5.2 Different types of control
Let’s look at the different types of controls that can be used for risk treatment.
Directive controls give direction. These are the weakest controls. Things like policies are directive controls; they state the practice to be followed but do not stop bad practice from occurring. The Highway Code is an example of a directive control.
Detective controls aim to identify a breach after the event; an example is a financial review or audit carried out after the activity has taken place. They will often lead to corrective action being taken.
Preventative controls act to nullify the root cause and thus prevent the event. These are often the strongest controls. Common preventative controls include segregation of duties and IT passwords.