What Are Cyber security Control Functions and Types? A Simple Explanation
December 16th, 2025
Cybersecurity Control Types and Control Functions
Cybersecurity controls are safeguards designed to reduce risk, protect systems, and ensure the confidentiality, integrity, and availability of information. To understand how controls work, they are commonly categorized in two different ways:
Control Types – How the control is implemented (Technical, Operational, or Administrative)
Control Functions – What the control is intended to do (Detective, Preventive, etc.)
Understanding both helps organizations design layered, effective security programs.
Cybersecurity Control Types
Control types describe the nature of the control itself. The three most widely accepted control types are Administrative, Technical, and Operational. Administrative controls (sometimes referred to as “managerial controls”) are policy and process driven controls that guide organizational decision making and human behavior. Examples of administrative controls include the organization’s incident response plan, security policies and standards, security awareness training mandates, and risk assessments. Administrative controls are policy and process oriented, are regularly documented and reviewed, and are foundational to governance and compliance.
Operational controls are the daily operations carried out by members of an organization. Examples of operational controls include activity logging and monitoring, change management activities, incident response activities, physical security activities, and recovery and backup processes. Operational controls are people driven and further characterized by depending on human execution, human capabilities, and support from technical and administrative controls.
Technical controls are technology-based solutions that enforce security automatically. Examples of technical controls include firewalls, intrusion detection systems, intrusion prevention systems, and encryption. Technical controls are often automated, scalable, enforce administrative controls, and require monitoring, maintenance, and configuration.
Cybersecurity Control Functions
Control functions describe the purpose or outcome of a control, regardless of type. In this article we are going to cover five of the main security control functions.
The 5 security functions are:
Preventive controls- Preventive controls stop incidents before they occur (least privilege access policies).
Detective controls- Detective controls identify incidents that have already occurred or are in progress (IDS alerts).
Deterrent controls- Deterrent controls discourage malicious activity by increasing the perceived risk of carrying out such activity (visible surveillance cameras and warning banners).
Corrective controls- Corrective controls limit damage and restore systems after an incident (incident response procedures and data backup and recovery processes).
Compensating controls- Compensating controls provide alternative protection when a primary control is not feasible (Network segmentation when patching is delayed).
How to remember the definitions and differences
Control Types = Form (policy, people, technology)
Control Functions = Purpose (prevent, detect, correct, deter, make up for)
Final thoughts
Strong security programs use layered controls across all types and functions, ensuring that no single failure leads to compromise. When designing or evaluating security controls, ask two key questions:
How is this control implemented? (Type)
What security outcome does it achieve? (Function)
Answering both helps ensure coverage, reduces gaps, and improves risk communication across the organization.
— Ben Skinner