Compare Security Controls for Security+ (SY0-701)

Learn how Security+ classifies technical, managerial, operational, physical, preventive, detective, corrective, compensating, deterrent, and directive controls.

Security+ uses control language constantly, and weak answers often fail because they classify the control incorrectly before they ever evaluate the scenario. CompTIA is not just asking you to memorize labels. It wants you to identify what kind of control you are looking at, what outcome it is trying to create, and why one control family is stronger than another in context.

IDS / IPS: Intrusion detection and intrusion prevention systems for spotting or stopping suspicious network activity.

ACL: Access control list, a rule set that allows or denies traffic or access attempts.

What CompTIA is really testing

The current objectives expect you to compare control categories such as technical, managerial, operational, physical, preventive, detective, corrective, deterrent, compensating, and directive. In practice, that means you need to read a choice like “mandatory security awareness training” or “IPS rule update” and immediately recognize both its function and its control family.

The exam move behind the terminology

Security+ usually hides one extra judgment behind control labels:

  • which control is strongest for the stated goal
  • which control is operating at the right layer
  • whether the answer is describing the control’s form, its purpose, or both

That is why a policy, a firewall rule, a warning banner, and a recovery script can all be “controls” while solving very different problems.

Two control lenses matter

Security+ normally applies two overlapping lenses:

  1. What form does the control take? Technical, managerial, operational, or physical.
  2. What is the control trying to do? Prevent, detect, correct, deter, compensate, or direct.

You can describe the same control using both lenses. A badge reader is a physical control and usually a preventive control. A log-review process is an operational control and usually a detective control.

Control classification table

| Control type | What it usually means | Typical examples |
|---|---|---|
| Technical | Enforced by technology or system configuration | MFA, IDS/IPS, encryption, EDR, ACLs |
| Managerial | Driven by policy, governance, and oversight | risk register, policy, standards, approval board |
| Operational | Performed through people and process | incident runbooks, awareness training, job rotation |
| Physical | Protects facilities or physical assets | locks, fences, bollards, cameras, guards |

Functional control table

| Functional type | What it does | Typical examples |
|---|---|---|
| Preventive | Stops or reduces the chance of an event | MFA, allow-listing, network segmentation |
| Detective | Identifies that something happened | SIEM alert, camera review, tripwire |
| Corrective | Restores or fixes after an event | restoring from backup, reimaging a host |
| Deterrent | Discourages bad behavior | warning banners, visible cameras |
| Compensating | Substitutes when the ideal control is not possible | extra monitoring when a patch is delayed |
| Directive | Tells people what they must do | policies, procedures, standards |

Fast chooser table

| If the question is really asking… | Strongest control tendency |
|---|---|
| stop the event before it happens | preventive |
| notice or prove that it happened | detective |
| restore service or correct the state after it happened | corrective |
| define what people must do | directive |
| discourage misuse visibly | deterrent |
| cover a gap when the preferred control is unavailable | compensating |

Why the distinction matters

Security+ loves answer choices that all look “security-related” but solve different problems:

  • if the scenario says reduce the chance of compromise, a preventive control is usually stronger than a detective one
  • if the scenario says prove what happened, detective and logging controls matter more
  • if the scenario says the preferred control is not feasible, a compensating control may be the right answer

Small classification example

```yaml
control:
  form: operational
  function: directive
  example: incident-response playbook
```

What to notice:

  • one control can be described across both lenses
  • that is exactly the kind of distinction Security+ wants you to make quickly
  • many missed questions come from classifying a control by vibe instead of by purpose

Quick scenario pattern

If a company cannot patch a business-critical system immediately, “install the missing patch” is not yet an available answer in the real world. Security+ may then reward a compensating move such as tighter segmentation, additional monitoring, or restricting access until the corrective control can be applied.

Control stacking is normal

The best answer is often not one control. It is the correct layer of control:

  • directive: policy says privileged access needs MFA
  • technical: MFA is enforced on the admin portal
  • detective: failed MFA attempts create an alert
  • corrective: compromised accounts are disabled and reset

That layered model is why CompTIA expects you to know control categories instead of only product names.
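As an added example (not code from this page or from CompTIA), the following Python simulation walks through that same control stack, with each function labelled by both lenses; the policy values, usernames, and log format are constructed assumptions.

```python
# Added example: a toy simulation of a layered control stack.
# Policy values, account names and the log format are constructed, not real.
from collections import Counter

# Directive control (managerial form): policy says privileged access needs MFA.
POLICY = {"privileged_access_requires_mfa": True, "failed_mfa_alert_threshold": 3}


def admin_portal_login(user: dict, mfa_passed: bool) -> bool:
    """Technical / preventive: the admin portal enforces the MFA policy."""
    if user["role"] == "admin" and POLICY["privileged_access_requires_mfa"]:
        return mfa_passed  # admins without a passed MFA step are blocked
    return True


def failed_mfa_alerts(log_lines: list[str]) -> list[str]:
    """Technical / detective: alert when a user's failed MFA attempts reach
    the policy threshold. Constructed log format: 'user=<name> mfa=<ok|fail>'."""
    failures = Counter()
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        if fields.get("mfa") == "fail":
            failures[fields["user"]] += 1
    return [f"ALERT: {user} had {count} failed MFA attempts"
            for user, count in failures.items()
            if count >= POLICY["failed_mfa_alert_threshold"]]


def disable_and_reset(accounts: dict, alerts: list[str]) -> dict:
    """Corrective: disable every alerted account and flag it for a credential reset."""
    for alert in alerts:
        user = alert.split()[1]  # second token of "ALERT: <user> had ..."
        accounts[user] = {**accounts[user], "enabled": False, "reset_required": True}
    return accounts


# Constructed sample data
ACCOUNTS = {"alice": {"role": "admin", "enabled": True, "reset_required": False},
            "bob": {"role": "user", "enabled": True, "reset_required": False}}
SAMPLE_LOG = ["user=alice mfa=fail", "user=bob mfa=ok", "user=alice mfa=fail",
              "user=alice mfa=fail", "user=bob mfa=fail"]

if __name__ == "__main__":
    print(admin_portal_login(ACCOUNTS["alice"], mfa_passed=False))  # False: blocked
    alerts = failed_mfa_alerts(SAMPLE_LOG)                           # one alert for alice
    print(alerts)
    print(disable_and_reset({k: dict(v) for k, v in ACCOUNTS.items()}, alerts)["alice"])
```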

Harder scenario question

A hospital cannot patch a legacy imaging server immediately because vendor certification is still pending. Security staff add network restrictions, additional logging, and tighter access until the approved fix can be installed. Which label is strongest for those temporary measures?

A. Corrective only
B. Compensating controls
C. Physical controls
D. Deterrent controls

Best answer: B. The preferred corrective action is delayed, so the temporary measures are compensating controls that reduce risk until full remediation is possible.

Common traps

  • treating “managerial” as less important because it is not a device
  • assuming every alerting tool is preventive
  • confusing compensating with corrective
  • forgetting that physical controls still matter in exam scenarios involving data centers, devices, or offices

What strong answers usually do

  • classify the control before judging whether it fits the scenario
  • prefer the control that achieves the asked outcome, not the one that sounds most powerful
  • recognize that one control can be described by both form and function
  • accept layered answers when the prompt implies policy, tooling, detection, and recovery all matter


Continue with 1.2 Security Principles & Zero Trust to connect control classification to the principles those controls are trying to enforce.