This article explains the four primary categories of security controls, how they differ, and where they fit in a layered security program. Two categories are implemented by people, and two are implemented by systems or devices.
  • Managerial controls (implemented by people)
  • Operational controls (implemented by people)
  • Technical controls (implemented by things)
  • Physical controls (implemented by things)
Use the following quick reference table to compare these control categories at a glance.
Control Category | Implemented By                       | Purpose / Use Case                                                | Examples
Managerial       | People (leadership/management)       | Define policies, governance, risk tolerance, and responsibilities | Security policy, risk assessments, governance frameworks
Operational      | People (staff/operations)            | Day-to-day execution of security tasks and procedures             | Incident response, backups, change control, data classification
Technical        | Systems (hardware/software/firmware) | Enforce security automatically at a technical level               | Firewalls, IDS/IPS, authentication, encryption
Physical         | Things (physical devices/structures) | Prevent or deter unauthorized physical access and tampering       | Locks, fences, badge readers, CCTV, lighting
Managerial controls establish the rules and acceptable risk levels. Operational controls are the human actions that enforce and follow those rules. Technical and physical controls are the automated or tangible mechanisms that enforce security, either electronically or physically.

Managerial Controls (implemented by people)

Managerial controls are set by organizational leadership to define what must be done and who is accountable. They build the foundation for a security program and typically include:
  • Policies, standards, and procedures
  • Security governance and oversight
  • Risk assessments, business impact analysis, and acceptance criteria
  • Security planning and resource allocation
  • Vendor/third-party risk management
These controls guide both operational staff and technical teams. The organization's own security policies are themselves managerial controls; external sources that shape them include the NIST SP 800-series publications and governance frameworks.

Operational Controls (implemented by people)

Operational controls are the everyday security-related activities performed by staff to implement managerial direction. They typically focus on processes and human behavior:
  • Incident response and forensics
  • Change management and configuration control
  • Asset management and inventory
  • Data labeling, classification, and handling
  • Physical security patrols and identity verification
Operational controls often intersect with technical controls—for example, an operator who triages alerts from an intrusion detection system or a backup administrator who verifies restore procedures.

Technical Controls (implemented by things)

Technical controls are implemented via hardware, software, or firmware. They are designed to automatically enforce security policies and reduce human error:
  • Network defenses: firewalls, IDS/IPS, network segmentation
  • Endpoint protections: antivirus/anti-malware, EDR
  • Access controls: authentication, authorization, access control lists (ACLs)
  • Data protection: encryption (at-rest and in-transit), tokenization
  • Monitoring and logging systems
Technical controls are critical for scalability and consistent enforcement, and they should be aligned with managerial policies and operational procedures.
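The technical controls listed above turn a managerial decision into something a machine enforces with no human in the loop. The following Python example is added here and is not part of the original article; it shows the two properties that make an ACL or firewall rule set work as a control (first match wins, and anything not explicitly allowed is denied) and includes the check a change-control reviewer wants: detection of a rule that can never fire because an earlier, broader rule shadows it. The rule syntax, the 10.0.50.0/24 admin subnet, the RFC 5737 documentation addresses and both policies are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: object              # ipaddress.IPv4Network or IPv6Network
    proto: str               # "tcp" or "udp"
    dst_port: Optional[int]  # None means any port


def parse_rules(text):
    """Parse constructed rule lines: <allow|deny> <src-cidr> <tcp|udp> <port|any> [# comment]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, cidr, proto, port = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(cidr, strict=False),
                          proto.lower(), None if port == "any" else int(port)))
    return rules


def _matches(rule, src_ip, proto, dst_port):
    return (rule.proto == proto
            and src_ip.version == rule.src.version
            and src_ip in rule.src
            and (rule.dst_port is None or rule.dst_port == dst_port))


def evaluate(rules, src, proto, dst_port):
    """First matching rule wins; returns (action, rule index).

    If nothing matches the answer is ("deny", None): the implicit deny at the
    end of the list is what turns a list of exceptions into a policy.
    """
    src_ip = ipaddress.ip_address(src)
    for index, rule in enumerate(rules):
        if _matches(rule, src_ip, proto, dst_port):
            return rule.action, index
    return "deny", None


def shadowed_rules(rules):
    """Return (shadowed_index, covering_index) pairs.

    A later rule is shadowed when a single earlier rule already matches every
    packet it could match. A shadowed deny is a policy violation the firewall
    will enforce the wrong way, so this check belongs in change control.
    """
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier.proto == later.proto
                    and earlier.src.version == later.src.version
                    and later.src.subnet_of(earlier.src)
                    and (earlier.dst_port is None or earlier.dst_port == later.dst_port)):
                found.append((j, i))
                break
    return found


# Constructed rule set for the policy "SSH to servers only from the admin
# subnet; HTTPS from anywhere; everything else denied".
GOOD_POLICY = """
allow 10.0.50.0/24  tcp 22    # admin jump subnet may SSH (assumed address)
allow 0.0.0.0/0     tcp 443   # public HTTPS
deny  0.0.0.0/0     tcp 22    # explicit deny so the hit shows up in logs
"""

# Same intent, wrong order: the broad allow shadows the targeted deny.
BAD_POLICY = """
allow 0.0.0.0/0     tcp 22    # 'temporary' troubleshooting rule left in place
deny  192.0.2.0/24  tcp 22    # meant to block a contractor range; never fires
allow 0.0.0.0/0     tcp 443
"""

if __name__ == "__main__":
    good, bad = parse_rules(GOOD_POLICY), parse_rules(BAD_POLICY)
    for src, port in (("10.0.50.7", 22), ("203.0.113.9", 22), ("203.0.113.9", 3389)):
        print(src, port, evaluate(good, src, "tcp", port))
    print("shadowed in GOOD_POLICY:", shadowed_rules(good))
    print("shadowed in BAD_POLICY:", shadowed_rules(bad))
```

The shadow check is deliberately conservative: it only reports a rule covered entirely by one earlier rule, not one covered by the union of several, so a clean result is not proof that every rule is reachable. It is still the cheapest test to run before a rule change is approved.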

Physical Controls (implemented by things)

Physical controls protect facilities, systems, and personnel from physical threats. They are implemented as tangible barriers and detection systems:
  • Structural: fences, gated perimeters, walls
  • Entry controls: locks, badge readers, turnstiles, access control vestibules
  • Environmental: lighting, secure enclosures, tamper-evident seals
  • Detection: cameras (CCTV), motion sensors, alarms
  • Human: security guards, reception screening
Guards appear both here and in the operational list above: the patrol or screening procedure is operational, while the barriers, badge readers and sensors it relies on are physical. Most sites combine several of these rather than relying on any one of them.
Slide: "Security Controls – Categories", two panels (Technical Controls, Physical Controls) under the banner "Implemented by Things".
Physical security is most effective when layered. Anticipate intrusion at several scales, from perimeter breaching to insider threats, and combine defenses so that an attacker is delayed and detected before reaching critical assets. Controlled entry points are the usual example: an access control vestibule (two interlocked doors with a holding area between them, where the second door does not open until the first has closed) creates a staged authentication zone that slows or prevents unauthorized entry and defeats simple techniques such as tailgating, piggybacking, or walking into a facility unnoticed. All personnel should badge in individually with approved credentials, and environmental measures such as lighting and video surveillance should be part of the same program.
Slide: "Fundamental Security Concepts", showing an intruder, an access control vestibule, and a building inside a perimeter labeled "Physical Security".

Deception-based Controls (honeypots and honeynets)

Deception-based controls are designed to lure, observe, and analyze attackers. A honeypot is a deliberately vulnerable or enticing system deployed to attract adversaries so defenders can study attacker behavior and tactics without risking production assets. Because no legitimate user has any reason to touch a decoy, any interaction with it is a high-fidelity alert, which makes honeypots useful for detection as well as research. Key considerations:
  • Isolate them from production networks so a compromised decoy cannot be used to pivot into real systems.
  • Put nothing of real value on them, and instrument them with detailed logging and monitoring.
  • Treat honeypots as research and detection tools, not as a replacement for hardening real systems.
  • Resolve legal and privacy questions (what may be recorded, how far the decoy may interact with attackers) before deployment.
You can deploy a single honeypot or scale to a honeynet (a network of interconnected decoys). Choose low-, medium-, or high-interaction honeypots based on the intelligence you want to gather and the risk you are willing to accept: a low-interaction decoy emulates only a banner or a few canned responses and is cheap and safe to run, while a high-interaction one is a real system that yields far more detail but must be watched closely because an attacker can actually compromise it.
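As an added example that is not part of the original article, here is a minimal low-interaction honeypot in Python that applies the considerations above: it presents a decoy banner, records whatever the peer sends as a structured JSON event tagged for the SIEM, never interprets the input, and caps what it stores. The banner string, the sensor tag and severity, and the 198.51.100.7 peer address used by the self-test are assumptions; the demo under __main__ binds to 127.0.0.1, whereas a real deployment would bind an interface on an isolated segment.

```python
import json
import socket
import threading
import time
from datetime import datetime, timezone

# Constructed decoy banner (assumption: the decoy poses as an SSH server).
# Nothing here speaks SSH; the banner only exists to draw a scanner in.
FAKE_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"
MAX_CAPTURE = 4096   # hard cap on bytes kept per connection
READ_TIMEOUT = 3.0   # seconds to wait for the peer to send something


def build_event(peer, received, when=None):
    """Turn one captured connection into a JSON-ready record.

    Payload bytes are stored escaped so binary probes cannot break the log.
    The fixed sensor tag and severity reflect that no legitimate client has
    any reason to touch a decoy: every hit is an alert.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "sensor": "honeypot",                       # routing tag (assumed name)
        "src_ip": peer[0],
        "src_port": peer[1],
        "banner_sent": FAKE_BANNER.decode("ascii").strip(),
        "bytes_received": len(received),
        "payload": received.decode("utf-8", "backslashreplace"),
        "severity": "high",
    }


def handle_connection(conn, peer, log_sink):
    """Send the banner, record what comes back, then hang up.

    The decoy never parses or executes what it receives; recording only is
    what keeps a low-interaction honeypot cheap and low risk.
    """
    conn.settimeout(READ_TIMEOUT)
    captured = b""
    try:
        conn.sendall(FAKE_BANNER)
        while len(captured) < MAX_CAPTURE:
            chunk = conn.recv(1024)
            if not chunk:                # peer closed its side
                break
            captured += chunk
    except (socket.timeout, OSError):
        pass                             # peer went silent or reset; keep what we have
    finally:
        conn.close()
    event = build_event(peer, captured[:MAX_CAPTURE])
    log_sink(json.dumps(event, sort_keys=True))
    return event


def serve(listener, log_sink, stop):
    """Accept loop, one thread per connection. The listener must be bound on
    an isolated segment, never on a production interface."""
    listener.settimeout(0.5)             # lets the loop notice the stop flag
    while not stop.is_set():
        try:
            conn, peer = listener.accept()
        except socket.timeout:
            continue
        threading.Thread(target=handle_connection,
                         args=(conn, peer, log_sink), daemon=True).start()
    listener.close()


def probe_locally(payload):
    """Self-test: drive handle_connection over a socketpair the way a scanner
    would over the network. Returns (event, banner the peer saw, JSON line)."""
    client, server = socket.socketpair()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    lines = []
    event = handle_connection(server, ("198.51.100.7", 40222), lines.append)  # constructed peer
    banner = client.recv(len(FAKE_BANNER))
    client.close()
    return event, banner, lines[0]


if __name__ == "__main__":
    listener = socket.create_server(("127.0.0.1", 0))   # loopback for the demo only
    port = listener.getsockname()[1]
    stop = threading.Event()
    threading.Thread(target=serve, args=(listener, print, stop), daemon=True).start()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.recv(64)                       # the scanner reads our banner
        c.sendall(b"root\r\npassword123\r\n")
    time.sleep(0.5)
    stop.set()
```

Two design points carry the page's caveats into the code: the handler only ever calls recv and sendall on the decoy socket, so there is no code path by which attacker input reaches a shell or a parser, and the sink receives one JSON line per connection so the events can be shipped off-box and correlated with the rest of the SIEM rather than left on a host the attacker is probing.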

Further reading and references

Resource                     | Why it helps
NIST Cybersecurity Framework | Guidance on risk-based cybersecurity governance and control selection
CompTIA Security Resources   | Practitioner-focused security topics and certification materials
OWASP Cheat Sheets           | Best practices for technical controls and application security
These references provide deeper guidance for designing, implementing, and assessing managerial, operational, technical, and physical controls.
