Control Categories and Functions

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of risk management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Risk management problem space and management flow

  • Definitions, terminology, and types of risks

  • Control Categories and Functions

  • Cost-Benefit Assessment

  • General Risk Assessment Model

  • Overall Control Objectives

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.




Now, as we mentioned before, controls tend to be considered proactive: things that we put in place in an attempt to prevent threats from having their effect and bad consequences from occurring. They fall into three general categories. The first is administrative, or managerial, which embodies our governance documentation: policies, procedures, standards, baselines, guidelines, et cetera. These describe the behaviors, conditions and states that we are going to follow.

The second is technical, or logical: the methods, techniques and mechanisms that we employ to support the administrative controls, and which are often direct implementations of them. These can be hardware, software or firmware in nature. The third is physical, or operational: locks, lighting, guards and other measures that affect the places and spaces where we will be doing our business. Within each of these three high-level categories we have different control functions.

Now, these control functions typically fall into four areas. The first is preventive, which disallows or prevents a threat from having an impact against our asset. Within preventive we also find the deterrent. A true preventive control is something that actually stops something from happening; a deterrent only discourages. Its effect can be anything from strong to weak, but it is treated as part of the preventive category.

Then we have detective. This provides an alerting function, and it may in fact be a secondary function of a preventive control: the preventive element hopefully stops whatever is attempting to penetrate, while the detective element alerts us that the attempt is taking place. Then we have corrective.

Now, corrective enables the adjustment or resetting of misconfigurations on a micro scale. Recovery, a subset of the corrective type, is somewhat larger in scope: it can be considered the kind of control we use to restore a system on a macro scale, but it remains part of the overall corrective family of control functions. And then we have compensating.

Now, these are blended alternatives to direct controls. They are used in the many places where the direct option would produce a secondary but unfavorable effect that we may not be able to tolerate. By using a combination of preventive, detective and corrective measures, drawn from the administrative, technical or physical areas and applied together, we can achieve the primary effect that we want without the secondary effect that we cannot accept. For example, where blocking a legacy interface outright would break a business process that still depends on it, restricting who can reach it, logging and alerting on its use, and planning its removal can together compensate for the preventive control we cannot yet apply directly.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his standing as a professional educator, and since 1998 has trained and certified nearly 8500 CISSP candidates, and since 2004 nearly 2500 in HIPAA compliance certification. Mr. Leo is an ISC2 Certified Instructor.