Security control types — SY0-701
Learn security control types for CompTIA Security+ SY0-701: management, operational, technical, and compensating controls — grounded in NIST definitions.
WHAT IT IS
A security control is a safeguard or countermeasure prescribed for an information system or organization designed to protect the confidentiality, integrity, and availability of its information and meet defined security requirements. (NIST CSRC Glossary, security control, citing SP 800-53 Rev. 5 and SP 800-171r3.)
The NIST CSRC Glossary also defines security controls collectively as "management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system to protect confidentiality, integrity, and availability." These three terms name the recognized categories by which controls are organized.
A specialized variant — the compensating security control — is "a management, operational, and/or technical control employed by an organization in lieu of a recommended security control…that provides equivalent or comparable protection for an information system." (NIST CSRC Glossary, compensating security control.)
Mental model
Think of security controls as answers to one question: what are we doing to reduce a weakness or meet a security requirement? The NIST CSRC Glossary frames controls as "actions, devices, procedures, techniques, or other measures that reduce the vulnerability of an information system." That scope is deliberately wide — a policy document, a locked server room, and an encryption algorithm all qualify. The three NIST categories tell you who or what does the work:
| Category | Who or what executes it | Grounded definition (NIST CSRC Glossary) |
|---|---|---|
| Management | Risk and security program managers | "Focus on the management of risk and the management of information system security" |
| Operational | People | "Primarily implemented and executed by people (as opposed to systems)" |
| Technical | The information system itself | "Primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system" |
A compensating control can fall in any of these three categories (NIST defines it as a "management, operational, and/or technical control") and is distinguished by its purpose: it substitutes for a baseline control the organization cannot implement, while still providing equivalent or comparable protection.
When to use it
The exam tests whether you can correctly classify a described control. The key decision is recognizing who or what executes the safeguard (management vs. operational vs. technical) and whether a control is operating as a baseline measure or as a substitute (compensating).
| If the scenario describes… | Category to consider |
|---|---|
| A policy, risk assessment, or security plan | Management |
| A procedure carried out by personnel, such as security awareness training or a manual review | Operational |
| A hardware, software, or firmware mechanism operating within the system | Technical |
| A substitute safeguard deployed because the standard control cannot be implemented, providing equivalent protection | Compensating |
Note: NIST SP 800-53 has moved away from strict management/operational/technical classification, recognizing that controls do not always fit neatly into a single category. When a scenario involves overlapping characteristics, focus on the primary execution mechanism.
COMMON MISCONCEPTION
A common error is treating these three categories as mutually exclusive silos. A single security program element may have characteristics that span more than one category — the NIST CSRC Glossary for operational controls explicitly notes that NIST SP 800-53 has moved away from the management/operational/technical partition because controls do not always fit neatly. Candidates who apply rigid either/or reasoning may eliminate a correct answer.
A related trap is confusing the category (management, operational, technical) with the purpose a control serves at a given moment. The category describes who or what executes the control; the purpose (blocking an event, detecting it after the fact, restoring a system, or substituting for another control) is a separate dimension. Conflating them can lead to misclassifying a compensating control, which can belong to any category.
How it shows up on the exam
The cognitive target at Domain 1, Task 1.1 is application: given a description of a safeguard or countermeasure, select the correct control type. Signal phrases to watch for:
- "policy," "risk management," "security plan" — point toward management controls, which focus on managing risk.
- "training," "procedure," "personnel," "carried out by staff" — point toward operational controls, which are "primarily implemented and executed by people."
- "hardware," "software," "firmware," "automated mechanism" — point toward technical controls, implemented and executed "through mechanisms contained in the hardware, software, or firmware."
- "in lieu of," "substitute," "equivalent protection," "cannot implement" — point toward a compensating security control, deployed because the recommended baseline control is not feasible.
Candidates often find the management/operational boundary the hardest to distinguish. The reliable separator is execution: if a safeguard is carried out by people in their day-to-day roles, it is operational; if it exists to direct or oversee the security program at the risk-management level, it is management.
Related concepts
- Security control categories — the parallel dimension that classifies controls by the nature of the organizational function (administrative, physical, technical), distinct from the management/operational/technical execution axis.
- CIA triad — the three properties (confidentiality, integrity, availability) that security controls are defined to protect.
- Non-repudiation — a security property enforced by specific technical and operational controls, illustrating how control types serve concrete security objectives.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: