworks speak in both axes at once. When you can say a control is “technical and preventive” or “operational and detective,” you can show coverage across the full range instead of stacking three controls that all do the same job.
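The coverage check described above can be run against a control inventory. The following is an added example, not part of the original article: it tags each control on both axes, then reports functions no control performs and cells where three or more controls do the same job. The inventory is constructed sample data, and pairings the article does not state (such as log reviews being detective) are assumptions.

```python
from collections import defaultdict

CATEGORIES = ("technical", "managerial", "operational", "physical")
FUNCTIONS = ("preventive", "deterrent", "detective", "corrective",
             "compensating", "directive")

# Constructed sample inventory: (control, category, functions). Pairings the
# article does not state (e.g. log reviews as detective) are assumptions.
INVENTORY = [
    ("Firewall rules", "technical", {"preventive"}),
    ("IPS", "technical", {"preventive"}),
    ("Encryption", "technical", {"preventive"}),
    ("IDS", "technical", {"detective"}),
    ("CCTV", "physical", {"detective", "deterrent"}),
    ("Security guards", "operational", {"preventive"}),
    ("Log reviews", "operational", {"detective"}),
    ("Acceptable Use Policy", "managerial", {"directive"}),
    ("Restore from backup", "operational", {"corrective"}),
]

def coverage(inventory):
    """Map each (category, function) cell to the controls tagged with it."""
    matrix = defaultdict(list)
    for name, category, functions in inventory:
        unknown = set(functions) - set(FUNCTIONS)
        if category not in CATEGORIES or not functions or unknown:
            raise ValueError(f"bad tags on {name!r}")
        for function in functions:
            matrix[(category, function)].append(name)
    return dict(matrix)

def uncovered_functions(inventory):
    """Functions that no control in the inventory performs."""
    covered = {function for _, function in coverage(inventory)}
    return [f for f in FUNCTIONS if f not in covered]

def stacked(inventory, threshold=3):
    """Cells where `threshold` or more controls do the same job."""
    return {cell: sorted(names)
            for cell, names in coverage(inventory).items()
            if len(names) >= threshold}

if __name__ == "__main__":
    print("No control performs:", uncovered_functions(INVENTORY))
    for (category, function), names in stacked(INVENTORY).items():
        print(f"Stacked {category}/{function}:", ", ".join(names))
```

On the sample data the gap is the compensating function, and the stacked cell is technical/preventive.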

Key takeaways
  • Categories describe how a control is built: technical, managerial, operational, and physical.
  • Functions describe what a control does: preventive, deterrent, detective, corrective, compensating, and directive.
  • A compensating control is an alternative used when the primary control is not feasible.
  • One control can have a category and several functions at once.

Frequently asked questions

What are the categories of security controls?

By how they are implemented: technical, managerial, operational, and physical.

What are the functional types of controls?

By what they do: preventive, deterrent, detective, corrective, compensating, and directive.

What is a compensating control?

An alternative measure used when the primary control is not feasible. For example, segmenting a legacy server into a private network when it cannot be patched.

Can one control be more than one type?

Yes. A control has a category (how it is built) and one or more functions (what it does). A camera is a physical, detective control that can also be a deterrent.

Written and reviewed by Tech Jacks Solutions Security Practice. Information security and GRC practitioners.
Primary source: CompTIA Security+ body of knowledge. Last reviewed June 2026.
