
Security Control Categories: Administrative, Preventive, Detective, Corrective, and Compensating

Administrative, preventive, detective, corrective, and compensating controls work together to reduce risk without turning security into theater.

Author: Nick DiVito

Review status: Current / Reviewed Jun 6, 2026

Tags: Security Controls, Governance, Risk Management

Security controls are how an organization turns security intent into real behavior.

A policy by itself does not stop much. A tool by itself does not explain why it exists. A dashboard by itself does not reduce risk if nobody knows what to do with the alert. Useful security comes from controls working together.

There are several ways to categorize controls. For a practical security program, these five categories are a good starting point: administrative, preventive, detective, corrective, and compensating.

Administrative controls

Administrative controls are the governance layer. They tell people what the organization expects and how decisions should be made.

Examples include policies, standards, procedures, training, risk acceptance processes, vendor review processes, and access approval workflows.

These controls can feel less exciting than technical tools, but they matter. If nobody owns access reviews, an identity tool will not magically create accountability. If there is no incident procedure, a logging platform will not know who to wake up.

Preventive controls

Preventive controls try to stop a problem before it happens.

Examples include multi-factor authentication, least privilege access, patching, secure configuration, network segmentation, endpoint protection, and blocking known-bad traffic.

Preventive controls are important, but they are not magic. They reduce the odds of a bad event. They do not remove the need to monitor, respond, and improve.

Detective controls

Detective controls help the organization notice when something has gone wrong or when behavior is drifting from what was expected.

Examples include logging, alerting, endpoint detection, file integrity monitoring, vulnerability scanning, audit review, and suspicious login detection.

The trap here is collecting logs nobody reads. A detective control should have an owner, a review rhythm, and a response path. Otherwise it is just expensive noise.
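To make the "owner, review rhythm, response path" point concrete, here is an added example (not code from the article or its author) of a small detective control: it parses constructed sshd-style authentication lines, flags a source that fails logins repeatedly inside a short window, escalates when a success follows the burst, and attaches the control's owner and response path to every alert so the output is actionable rather than noise. The hostnames, addresses, thresholds, owner and runbook text are all hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical host and documentation-range addresses).
SAMPLE_LOG = """\
Jun 06 02:14:01 app01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 06 02:14:03 app01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jun 06 02:14:05 app01 sshd[2311]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jun 06 02:14:08 app01 sshd[2311]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jun 06 02:14:10 app01 sshd[2311]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jun 06 02:14:12 app01 sshd[2311]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jun 06 09:30:44 app01 sshd[4102]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jun 06 09:31:02 app01 sshd[4102]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5            # failures from one source inside the window (assumed tuning)
WINDOW = timedelta(seconds=60)

# The control's metadata: who reads the alerts, how often, and what happens next (constructed values).
CONTROL = {
    "name": "ssh-bruteforce-detection",
    "owner": "platform-security@example.com",
    "review_rhythm": "weekly review of alert volume and false positives",
    "response_path": "page on-call; disable the account and block the source per the IR runbook",
}


def parse_line(line, year=2026):
    """Parse one sshd auth line into a dict; return None for lines this control does not model."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog lines carry no year, so one is assumed for timestamp arithmetic.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source whose failures reach `threshold` inside `window`.

    Severity is 'high' when a successful login from the same source follows the burst,
    otherwise 'medium'. Each alert carries the owner and response path from CONTROL.
    """
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["outcome"] == "Failed"]
        # Sliding window: from each failure, extend while later failures stay inside the window.
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = fails[j]["ts"]
                success = next((e for e in evs
                                if e["outcome"] == "Accepted" and e["ts"] >= burst_end), None)
                alerts.append({
                    "control": CONTROL["name"],
                    "src": src,
                    "host": fails[i]["host"],
                    "failures": j - i + 1,
                    "first_failure": fails[i]["ts"].isoformat(),
                    "success_after": success["user"] if success else None,
                    "severity": "high" if success else "medium",
                    "owner": CONTROL["owner"],
                    "response_path": CONTROL["response_path"],
                })
                break  # one alert per source; real pipelines would also deduplicate over time
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running the block on the sample flags 203.0.113.7 (five failures in nine seconds followed by an accepted root login) and ignores the single failure from 198.51.100.20. The threshold and window are the knobs the control's owner tunes during the review rhythm; the `response_path` field is what stops the alert from being "expensive noise".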

Corrective controls

Corrective controls help the organization recover after something fails.

Examples include backup restoration, password resets, account disablement, malware removal, patch deployment, system rebuilds, and incident response procedures.

Corrective controls are where planning meets reality. If the backup has never been restored, it is not much of a recovery control yet. If nobody knows who can disable an account after hours, the procedure is still theoretical.

Compensating controls

Compensating controls are alternative safeguards used when the preferred control is not feasible.

They should not be a loophole or a hand wave. A compensating control needs a reason, an owner, and enough strength to reduce the risk in a credible way.

For example, if a legacy system cannot support modern MFA, the organization might isolate it, restrict access, increase logging, review access more frequently, and document the exception. That does not make the legacy system ideal. It makes the risk visible and managed.

Choosing controls without making a mess

Before adding a control, ask practical questions:

  • What risk is this control supposed to reduce?
  • Who owns it?
  • How will it be implemented?
  • How will we know it is working?
  • What breaks if it fails?
  • Does it conflict with another process?
  • What evidence would show it is operating?

Security programs get brittle when controls are added without purpose. A good control should support the business, reduce risk, and produce enough evidence to be trusted.

Summary

No single category does the whole job. Administrative controls guide the program. Preventive controls reduce the chance of trouble. Detective controls show when something is wrong. Corrective controls help recover. Compensating controls manage exceptions honestly.

The goal is not to collect controls. The goal is to build a security program that behaves well under pressure.
