Domain 1 · 1.1 Security Controls

1.1.1 Categories of Controls

Technical, Managerial, Operational, Physical.

11 min

A security control is any safeguard — policy, procedure, technology, or physical mechanism — that reduces risk and protects the CIA Triad (Confidentiality, Integrity, Availability).

Security+ splits controls two ways: - Categories → *where / how* the control is implemented - Types → *what* the control is meant to accomplish

The four categories

  • Technical (logical) → enforced by hardware or software
  • Examples: firewalls, antivirus, encryption, ACLs, MFA, IDS, IPS
  • Managerial → governance and strategy from management
  • Examples: policies, risk assessments, compliance programs, audits
  • Operational → executed by people through day-to-day procedures
  • Examples: security awareness training, incident response, account reviews, backups, onboarding/offboarding
  • Physical → tangible protections for facilities and equipment
  • Examples: locks, fences, guards, CCTV, lighting, bollards, badges, biometric readers, mantraps

Quick recall

  • Technical = technology
  • Managerial = planning & governance
  • Operational = people & procedures
  • Physical = tangible protections