Preventive, Detective, and Corrective Controls: Types Explained with Examples
Security and risk controls fall into three types: preventive (stop events from occurring), detective (identify events that occur), and corrective (limit damage after an event). Learn how each type works, how they reduce risk, and how to build a balanced control set.
Every control in your security and risk program does one of three jobs: it prevents a risk event from happening, detects when one has occurred, or corrects the damage after the fact. Understanding which type a control is — and what dimension of risk it reduces — is essential for accurate residual risk scoring and effective control design.
The Three Control Types
Preventive Controls
Preventive controls reduce the likelihood of a risk event occurring. They act before the event, making it harder or impossible for the threat to succeed.
How they affect risk: re-score residual likelihood downward.
Examples:
| Control | Risk Addressed | How It Prevents |
|---|---|---|
| Multi-factor authentication (MFA) | Unauthorized access | Requires second factor even with stolen password |
| Firewall rules | Network intrusion | Blocks unauthorized traffic before it reaches systems |
| Encryption at rest | Data exposure | Data is unreadable without keys even if accessed |
| Security awareness training | Phishing, social engineering | Reduces employee susceptibility to attacks |
| Code review / SAST | Vulnerable code deployment | Catches vulnerabilities before production |
| Separation of duties | Fraud, unauthorized transactions | Requires multiple approvals, prevents single actor abuse |
| Access provisioning controls | Excessive permissions | Ensures only authorized users get access |
| Vendor security due diligence | Third-party risk | Screens vendors before granting access |
Preventive controls are generally the most cost-effective investment when they work — they eliminate events rather than just limiting damage. The limitation: no preventive control is perfect, and well-resourced attackers find ways around them.
Detective Controls
Detective controls identify that a risk event has occurred — or is in progress. They don't stop the event, but they ensure you know about it quickly enough to limit impact.
How they affect risk: re-score residual impact downward (faster detection = faster containment = smaller blast radius).
Examples:
| Control | Risk Addressed | What It Detects |
|---|---|---|
| SIEM / log monitoring | Security incidents | Anomalous activity, login patterns, data exfiltration |
| Intrusion detection system (IDS) | Network attacks | Malicious traffic patterns, known attack signatures |
| File integrity monitoring | Unauthorized changes | Modifications to critical system files or configs |
| Access reviews | Excessive or stale permissions | Accounts with more access than required |
| Audit trails / logging | Fraud, policy violations | Who did what, when, to which resource |
| Vulnerability scanning | Unpatched systems | CVEs present in the environment |
| User behavior analytics (UBA) | Insider threats | Unusual data access or exfiltration patterns |
| Control self-assessments | Control failures | Controls not operating as designed |
Detective controls are the most commonly underinvested type. Organizations concentrate on prevention and often lack the visibility to know when prevention has failed. A breach that's discovered in 200 days costs dramatically more than one detected in 2 days — detection speed directly determines impact severity.
Corrective Controls
Corrective controls limit damage and restore normal operations after a risk event has occurred. They reduce impact severity and recovery time.
How they affect risk: re-score residual impact downward (better recovery = lower consequence severity).
Examples:
| Control | Risk Addressed | How It Corrects |
|---|---|---|
| Incident response plan | Security incidents | Provides structured containment and recovery process |
| Data backup and recovery | Data loss, ransomware | Restores data from clean copies |
| Business continuity plan | Operational disruption | Maintains critical operations during outages |
| Disaster recovery plan | Infrastructure failure | Restores IT systems within defined RTO/RPO |
| Patch management | Vulnerabilities | Applies fixes after CVEs are discovered |
| Insurance | Financial losses | Covers breach costs, liability, business interruption |
| Rollback procedures | Failed changes | Reverts configuration or code changes causing incidents |
| Root cause analysis | Recurring incidents | Prevents repeat events by fixing underlying causes |
Corrective controls are what separates a manageable incident from a catastrophic one. Organizations with tested incident response plans recover from breaches in days; those without structured recovery processes can take months.
How Control Types Affect Residual Risk Scoring
This is where control type understanding directly impacts risk management accuracy:
| Control Type | Affects | Re-score | Example |
|---|---|---|---|
| Preventive | Likelihood | Residual Likelihood ↓ | MFA reduces likelihood from 4 to 2 |
| Detective | Impact (via faster response) | Residual Impact ↓ | SIEM reduces impact from 4 to 3 |
| Corrective | Impact (via recovery capability) | Residual Impact ↓ | DR plan reduces impact from 4 to 2 |
| All three | Both | Residual Likelihood ↓, Impact ↓ | Full control stack reduces both |
Practical example — Data Breach Risk:
| Assessment | Likelihood | Impact | Score |
|---|---|---|---|
| Inherent (no controls) | 4 | 5 | 20 (Critical) |
| + Preventive (MFA, encryption, DLP) | 2 | 4 | 8 (Medium) |
| + Detective (SIEM, UBA, access reviews) | 2 | 3 | 6 (Medium) |
| + Corrective (IR plan, backup, insurance) | 2 | 2 | 4 (Low) |
Each control type contributes a different dimension of risk reduction. A program with only preventive controls might reduce likelihood well but leave impact exposure high if an event occurs.
