Objective 1.1 | High Priority | 7 min read

Directive Controls

Controls that guide or mandate security behavior through rules, policies, and expectations. Directive controls tell people what they should or must do, establishing the "rules of the road" for security.

Understanding Directive Controls

Directive controls tell people what to do. They're the written rules—policies, standards, procedures, and guidelines—that establish expectations for security behavior. Unlike technical controls that enforce automatically, directive controls rely on people choosing to follow them.

Think of directive controls as the rulebook. An Acceptable Use Policy (AUP) directs employees on proper system use. Password standards direct them to create strong passwords. Incident response procedures direct them on how to handle security events. All directive—all telling people what's expected.

Here's the critical relationship: directive controls often overlap with managerial controls. A security policy created by management (managerial) that tells employees what to do (directive) is both. But not all managerial controls are directive—a risk assessment is managerial but doesn't direct behavior.

Why This Matters for the Exam

Directive controls establish the foundation for security governance. They define what "good" looks like and create accountability. Without directives, there's no basis for enforcement or compliance measurement.

The exam tests the relationship between directive and other control types. Directive controls often work alongside preventive and deterrent controls: the policy DIRECTS behavior, the technical control PREVENTS violations, and the warning sign DETERS bad actors. Together, they form layered protection.

Understanding directive controls also helps with Domain 5 questions about governance, policies, and compliance. The security policy that drives an entire program is a directive control.

Deep Dive

Common Directive Controls on the Exam

Policies

  • Acceptable Use Policy (AUP) — Directs proper resource use
  • Information Security Policy — Directs overall security program
  • Access Control Policy — Directs who gets access to what
  • Data Classification Policy — Directs how data should be labeled/handled
  • Password Policy — Directs password requirements

Standards

  • Password complexity standards — Directs minimum requirements
  • Encryption standards — Directs acceptable algorithms
  • Configuration standards — Directs secure baseline settings
  • Hardware/software standards — Directs approved technologies

Procedures

  • Incident response procedures — Directs actions during incidents
  • Change management procedures — Directs change approval process
  • Account provisioning procedures — Directs how accounts are created
  • Backup procedures — Directs backup frequency and methods

Guidelines

  • Security best practices — Suggests recommended behaviors
  • Implementation guidelines — Suggests how to meet requirements
  • Hardening guidelines — Suggests configuration improvements

Agreements

  • Confidentiality agreements — Directs handling of sensitive information
  • User acknowledgments — Confirms understanding of policies
  • Consent forms — Establishes terms of monitoring

The Directive Hierarchy

Directive controls follow a hierarchy:

1. Policies — High-level, mandatory, broad scope
2. Standards — Specific, mandatory, define metrics
3. Procedures — Step-by-step, mandatory, how-to
4. Guidelines — Recommended, flexible, best practices

  • Policies = WHAT must be done
  • Standards = HOW WELL it must be done
  • Procedures = HOW to do it
  • Guidelines = SUGGESTIONS for doing it better

Directive vs. Managerial: Understanding the Overlap

Document                          | Managerial?                   | Directive?
----------------------------------|-------------------------------|-----------------------------------
Security policy requiring MFA     | Yes (created by management)   | Yes (directs MFA usage)
Risk assessment report            | Yes (management process)      | No (doesn't direct behavior)
Acceptable Use Policy             | Yes (management-created)      | Yes (directs user behavior)
Incident response plan            | Yes (management-approved)     | Yes (directs response actions)
Security training program outline | Yes (management initiative)   | No (describes program, not behavior)

The key distinction: Managerial = WHO creates it. Directive = WHAT it does (tells people what to do).

How CompTIA Tests This

Example Analysis

Scenario: An organization creates a document stating that all employees must complete security awareness training within 30 days of hire, must not share login credentials, and must report suspicious emails to the security team. All employees must sign acknowledgment of this document.

Analysis: This is a directive control because:
  • It tells employees what they MUST do
  • It establishes expectations and requirements
  • It directs specific behaviors
  • The acknowledgment creates accountability

It's ALSO a managerial control because:
  • It's created by management
  • It's a documented policy
  • It requires governance oversight

Control TYPE (directive): Tells people what to do
Control CATEGORY (managerial): Created by management

Many policies are BOTH managerial (category) AND directive (type).

Key Terms to Know

directive controls, security policies, acceptable use policy, AUP, standards, procedures, guidelines, compliance requirements

Common Mistakes to Avoid

Thinking directives enforce themselves—directive controls tell people what to do, but people can choose to ignore them. Technical controls enforce; directives guide.
Confusing directive with preventive—a policy directing password complexity doesn't prevent weak passwords. The technical control enforcing complexity prevents them. Directive = the rule. Preventive = the enforcement.
Forgetting that managerial and directive overlap—most policies are both managerial (who creates them) and directive (what they do). These are different classification systems.
Missing the hierarchy—policies, standards, procedures, and guidelines are all directive but serve different purposes. Know the difference between mandatory (policies, standards, procedures) and suggested (guidelines).

Exam Tips

Look for control documents: policies, standards, procedures, guidelines, agreements, acknowledgments. These are directive controls.
Directive controls often start with action words: "must," "shall," "will," "required to." These indicate direction of behavior.
When a question asks about establishing expectations or rules, the answer involves directive controls.
Remember the overlap: most directive controls are ALSO managerial. The exam may ask about either classification.
AUP (Acceptable Use Policy) is the classic exam example of a directive control. If you see AUP in an answer, it's almost certainly directive.

Memory Trick

"Directive controls give DIRECTION—they're the rules."

Like a movie director telling actors what to do, directive controls tell users what to do.

The Document Test: If it's a policy, standard, procedure, or guideline document → Directive control. These documents DIRECT behavior.

The "Must" Test: If the control says what people MUST, SHALL, or SHOULD do → Directive. If it FORCES them to do it automatically → That's technical/preventive, not directive.

The Hierarchy Memory Device:
  • Policies → Purpose (broad goals)
  • Standards → Specifications (requirements)
  • Procedures → Process (step-by-step)
  • Guidelines → Good ideas (suggestions)

All four DIRECT behavior, but at different levels of detail and enforcement.

Test Your Knowledge

Q1. An organization requires all employees to read and sign an Acceptable Use Policy (AUP) that defines proper use of company IT resources. What type of control is this AUP?

Q2. Which of the following is the BEST example of a directive control?

Q3. What is the relationship between directive controls and managerial controls?
