Corrective Controls
Controls that restore systems and processes to normal operation after a security incident. Corrective controls fix problems, remove threats, and return the environment to a secure state.
Understanding Corrective Controls
Corrective controls fix things after they break. They're reactive—they respond to incidents that have already occurred. The goal is restoration: getting systems back to a known-good state and eliminating whatever caused the problem.
Think of corrective controls as the "undo" or "repair" function. Something bad happened; now we need to correct it. Antivirus quarantining malware, restoring from backup after ransomware, or patching a vulnerability that was exploited—these all correct the situation.
The key timing distinction: preventive controls act BEFORE incidents, detective controls identify DURING/AFTER incidents, and corrective controls respond AFTER incidents are detected. Detection tells you something happened; correction fixes it.
Why This Matters for the Exam
Corrective controls appear throughout Domain 4 (Security Operations), which is 28% of the exam. Incident response is essentially a corrective function—containing threats, eradicating malware, and recovering systems.
The exam tests whether you understand the response sequence: detect → correct. You can't correct what you haven't detected. Many questions present an incident scenario and ask what corrective action should be taken.
Understanding corrective controls also helps distinguish between control types. When a question asks "what happens after the incident?" or "how do you recover?"—the answer involves corrective controls.
Deep Dive
Common Corrective Controls on the Exam
Malware Response
- •Antivirus quarantine — Isolates malicious files
- •Antivirus removal — Deletes detected malware
- •System reimaging — Restores clean OS image
- •Malware eradication procedures — Removes all traces
System Restoration
- •Backup restoration — Recovers data from backups
- •System recovery — Returns to known-good state
- •Configuration rollback — Reverts unauthorized changes
- •Failover activation — Switches to backup systems
Vulnerability Correction
- •Security patching — Fixes known vulnerabilities
- •Hotfix deployment — Addresses urgent issues
- •Configuration correction — Fixes misconfigurations
- •Service pack installation — Comprehensive updates
Access Correction
- •Account disabling — Terminates compromised accounts
- •Permission revocation — Removes unauthorized access
- •Credential reset — Forces password changes
- •Session termination — Ends active malicious sessions
Physical Correction
- •Fire suppression systems — Limits the spread of fire damage once a fire is detected
- •Emergency power systems — Restores power after a utility failure
- •Physical access revocation — Removes badges/keys
- •Facility repairs — Fixes physical damage
The Corrective Timeline
Corrective controls happen AFTER detection:
1. Detection → Something wrong is identified
2. Containment → Prevent further damage (can be corrective)
3. Eradication → Remove the threat (corrective)
4. Recovery → Restore normal operations (corrective)
5. Lessons Learned → Improve future prevention
Steps 2-4 involve corrective controls. Step 5 leads to improved preventive controls.
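To make the timeline concrete, here is an added Python example (not code from the original page) that simulates steps 2-4 of the runbook on constructed data, and also covers the ransomware scenario and the Access Correction items discussed on this page. The EDR alert, the infected host WS-042, the backup snapshot with its hash manifest, the identity store and every function name are assumptions invented for illustration; nothing calls a real EDR, backup or directory API. Two points it shows that the list alone does not: no corrective step runs unless a matching detection record exists, and "restored" is only accepted once each file matches the backup manifest hash.

```python
"""Added example (not from the original page): a simulated ransomware
runbook that walks the corrective timeline detect -> contain ->
eradicate -> recover on constructed data. All names below are assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Host:
    name: str
    files: dict[str, bytes]
    isolated: bool = False
    quarantine: dict[str, bytes] = field(default_factory=dict)


# Constructed "last night" backup and the hashes recorded with it.
BACKUP = {
    "C:/Users/alice/report.docx": b"quarterly numbers",
    "C:/Users/alice/notes.txt": b"meeting notes",
}
BACKUP_MANIFEST = {path: sha256(data) for path, data in BACKUP.items()}

# Constructed identity store: the account whose session ran the malware.
IDENTITY = {"alice": {"enabled": True, "sessions": {"tok-1", "tok-2"}, "force_reset": False}}

DROPPER = b"MZ...ransomware-dropper (constructed)"


def infected_host() -> Host:
    """WS-042 after the ransomware ran: user files encrypted, dropper present."""
    return Host("WS-042", {
        "C:/Users/alice/report.docx.locked": b"\x00\xffgarbage",
        "C:/Users/alice/notes.txt.locked": b"\x00\xffgarbage",
        "C:/Temp/ransom.exe": DROPPER,
    })


# Constructed detective-control output. Every corrective step keys off
# this record: you cannot correct what you have not detected.
EDR_ALERT = {"host": "WS-042", "verdict": "malicious", "file": "C:/Temp/ransom.exe",
             "sha256": sha256(DROPPER), "account": "alice"}


class NotDetected(RuntimeError):
    """Raised when a corrective step is requested without a matching detection."""


def contain(host: Host, alert: dict, identity: dict) -> None:
    """Containment: isolate the host, quarantine the detected file and cut
    off the account's live sessions so the actor cannot continue."""
    if alert["host"] != host.name or alert["verdict"] != "malicious":
        raise NotDetected(f"no malicious detection for {host.name}")
    host.isolated = True
    path = alert["file"]
    if path in host.files and sha256(host.files[path]) == alert["sha256"]:
        host.quarantine[path] = host.files.pop(path)  # keep a copy for forensics
    acct = identity[alert["account"]]
    acct["enabled"] = False        # account disabling
    acct["sessions"].clear()       # session termination
    acct["force_reset"] = True     # credential reset before re-enable


def eradicate(host: Host) -> list[str]:
    """Eradication: remove every trace the malware left behind."""
    removed = [p for p in host.files if p.endswith(".locked")]
    for p in removed:
        del host.files[p]
    return removed


def recover(host: Host, snapshot: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Recovery: restore from backup and verify each file against the manifest
    hash, so 'restored' means 'restored to a known-good state'."""
    verified = []
    for path, data in snapshot.items():
        if sha256(data) != manifest[path]:
            raise ValueError(f"backup copy of {path} does not match manifest")
        host.files[path] = data
        verified.append(path)
    host.isolated = False  # back on the network only after recovery
    return sorted(verified)


def run_runbook(host: Host, alert: dict, identity: dict) -> dict:
    """Detect -> contain -> eradicate -> recover, in that order."""
    contain(host, alert, identity)
    removed = eradicate(host)
    restored = recover(host, BACKUP, BACKUP_MANIFEST)
    return {"quarantined": sorted(host.quarantine), "removed": sorted(removed),
            "restored": restored, "clean": set(host.files) == set(BACKUP)}


if __name__ == "__main__":
    print(run_runbook(infected_host(), EDR_ALERT, IDENTITY))
```

Running it reports the quarantined dropper, the two encrypted files removed, the two files restored and `clean: True`. Changing the alert's verdict to anything other than `malicious` makes the runbook refuse to act, which is the detect-before-correct rule enforced in code. Step 5 (lessons learned) is deliberately absent: it feeds back into preventive controls rather than being a corrective action.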
Corrective vs. Other Control Types
| Scenario | Control Type | Why? |
|---|---|---|
| Firewall blocks attack | Preventive | Stops before it succeeds |
| IDS alerts on attack | Detective | Identifies the attack |
| Admin patches exploited vulnerability | Corrective | Fixes the problem after it was exploited |
| Backup restore after ransomware | Corrective | Recovers from incident |
| Security training to prevent future clicks | Preventive | Stops future incidents |
Corrective = Response to something that already happened.
How CompTIA Tests This
Example Analysis
Scenario: An organization's antivirus software detects ransomware on an employee workstation. The antivirus automatically quarantines the malicious files and alerts the IT team. The team then restores encrypted files from the previous night's backup and reimages the workstation.
Analysis: Multiple corrective controls are at work:
- •Quarantine = Corrective (contains the damage)
- •Alert = Detective (identifies the incident)
- •Backup restore = Corrective (recovers data)
- •System reimage = Corrective (restores clean state)
The antivirus itself has both preventive functions (blocking known malware before execution) and corrective functions (quarantining detected malware after an execution attempt).
Key insight: The same tool can perform multiple control types. The question is WHAT FUNCTION is being described.
Exam Tips
Memory Trick
"Corrective controls CORRECT what went wrong."
Simple and direct—if something bad happened and this control fixes it, it's corrective.
- •The Timeline Test:
- •BEFORE incident → Preventive (stops it)
- •DURING/AFTER incident identified → Detective (finds it)
- •AFTER detection, to fix it → Corrective (fixes it)
The Response Pattern: Detect → Correct
You must DETECT before you can CORRECT.
- •The Fire Example:
- •Smoke detector = Detective (identifies fire)
- •Sprinkler system = Corrective (responds to fire)
- •Fire-resistant materials = Preventive (stops fire spread)
All protect against fire, but at different points in the timeline.
Test Your Knowledge
Q1.After a security breach is detected, an administrator applies security patches to vulnerable systems to prevent the same exploit from being used again. This patching activity is which type of control?
Q2.An organization experiences a ransomware attack. Which of the following represents a corrective control in this scenario?
Q3.A fire suppression system activates when smoke is detected in the server room. What type of control is the fire suppression system?