Security Controls: A Structured Taxonomy
By A. Northam • Published: 2 March 2026 • Updated: 2 March 2026
Security controls are safeguards designed to reduce risk. They exist to protect confidentiality, integrity, and availability by preventing, detecting, or responding to threats.
Understanding how controls are categorized helps clarify how a security program is structured.
1. Classification by Function
Preventive Controls
Designed to stop an incident before it occurs.
- Multi-factor authentication
- Encryption
- Access control policies
- Network segmentation
Detective Controls
Designed to identify events after they occur or while they are in progress.
- Security monitoring
- Intrusion detection systems
- Log analysis
Corrective (or Recovery) Controls
Designed to restore systems or reduce damage after an incident.
- Backups and disaster recovery
- Incident response procedures
- Patch management
See also: Prevent, Detect, Recover Explained
2. Classification by Nature
Administrative Controls
Policies, procedures, and governance mechanisms.
- Security policies
- Risk assessments
- Vendor management programs
Technical Controls
Technology-based protections implemented in systems.
- Encryption
- Identity & Access Management
- Endpoint protection
Physical Controls
Protections that limit physical access to systems and infrastructure.
- Locks and secure facilities
- Access badges
- Environmental controls
3. Preventive vs Detective vs Corrective Is Not Enough
Real-world systems rely on layered combinations of controls. This is often described as defense in depth.
For example:
- Authentication (preventive)
- Logging (detective)
- Incident response (corrective)
Together, these reduce both the likelihood and the impact of compromise.
4. Controls and the CIA Triad
- Confidentiality → access controls, encryption
- Integrity → validation mechanisms, change control
- Availability → redundancy, backups, resilience planning
5. Controls and Zero Trust
Zero Trust architectures rely heavily on preventive and continuous verification controls.
See: Zero Trust Explained
6. Controls as Risk Treatment
Security controls are one method of risk treatment. Others include risk acceptance, transfer, or avoidance.
See: Risk Management in Digital Security
This article is provided for educational purposes only and does not constitute legal, compliance, or professional security advice.