Security Controls: A Structured Taxonomy
By A. Northam • Published: 2 March 2026 • Updated: 23 April 2026
Security controls are safeguards designed to reduce risk. They support confidentiality, integrity, and availability by preventing incidents, detecting them quickly, or helping restore normal operations.
A structured taxonomy helps clarify how different controls relate to one another and how they contribute to a balanced security program.
On this page
- Classification by function
- Control taxonomy (diagram)
- Classification by nature
- Why function alone is not enough
- Controls and the CIA Triad
- CIA Triad mapping (diagram)
- Controls and Zero Trust
- Controls as risk treatment
- Questions and answers
- Recommended next reading
1. Classification by function
One of the most widely used ways to categorize controls is by their function: what they are intended to achieve in relation to an incident.
Preventive controls
Preventive controls aim to stop an incident before it occurs. They reduce the likelihood of unauthorized access, misuse, or disruption.
- Multi-factor authentication
- Encryption concepts (data at rest and in transit)
- Access control policies and role-based access
- Network segmentation
- Configuration baselines
Preventive controls are often the most visible, but they are not sufficient on their own. Even strong preventive measures can be bypassed or misconfigured.
Detective controls
Detective controls identify events after they occur or while they are in progress. They help organizations notice anomalies, suspicious activity, or failures.
- Security monitoring and alerting
- Intrusion detection systems
- Log analysis and audit trails
- File integrity monitoring
Detective controls reduce dwell time — the period between occurrence and awareness.
Corrective (or recovery) controls
Corrective controls help restore systems or reduce damage after an incident. They support continuity and resilience.
- Backups and restoration processes
- Disaster recovery planning
- Incident response procedures
- Patch management and remediation
Corrective controls assume that failures will occur and focus on restoring a trusted state.
See also: Prevent, Detect, Recover Explained
Control taxonomy (diagram)
2. Classification by nature
Another common taxonomy groups controls by their nature — administrative, technical, or physical. These categories describe how controls are implemented.
Administrative controls
Administrative controls are policies, procedures, and governance mechanisms that guide how security is managed.
- Security policies and standards
- Risk assessments
- Vendor and third-party management
- Training and awareness programs
These controls shape expectations and define how decisions are made.
Technical controls
Technical controls are technology-based protections implemented in systems, applications, or services.
- Encryption mechanisms
- Identity and Access Management (IAM)
- Endpoint protection
- Firewalls and filtering
Technical controls often receive the most attention, but they rely on administrative controls for direction and physical controls for support.
Physical controls
Physical controls limit physical access to systems, devices, and facilities.
- Locks and secure facilities
- Access badges and visitor management
- Environmental controls (temperature, humidity, fire suppression)
Physical controls are essential because many digital protections can be bypassed if an attacker gains direct physical access.
3. Why function alone is not enough
Classifying controls as preventive, detective, or corrective is useful, but real-world systems rely on layered combinations of controls. This is often described as defense in depth.
For example:
- Authentication (preventive)
- Logging and monitoring (detective)
- Incident response and recovery (corrective)
Together, these reduce both the likelihood and the impact of compromise.
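The three layers in that list can be run as one pipeline. The Python example below is added here and is not part of the original article: a preventive layer (password plus MFA check), a detective layer (a sliding-window count of failures per source, the kind of rule security monitoring applies to authentication logs), and a corrective layer (locking the targeted account). The user store, thresholds and event log are constructed for the example; the fourth event shows why the layers are needed together, since a correct credential submitted after the burst is still refused because the corrective layer has already acted.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed credential store (plaintext only to keep the example short).
USERS = {"alice": ("correct horse", "123456"), "bob": ("hunter2", "654321")}


@dataclass
class AuthEvent:
    ts: int        # seconds since the start of the constructed log
    user: str
    src: str       # source address
    password: str
    mfa: str


@dataclass
class Outcome:
    allowed: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    locked: set = field(default_factory=set)


def preventive_auth(ev: AuthEvent, locked: set) -> bool:
    """Preventive layer: password and MFA code must both match and the account must not be locked."""
    if ev.user in locked:
        return False
    return USERS.get(ev.user) == (ev.password, ev.mfa)


class FailureDetector:
    """Detective layer: flag a source that fails `threshold` times within `window` seconds."""

    def __init__(self, threshold: int = 3, window: int = 60):
        self.threshold, self.window = threshold, window
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures

    def record_failure(self, ev: AuthEvent) -> bool:
        q = self.failures[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()  # reset so one burst raises one alert
            return True
        return False


def corrective_lock(user: str, outcome: Outcome) -> None:
    """Corrective layer: lock the targeted account so further guesses are rejected."""
    outcome.locked.add(user)


def run_pipeline(events) -> Outcome:
    """Run each event through the three layers in order."""
    outcome, detector = Outcome(), FailureDetector()
    for ev in events:
        if preventive_auth(ev, outcome.locked):
            outcome.allowed.append((ev.ts, ev.user, ev.src))
            continue
        if detector.record_failure(ev):
            outcome.alerts.append(f"t={ev.ts}: repeated failures from {ev.src} against {ev.user}")
            corrective_lock(ev.user, outcome)
    return outcome


# Constructed event log: one legitimate user and a burst of wrong guesses against another.
SAMPLE_EVENTS = [
    AuthEvent(0, "alice", "10.0.0.5", "correct horse", "123456"),
    AuthEvent(10, "bob", "203.0.113.9", "guess1", "000000"),
    AuthEvent(20, "bob", "203.0.113.9", "guess2", "000000"),
    AuthEvent(30, "bob", "203.0.113.9", "guess3", "000000"),   # third failure: alert and lock
    AuthEvent(40, "bob", "203.0.113.9", "hunter2", "654321"),  # right credentials, but locked
    AuthEvent(50, "alice", "10.0.0.5", "correct horse", "123456"),
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_EVENTS)
    print(result.allowed, result.alerts, result.locked, sep="\n")
```

The corrective action here is deliberately simple. Locking the account is itself a control that can be turned into a denial of service against the legitimate user, so real deployments usually throttle the source first and reserve account lockout for review by the incident response process.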
4. Controls and the CIA Triad
Security controls support the objectives of the CIA Triad:
- Confidentiality → access controls, encryption, identity governance
- Integrity → validation mechanisms, change control, audit trails
- Availability → redundancy, backups, resilience planning
CIA Triad mapping (diagram)
5. Controls and Zero Trust
Zero Trust architectures rely heavily on preventive and continuous verification controls. The core idea is that no implicit trust is granted based on network location or past authentication.
- Strong authentication and continuous verification
- Least privilege access
- Micro-segmentation
- Monitoring of identity and device posture
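The difference between a location-based decision and a Zero Trust decision is easiest to see in code. The Python example below is added here and is not from the original article: it evaluates the same constructed requests under a perimeter model (trust anything from an assumed internal range) and under a Zero Trust model (ignore location; check MFA, session freshness, device posture and a least-privilege role policy on every request). The address range, policy, session limit and request values are all constructed assumptions. Micro-segmentation is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address range used by the perimeter model (constructed for this example).
CORPORATE_NET = ip_network("10.0.0.0/8")
MAX_SESSION_AGE = 900  # seconds after which a session must be re-verified

# Constructed least-privilege policy: role -> resource -> permitted actions.
POLICY = {
    "analyst": {"reports": {"read"}},
    "admin": {"reports": {"read", "write"}, "secrets": {"read"}},
}


@dataclass
class Request:
    user: str
    role: str
    src_ip: str
    mfa_verified: bool
    session_age_s: int
    device_compliant: bool  # posture signal, e.g. disk encrypted, endpoint agent healthy, patched
    resource: str
    action: str


def perimeter_decision(req: Request) -> bool:
    """Traditional model: a request is trusted because it arrives from inside the network."""
    return ip_address(req.src_ip) in CORPORATE_NET


def zero_trust_decision(req: Request) -> tuple:
    """Zero Trust model: location is ignored; identity, session freshness, device posture
    and least-privilege policy are all checked on every request. Returns (allowed, reasons)."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if req.session_age_s > MAX_SESSION_AGE:
        reasons.append("reverification_required")
    if not req.device_compliant:
        reasons.append("device_noncompliant")
    if req.action not in POLICY.get(req.role, {}).get(req.resource, set()):
        reasons.append("not_permitted_by_role")
    return (not reasons, reasons)


SAMPLE_REQUESTS = [
    # verified analyst, compliant device, inside the network, reading what the role permits
    Request("ana", "analyst", "10.1.2.3", True, 120, True, "reports", "read"),
    # inside the network, but no MFA and reaching beyond the analyst role
    Request("ana", "analyst", "10.1.2.3", False, 120, True, "secrets", "read"),
    # verified admin on a compliant device working from outside the network
    Request("adm", "admin", "198.51.100.7", True, 120, True, "secrets", "read"),
    # inside the network, but the session is stale and the device is non-compliant
    Request("adm", "admin", "10.9.8.7", True, 5000, False, "reports", "write"),
]


def compare(requests) -> list:
    """Side-by-side decisions: (perimeter_allows, zero_trust_allows, zero_trust_reasons)."""
    return [(perimeter_decision(r), *zero_trust_decision(r)) for r in requests]


if __name__ == "__main__":
    for req, decision in zip(SAMPLE_REQUESTS, compare(SAMPLE_REQUESTS)):
        print(req.user, req.src_ip, req.resource, req.action, "->", decision)
```

The second and fourth requests are the ones to look at: the perimeter model allows both purely because of the source address, while the Zero Trust model denies them and records why. The third request shows the reverse, a verified, compliant user refused by the perimeter model only for being outside the network.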
6. Controls as risk treatment
Security controls are one method of risk treatment. Others include:
- Risk acceptance — acknowledging a risk without additional controls
- Risk transfer — shifting risk through contracts or insurance
- Risk avoidance — discontinuing activities that create risk
Controls are most effective when chosen deliberately, based on realistic risks and operational constraints.
See: Risk Management Explained
This article is provided for educational purposes only and does not constitute legal, compliance, or professional security advice.
Questions and answers
Are more controls always better?
Not necessarily. Adding controls without clear purpose can create complexity, reduce usability, and introduce new failure points.
Do all organizations need the same controls?
No. Controls should match the organization’s size, risk profile, regulatory environment, and operational needs.
Is encryption a preventive or technical control?
Encryption is a technical control by nature and typically a preventive control by function.
How often should controls be reviewed?
Controls should be reviewed periodically — often annually or when systems, roles, or risks change.
Is Zero Trust a type of control?
Zero Trust is not a single control. It is an approach that uses many controls — especially identity, access, and monitoring controls.