---
title: "Corrective Control — AP Cybersecurity Definition & Exam Guide"
description: "A corrective control fixes or limits damage after an attack happens. Learn how it fits the prevent-detect-correct framework in Unit 2 and how it shows up on the AP Cybersecurity exam."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/corrective-control"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 2"
---

# Corrective Control — AP Cybersecurity Definition & Exam Guide

## Definition

A corrective control is a security measure that fixes, reverses, or limits the damage of an attack after it has already happened, completing the prevent-detect-correct trio that AP Cybersecurity uses to classify defenses (EK 2.3.B.1).

## What It Is

A **corrective control** is what kicks in *after* something goes wrong. Its job is to repair the damage, contain the spread, or get a system back to normal once an attack or failure has already occurred. Think restoring from a backup after [ransomware](/ap-cybersecurity/key-terms/ransomware "fv-autolink") [locks](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc "fv-autolink") your files, replacing a stolen laptop, or revoking a badge that got into the wrong hands.

The CED frames every [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") around one core question (EK 2.3.B.1): how could an adversary exploit a vulnerability, and how do you **prevent, detect, or correct** the attack? Corrective controls own that last word. A preventative control tries to stop the attack from happening. A detective control notices it while or after it happens. A corrective control cleans up the mess and restores order. Same threat, three different jobs, and a strong defense usually layers all three.

## Why It Matters

This term lives in **[Unit 2](/ap-cybersecurity/unit-2 "fv-autolink"): Securing Spaces**, specifically topic 2.3 Protecting Physical Spaces. It directly supports **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 2.3.B**, which asks you to determine mitigation strategies for risks from physical vulnerabilities. EK 2.3.B.1 spells out the prevent-detect-correct framework, and corrective controls are the 'correct' piece. You can't reason about mitigation strategies without knowing what happens after a defense fails, and that's exactly the gap corrective controls fill.

## Connections

### Preventative and Detective Controls (Unit 2)

These three are a team. Prevent stops the attack, detect catches it in the act, and correct fixes the fallout. Knowing where a given control falls is the whole point of EK 2.3.B.1, so the fastest way to learn corrective control is to contrast it with the other two.

### [Physical Control (Unit 2)](/ap-cybersecurity/key-terms/physical-control)

A [physical control](/ap-cybersecurity/key-terms/physical-control "fv-autolink") describes the *type* of barrier (a lock, a fence, a bollard), while corrective describes the *timing and goal* (acting after the fact to fix damage). The same lock can be preventative, but swapping the lock after a break-in is a corrective use of a physical control.

### Managerial Control and Workstation Security Policy (Unit 2)

Managerial controls like a [workstation security policy](/ap-cybersecurity/key-terms/workstation-security-policy "fv-autolink") (EK 2.3.A.2) set the rules, but they often build in corrective steps too, like requiring a stolen device be reported and remotely wiped. Policy and correction work together to limit damage after a breach.

## On the AP Exam

Expect classification questions. An MCQ stem will describe a scenario (a server room flooded, a laptop stolen, ransomware hit a workstation) and ask whether the response is a preventative, detective, or corrective control. Your job is to match the action to the right phase using EK 2.3.B.1. The tell for corrective: the damage already happened and the control is repairing or containing it. On a free-response prompt about mitigation strategies, name a corrective measure explicitly (backups, device replacement, badge revocation) and explain that it limits damage rather than prevents the attack.

## corrective control vs detective control

A detective control *notices* the attack, like a card reader logging a badge swipe or a camera catching an intruder. A corrective control *responds* to it, like restoring data or replacing a stolen device. Detection tells you something happened; correction does something about it.

## Key Takeaways

- A corrective control acts after an attack to fix, reverse, or limit the damage, completing the prevent-detect-correct framework in EK 2.3.B.1.
- Restoring from backups, replacing stolen hardware, and revoking compromised badges are classic corrective controls.
- The difference between detective and corrective is action: detective notices the problem, corrective fixes it.
- Corrective is about *timing and goal*, while physical, technical, and managerial describe the *type* of control, so a control can be both (for example, a corrective physical control).
- Strong physical security layers all three control types instead of relying on prevention alone.

## FAQs

### What is a corrective control in cybersecurity?

It's a security measure that fixes or limits the damage of an attack after it has already happened, like restoring files from a backup after ransomware. It's the 'correct' part of the prevent-detect-correct framework in EK 2.3.B.1.

### Is a corrective control the same as a detective control?

No. A [detective control](/ap-cybersecurity/key-terms/detective-control "fv-autolink") identifies that an attack happened (a camera or a card reader log), while a corrective control responds to fix the damage (restoring data, replacing a stolen device). Detection finds the problem; correction solves it.

### Is a backup a preventative or corrective control?

A backup is corrective. It doesn't stop an attack from happening, but it lets you restore your data afterward, which limits the damage. That after-the-fact recovery role is exactly what makes it corrective.

### How do I tell which control type a scenario is on the AP exam?

Ask when the control acts relative to the attack. If it stops the attack, it's preventative; if it spots the attack, it's detective; if it cleans up after the attack, it's corrective. Match the action to the phase using EK 2.3.B.1.

### Can one control be corrective and physical at the same time?

Yes. The corrective label describes timing and goal, while physical, technical, and managerial describe the type. Replacing a broken lock after a break-in is a physical control used in a corrective way.

## Related Study Guides

- [2.3 Protecting Physical Spaces](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/corrective-control#resource","name":"Corrective Control — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/corrective-control","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/corrective-control#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.439Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/corrective-control#term","name":"corrective control","description":"A corrective control is a security measure that fixes, reverses, or limits the damage of an attack after it has already happened, completing the prevent-detect-correct trio that AP Cybersecurity uses to classify defenses (EK 2.3.B.1).","url":"https://fiveable.me/ap-cybersecurity/key-terms/corrective-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a corrective control in cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a security measure that fixes or limits the damage of an attack after it has already happened, like restoring files from a backup after ransomware. It's the 'correct' part of the prevent-detect-correct framework in EK 2.3.B.1."}},{"@type":"Question","name":"Is a corrective control the same as a detective control?","acceptedAnswer":{"@type":"Answer","text":"No. A [detective control](/ap-cybersecurity/key-terms/detective-control \"fv-autolink\") identifies that an attack happened (a camera or a card reader log), while a corrective control responds to fix the damage (restoring data, replacing a stolen device). Detection finds the problem; correction solves it."}},{"@type":"Question","name":"Is a backup a preventative or corrective control?","acceptedAnswer":{"@type":"Answer","text":"A backup is corrective. It doesn't stop an attack from happening, but it lets you restore your data afterward, which limits the damage. That after-the-fact recovery role is exactly what makes it corrective."}},{"@type":"Question","name":"How do I tell which control type a scenario is on the AP exam?","acceptedAnswer":{"@type":"Answer","text":"Ask when the control acts relative to the attack. If it stops the attack, it's preventative; if it spots the attack, it's detective; if it cleans up after the attack, it's corrective. Match the action to the phase using EK 2.3.B.1."}},{"@type":"Question","name":"Can one control be corrective and physical at the same time?","acceptedAnswer":{"@type":"Answer","text":"Yes. The corrective label describes timing and goal, while physical, technical, and managerial describe the type. Replacing a broken lock after a break-in is a physical control used in a corrective way."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 2","item":"https://fiveable.me/ap-cybersecurity/unit-2"},{"@type":"ListItem","position":4,"name":"corrective control"}]}]}
```
