Security Control Types Explained (Part 2) (Domain 1)

In this episode, we will continue our discussion of security control types by examining two more: detective controls and corrective controls. These controls come into play after an incident has either started or already occurred. While preventive and deterrent controls are about stopping something from happening, detective and corrective controls are about what to do when something has slipped through.
Let’s start with detective controls. These controls are designed to identify and report that a security incident has taken place. They do not stop the incident, but they help an organization become aware of it so that action can be taken quickly. Without detective controls, an attack or breach might go unnoticed for days, weeks, or even months.
One key tool in this category is the intrusion detection system. This system monitors network traffic or system behavior and sends alerts when it notices patterns that could indicate a threat. For example, if a user suddenly logs in from two distant locations within minutes, that behavior might trigger a detection alert. Intrusion detection systems help organizations spot anomalies in real time so that they can investigate and respond.
Audit logs are another important detective control. These logs keep records of user actions, system events, and security-related changes. For instance, they can show who accessed a sensitive file and when. Reviewing audit logs regularly can reveal unusual patterns, like repeated failed login attempts or changes to configuration settings that were not approved. These clues can lead to the discovery of an attack or internal misuse.
Surveillance cameras also function as detective controls when they are used to review footage after an event. For example, if a device goes missing from a secure area, camera footage can help determine who was present at the time. In some cases, surveillance may also detect unusual behavior in real time, such as someone trying to enter a restricted area without authorization.
The effectiveness of detective controls depends heavily on how quickly they trigger a response. An intrusion detection system that sends alerts immediately gives security teams a chance to act before the situation gets worse. On the other hand, a log file that is only reviewed once a month may not be helpful in catching fast-moving threats. Organizations often define thresholds and response plans that connect to these controls. For example, if an audit log shows that a critical file was accessed by an unauthorized user, the security team may be alerted automatically and begin containment steps.
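The three detective patterns the episode describes (a login from two distant locations within minutes, repeated failed login attempts, and an unauthorized user reading a critical file) written out as detection logic over an audit log. This is an added example, not code from the episode; the log entries, the thresholds, and the allowed-reader list are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: (timestamp, user, event, detail).
# For logins, detail is the source region; for file reads, the path.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "login_ok", "US"),
    ("2024-05-01T09:07:00", "alice", "login_ok", "SG"),   # two distant logins, 7 min apart
    ("2024-05-01T09:10:00", "bob", "login_fail", "US"),
    ("2024-05-01T09:10:20", "bob", "login_fail", "US"),
    ("2024-05-01T09:10:40", "bob", "login_fail", "US"),
    ("2024-05-01T09:11:00", "bob", "login_fail", "US"),
    ("2024-05-01T09:11:20", "bob", "login_fail", "US"),   # fifth failure in under 5 min
    ("2024-05-01T09:30:00", "carol", "file_read", "/finance/payroll.xlsx"),
    ("2024-05-01T09:31:00", "dave", "file_read", "/finance/payroll.xlsx"),  # not an allowed reader
]

# Constructed policy: critical files and the users allowed to read them.
CRITICAL_FILES = {"/finance/payroll.xlsx": {"carol"}}
FAIL_THRESHOLD = 5                     # failed logins that trigger an alert
FAIL_WINDOW = timedelta(minutes=5)     # sliding window for counting failures
TRAVEL_WINDOW = timedelta(minutes=30)  # two regions inside this window is suspicious

def detect(events):
    """Return (rule, user, detail) alerts for the three patterns above."""
    alerts = []
    last_login = {}              # user -> (time, region) of most recent successful login
    fails = defaultdict(list)    # user -> timestamps of recent failed logins
    for ts, user, event, detail in events:
        t = datetime.fromisoformat(ts)
        if event == "login_ok":
            prev = last_login.get(user)
            if prev and prev[1] != detail and t - prev[0] <= TRAVEL_WINDOW:
                alerts.append(("impossible_travel", user, f"{prev[1]}->{detail}"))
            last_login[user] = (t, detail)
        elif event == "login_fail":
            # Keep only failures still inside the window, then add this one.
            fails[user] = [f for f in fails[user] if t - f <= FAIL_WINDOW] + [t]
            if len(fails[user]) == FAIL_THRESHOLD:
                alerts.append(("brute_force", user, f"{FAIL_THRESHOLD} failures"))
        elif event == "file_read" and detail in CRITICAL_FILES:
            if user not in CRITICAL_FILES[detail]:
                alerts.append(("unauthorized_access", user, detail))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Each alert is the point at which a response plan would be invoked; the rules only report, they do not block anything, which is what makes them detective rather than preventive.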
That leads us to corrective controls. These controls come into play after a security incident has occurred. Their purpose is to fix the problem, restore normal operations, and reduce the impact of the event. In many cases, corrective controls are what allow an organization to bounce back after a security breach.
One common example is applying patches. If an attack exploited a known vulnerability, applying the correct software patch can prevent that same attack from happening again. Patches correct the weakness in the system and bring it up to date. In this way, the system is not only restored but also hardened against similar future threats.
System restoration is another example of a corrective control. After a ransomware attack or a system failure, restoring from a backup allows the organization to get back to work. This control is often part of a larger business continuity plan. The goal is to bring operations back online as quickly and safely as possible, while avoiding further damage.
Incident response procedures also fall into this category. These are structured steps that guide the organization’s actions after a breach has been detected. The procedure might include isolating affected systems, removing malicious files, notifying key stakeholders, and performing root cause analysis. Corrective controls work hand-in-hand with detective controls, because you cannot fix what you have not detected. Together, they form the core of incident response and recovery.
The critical importance of corrective controls becomes clear when you consider how much organizations depend on their systems and data. If a business cannot recover quickly, it may suffer financial loss, reputational damage, or even legal consequences. That is why corrective controls are central to business continuity. They ensure that, even in the face of a successful attack, the organization can recover, learn, and improve its defenses moving forward.
For the Security Plus exam, be ready to identify whether a control is detective or corrective. If the control is focused on discovering a problem, like log analysis or an intrusion detection system, it is detective. If it is about responding to the problem, like restoring systems or applying patches, then it is corrective. You may also be asked to evaluate a scenario and recommend the most appropriate type of control based on timing and purpose. Pay attention to the wording—look for signs that something has already happened, or that the goal is to discover suspicious activity as it unfolds.
