2.1.1. Control Categories: Technical, Managerial, Operational, Physical
💡 First Principle: Categories answer "who or what implements this control?" They describe the nature of the implementation, not its purpose.
Technical controls are implemented and enforced by technology systems. Firewalls filter traffic based on rules. Encryption scrambles data mathematically. Access control lists restrict permissions programmatically. Antivirus software scans for known signatures. The strength of technical controls is consistency: they don't get tired, distracted, or socially engineered. Their weakness is that they only address threats they're configured to handle.
Managerial controls (also called administrative controls) are designed and overseen by management. Risk assessments determine what needs protection. Security policies define acceptable behavior. Security plans lay out architectures and strategy. These controls don't directly stop attacks, but without them, technical and operational controls lack direction, like a ship with a working engine but no navigation chart.
Operational controls are procedures executed by people in their daily work. Security awareness training teaches employees to recognize phishing. Change management procedures ensure patches are tested before deployment. Incident response runbooks guide the team during a breach. Guard patrols check physical perimeters. These controls bridge the gap between management intent and technical enforcement.
Physical controls restrict or monitor physical access. Fences define perimeters. Locks restrict entry. Cameras record activity. Bollards prevent vehicle attacks. Lighting deters nighttime intrusion. Physical controls are the foundation: the most sophisticated firewall is useless if an attacker can walk up to the server and unplug it.
Compensating controls span all categories. When the ideal control can't be implemented (cost, technical limitation, business constraint), a compensating control provides equivalent risk reduction through an alternative approach. PCI DSS formally recognizes compensating controls when organizations can't meet a specific requirement directly.
⚠️ Exam Trap: "Administrative" and "managerial" mean the same thing on SY0-701. CompTIA uses "managerial" in the official objectives. If you see "administrative control" in a question, think management-level controls like policies, risk assessments, and security plans.
