Objective 1.1 (High Priority)

Managerial Controls

Administrative policies, procedures, and governance mechanisms established by management to direct security efforts. Also called administrative controls, these define what should happen but rely on other controls for enforcement.

Understanding Managerial Controls

Managerial controls—also called administrative controls—are the policies, procedures, and governance structures that management creates to guide an organization's security program. They answer the question: "What are the rules?"

Here's the critical distinction: managerial controls don't enforce security directly. A password policy doesn't force users to create strong passwords—it states that they must. The technical control (password complexity requirements in Active Directory) actually enforces it. The operational control is the help desk resetting passwords according to procedure.

Think of managerial controls as the blueprints. They're essential—you can't build without them—but the blueprint itself doesn't construct the building.

Why This Matters for the Exam

The Security+ exam frequently tests whether you understand the difference between creating rules (managerial) and following rules (operational). This is one of the most common points of confusion.

Managerial controls also appear heavily in Domain 5 (Security Program Management), which is 20% of the exam. Understanding that governance frameworks, compliance requirements, and security policies are all managerial controls connects Domain 1 concepts to Domain 5 scenarios.

When a question describes management establishing, approving, or documenting something, think managerial. When it describes someone executing or performing a task, that's operational.

Deep Dive

Common Managerial Controls on the Exam

  • Security policies — High-level statements of security intent
  • Acceptable Use Policies (AUP) — Rules for how employees can use company resources
  • Risk assessments — Formal evaluation of threats and vulnerabilities
  • Security awareness program — The program design and requirements (not the training itself)
  • Background check requirements — Policy requiring checks for certain roles
  • Vendor management policies — Rules for third-party security requirements
  • Change management procedures — Documented process for system changes
  • Incident response plans — Documented procedures for handling incidents
  • Business continuity plans — Strategies for maintaining operations during disruptions

The Management Layer

Managerial controls exist at the governance layer. They're created by:
  • Executive leadership
  • Security committees
  • Compliance officers
  • Risk management teams

They're documented in:
  • Policy documents
  • Standards and procedures
  • Frameworks and guidelines
  • Contracts and agreements

Managerial vs. Operational: The Key Distinction

This is the #1 exam trap. Here's how to tell them apart:

  Scenario           | Managerial                          | Operational
  Background checks  | Policy requiring background checks  | HR staff performing the check
  Security training  | Program requiring annual training   | Trainer delivering the course
  Incident response  | Written IR plan                     | Analyst following the plan
  Log review         | Policy requiring daily log review   | Admin reviewing the logs

The pattern: Managerial CREATES the requirement. Operational EXECUTES it.

How CompTIA Tests This

Example Analysis

Scenario: An organization's CISO develops a document stating that all employees must complete security awareness training within 30 days of hire and annually thereafter. The document is approved by the board and distributed to all department heads.

Analysis: This is a managerial control because:
  • It's created by management (CISO)
  • It's approved through governance (board)
  • It establishes a requirement but doesn't execute it
  • It's a documented policy

What would make it operational? If the question described trainers conducting the sessions or employees completing the modules, that's the operational execution of this managerial policy.

Control type: This is a directive control—it directs behavior by establishing expectations. Managerial controls are often also directive controls.

Key Terms to Know

managerial controls, administrative controls, security policy, risk assessment, governance, compliance, AUP, acceptable use policy, security framework

Common Mistakes to Avoid

Confusing the policy with its execution—"Requiring background checks" is managerial. "Performing background checks" is operational. The verb matters: require/establish/mandate = managerial. Perform/conduct/execute = operational.
Thinking security awareness training is always managerial—the training PROGRAM and POLICY are managerial. The actual DELIVERY of training is operational. A question about "conducting training" is operational.
Missing that risk assessments are managerial—even though analysts perform the work, a formal risk assessment is a management-directed evaluation that produces governance documentation.
Forgetting that managerial controls need other controls to be effective—a policy alone doesn't stop attacks. It must be paired with technical enforcement and operational execution.

Exam Tips

Look for management-level verbs: establishes, requires, mandates, approves, documents, defines. These signal managerial controls.
If the control is a document (policy, plan, procedure, framework), it's almost always managerial. Documents don't execute themselves.
Ask: "Who created this?" If it's management, executives, or a committee, think managerial. If it's a technician or analyst doing daily work, think operational.
Remember that managerial and directive often overlap—most policies are both managerial (category) and directive (type). Don't let this confuse you if the question asks for one or the other.

Memory Trick

"Managerial controls live in DOCUMENTS, not in DOING."

If you can print it, file it, or point to it in a policy manual, it's managerial. If someone has to actively perform it day-to-day, it's operational.

The Management Test:
  • Ask yourself: "Did a manager or committee CREATE this, or does a staff member DO this?"
  • CREATE = Managerial
  • DO = Operational

Word Association:
  • Policy, Procedure, Plan, Program, Framework = Managerial
  • Perform, Conduct, Execute, Monitor, Review = Operational

Test Your Knowledge

Q1. A security team documents a formal process for evaluating and approving new software before deployment. What type of control is this?

Q2. Which of the following is an example of an operational control rather than a managerial control?

Q3. An organization requires all employees in finance roles to undergo background checks before being granted access to financial systems. The HR department conducts these checks using a third-party service. Which statement is correct?