Building a Balanced Control Set
The principle of defense in depth is: assume each layer of prevention will eventually fail, and design the next layer to catch the failure.
A three-layer model
Layer 1 — Prevent: Make events unlikely
Layer 2 — Detect: Identify events quickly when they occur
Layer 3 — Correct: Minimize damage and recover fast
Identifying gaps
For each high or critical risk, audit your control set by type:
| Risk | Preventive | Detective | Corrective | Gap |
|---|---|---|---|---|
| Unauthorized access | MFA, least privilege | SIEM, access reviews | IR plan, PAM revocation | ✓ Balanced |
| Ransomware | Email filtering, AV | EDR, anomaly detection | Backup recovery | ✓ Balanced |
| Insider data theft | DLP, separation of duties | UBA | — | Missing corrective |
| Physical intrusion | Door access controls | CCTV | — | Missing corrective |
Any risk relying on only one control type has a structural gap. If all your controls are preventive, you have no way to know when prevention has failed.
Common patterns by risk type
Cyber risks: Heavy preventive investment is standard, but detective controls (SIEM, EDR) are what compress breach dwell time. Don't skip them.
Operational risks: Corrective controls (BCP, DR) are critical — these risks often can't be fully prevented (hardware failure, natural disasters, vendor outages). The question is how fast you recover.
Compliance risks: Detective controls (audits, access reviews, control self-assessments) are essential. Most compliance failures are discovered through inadequate monitoring, not through events that preventive controls should have stopped.
Financial risks: Separation of duties (preventive) plus reconciliation procedures (detective) plus escalation protocols (corrective) is the standard balanced set.
Testing Controls by Type
How you verify effectiveness depends on the control type. For a full scoring methodology, see Control Effectiveness Scoring.
| Type | Testing Method | Evidence |
|---|---|---|
| Preventive | Penetration testing, configuration review | Firewall rulesets, access provisioning logs, test results |
| Detective | Simulate events, review alert cadence | Alert logs, SIEM queries, response tickets |
| Corrective | Tabletop exercises, DR tests | Test results, RTO/RPO achieved, recovery logs |
A preventive control that's never tested may have a configuration gap that makes it ineffective. A corrective plan that's never exercised may fail at the worst possible moment. Each control type requires its own testing approach.
Frequently Asked Questions
- What are the three types of security controls?
- The three primary control types are: Preventive controls (reduce the likelihood of a risk event — they stop bad things from happening), Detective controls (identify when a risk event has occurred — they tell you something went wrong), and Corrective controls (limit damage and restore normal operations after an event — they reduce impact and duration). A fourth type, Deterrent controls, discourages attacks or violations through visible consequences (e.g., warning banners, audit notices), but many frameworks collapse deterrent into preventive.
- What is the difference between a preventive and a detective control?
- A preventive control stops a risk event from occurring — it acts before the event. Example: MFA prevents unauthorized login by requiring a second factor. A detective control identifies that an event has occurred — it acts during or after the event. Example: SIEM alerting detects unusual login patterns. Both matter because no preventive control is 100% effective. Detective controls ensure that when prevention fails, the failure is noticed quickly.
- How do control types affect residual risk scoring?
- Control types determine which dimension of residual risk you re-score. Preventive controls reduce residual likelihood — they make the event less probable. Corrective and detective controls reduce residual impact — they limit consequences and recovery time when the event occurs. Example: for a data breach risk, MFA (preventive) reduces residual likelihood, encryption (corrective) reduces residual impact by limiting data exposure, and SIEM monitoring (detective) reduces impact by enabling faster detection and response. When assessing residual risk, note which control type applies to determine whether to adjust likelihood, impact, or both.
- What are examples of corrective controls?
- Corrective controls restore normal operations and limit ongoing damage after a risk event. Examples include: incident response plans (define how to contain and recover from a security incident), backup and recovery systems (restore data after ransomware or hardware failure), business continuity plans (maintain operations during an outage), patch management (corrects vulnerabilities after they're discovered), and insurance (corrects financial exposure after a loss event). A good corrective control reduces both impact severity and recovery time.
- What is a compensating control?
- A compensating control provides an alternative safeguard when the primary control can't be implemented. Common in compliance contexts — if a system can't support MFA (primary control), a compensating control might be strict IP allowlisting combined with more frequent access reviews. Compensating controls are accepted by most frameworks (SOC 2, PCI DSS, ISO 27001) with documented justification, but they typically provide weaker protection than the primary control they replace.
Related Articles
Control Effectiveness Scoring: How to Measure and Improve Your Security Controls
Learn how to measure control effectiveness — scoring methodologies, design vs. operating effectiveness, testing approaches, and how to use control data to improve your risk posture. A practical guide for GRC teams.
7 min read
What Is Residual Risk? How to Calculate and Manage Risk After Controls
Residual risk is the risk that remains after controls are applied. Learn how to calculate residual risk, the difference between inherent and residual risk, and how to decide whether residual risk is acceptable.
6 min read
GRC Platform Buyer's Guide: What to Look For in 2026
A comprehensive buyer's guide for GRC software — evaluation criteria, must-have features, questions to ask vendors, and how to choose the right governance, risk, and compliance platform for your organization.
8 min read