A corrective control is a security measure that fixes, reverses, or limits the damage of an attack after it has already happened, completing the prevent-detect-correct trio that AP Cybersecurity uses to classify defenses (EK 2.3.B.1).
A corrective control is what kicks in after something goes wrong. Its job is to repair the damage, contain the spread, or get a system back to normal once an attack or failure has already occurred. Think restoring from a backup after ransomware locks your files, replacing a stolen laptop, or revoking a badge that got into the wrong hands.
The CED frames every control around one core question (EK 2.3.B.1): how could an adversary exploit a vulnerability, and how do you prevent, detect, or correct the attack? Corrective controls own that last word. A preventative control tries to stop the attack from happening. A detective control notices it while or after it happens. A corrective control cleans up the mess and restores order. Same threat, three different jobs, and a strong defense usually layers all three.
This term lives in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It directly supports AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for risks from physical vulnerabilities. EK 2.3.B.1 spells out the prevent-detect-correct framework, and corrective controls are the 'correct' piece. You can't reason about mitigation strategies without knowing what happens after a defense fails, and that's exactly the gap corrective controls fill.
Preventative and Detective Controls (Unit 2)
These three are a team. Prevent stops the attack, detect catches it in the act, and correct fixes the fallout. Knowing where a given control falls is the whole point of EK 2.3.B.1, so the fastest way to learn corrective control is to contrast it with the other two.
Physical Control (Unit 2)
A physical control describes the type of barrier (a lock, a fence, a bollard), while corrective describes the timing and goal (acting after the fact to fix damage). The same lock can be preventative, but swapping the lock after a break-in is a corrective use of a physical control.
Managerial Control and Workstation Security Policy (Unit 2)
Managerial controls like a workstation security policy (EK 2.3.A.2) set the rules, but they often build in corrective steps too, like requiring a stolen device be reported and remotely wiped. Policy and correction work together to limit damage after a breach.
Expect classification questions. An MCQ stem will describe a scenario (a server room flooded, a laptop stolen, ransomware hit a workstation) and ask whether the response is a preventative, detective, or corrective control. Your job is to match the action to the right phase using EK 2.3.B.1. The tell for corrective: the damage already happened and the control is repairing or containing it. On a free-response prompt about mitigation strategies, name a corrective measure explicitly (backups, device replacement, badge revocation) and explain that it limits damage rather than prevents the attack.
A detective control notices the attack, like a card reader logging a badge swipe or a camera catching an intruder. A corrective control responds to it, like restoring data or replacing a stolen device. Detection tells you something happened; correction does something about it.
A corrective control acts after an attack to fix, reverse, or limit the damage, completing the prevent-detect-correct framework in EK 2.3.B.1.
Restoring from backups, replacing stolen hardware, and revoking compromised badges are classic corrective controls.
The difference between detective and corrective is action: detective notices the problem, corrective fixes it.
Corrective is about timing and goal, while physical, technical, and managerial describe the type of control, so a control can be both (for example, a corrective physical control).
Strong physical security layers all three control types instead of relying on prevention alone.
It's a security measure that fixes or limits the damage of an attack after it has already happened, like restoring files from a backup after ransomware. It's the 'correct' part of the prevent-detect-correct framework in EK 2.3.B.1.
No. A detective control identifies that an attack happened (a camera or a card reader log), while a corrective control responds to fix the damage (restoring data, replacing a stolen device). Detection finds the problem; correction solves it.
A backup is corrective. It doesn't stop an attack from happening, but it lets you restore your data afterward, which limits the damage. That after-the-fact recovery role is exactly what makes it corrective.
Ask when the control acts relative to the attack. If it stops the attack, it's preventative; if it spots the attack, it's detective; if it cleans up after the attack, it's corrective. Match the action to the phase using EK 2.3.B.1.
Yes. The corrective label describes timing and goal, while physical, technical, and managerial describe the type. Replacing a broken lock after a break-in is a physical control used in a corrective way.