Corrective control in AP Cybersecurity

A corrective control is a security measure that fixes, reverses, or limits the damage of an attack after it has already happened, completing the prevent-detect-correct trio that AP Cybersecurity uses to classify defenses (EK 2.3.B.1).

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is corrective control?

A corrective control is what kicks in after something goes wrong. Its job is to repair the damage, contain the spread, or get a system back to normal once an attack or failure has already occurred. Think restoring from a backup after ransomware locks your files, replacing a stolen laptop, or revoking a badge that got into the wrong hands.

The Course and Exam Description (CED) frames every control around one core question (EK 2.3.B.1): how could an adversary exploit a vulnerability, and how do you prevent, detect, or correct the attack? Corrective controls own that last word. A preventative control tries to stop the attack from happening. A detective control notices it while or after it happens. A corrective control cleans up the mess and restores order. Same threat, three different jobs, and a strong defense usually layers all three.

Why corrective control matters in AP Cybersecurity

This term lives in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It directly supports AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for risks from physical vulnerabilities. EK 2.3.B.1 spells out the prevent-detect-correct framework, and corrective controls are the 'correct' piece. You can't reason about mitigation strategies without knowing what happens after a defense fails, and that's exactly the gap corrective controls fill.

How corrective control connects across the course

Preventative and Detective Controls (Unit 2)

These three are a team. Prevent stops the attack, detect catches it in the act, and correct fixes the fallout. Knowing where a given control falls is the whole point of EK 2.3.B.1, so the fastest way to learn corrective control is to contrast it with the other two.

Physical Control (Unit 2)

A physical control describes the type of barrier (a lock, a fence, a bollard), while corrective describes the timing and goal (acting after the fact to fix damage). The same lock can be preventative, but swapping the lock after a break-in is a corrective use of a physical control.

Managerial Control and Workstation Security Policy (Unit 2)

Managerial controls like a workstation security policy (EK 2.3.A.2) set the rules, but they often build in corrective steps too, like requiring a stolen device be reported and remotely wiped. Policy and correction work together to limit damage after a breach.

Is corrective control on the AP Cybersecurity exam?

Expect classification questions. An MCQ stem will describe a scenario (a server room flooded, a laptop stolen, ransomware hit a workstation) and ask whether the response is a preventative, detective, or corrective control. Your job is to match the action to the right phase using EK 2.3.B.1. The tell for corrective: the damage already happened and the control is repairing or containing it. On a free-response prompt about mitigation strategies, name a corrective measure explicitly (backups, device replacement, badge revocation) and explain that it limits damage rather than prevents the attack.

Corrective control vs detective control

A detective control notices the attack, like a card reader logging a badge swipe or a camera catching an intruder. A corrective control responds to it, like restoring data or replacing a stolen device. Detection tells you something happened; correction does something about it.

Key things to remember about corrective control

  • A corrective control acts after an attack to fix, reverse, or limit the damage, completing the prevent-detect-correct framework in EK 2.3.B.1.

  • Restoring from backups, replacing stolen hardware, and revoking compromised badges are classic corrective controls.

  • The difference between detective and corrective is action: detective notices the problem, corrective fixes it.

  • Corrective is about timing and goal, while physical, technical, and managerial describe the type of control, so a control can be both (for example, a corrective physical control).

  • Strong physical security layers all three control types instead of relying on prevention alone.

Frequently asked questions about corrective control

What is a corrective control in cybersecurity?

It's a security measure that fixes or limits the damage of an attack after it has already happened, like restoring files from a backup after ransomware. It's the 'correct' part of the prevent-detect-correct framework in EK 2.3.B.1.

Is a corrective control the same as a detective control?

No. A detective control identifies that an attack happened (a camera or a card reader log), while a corrective control responds to fix the damage (restoring data, replacing a stolen device). Detection finds the problem; correction solves it.

Is a backup a preventative or corrective control?

A backup is corrective. It doesn't stop an attack from happening, but it lets you restore your data afterward, which limits the damage. That after-the-fact recovery role is exactly what makes it corrective.

How do I tell which control type a scenario is on the AP exam?

Ask when the control acts relative to the attack. If it stops the attack, it's preventative; if it spots the attack, it's detective; if it cleans up after the attack, it's corrective. Match the action to the phase using EK 2.3.B.1.

Can one control be corrective and physical at the same time?

Yes. The corrective label describes timing and goal, while physical, technical, and managerial describe the type. Replacing a broken lock after a break-in is a physical control used in a corrective way.
