In AP Cybersecurity, a physical control is a tangible security measure (fencing, gates, bollards, locks, turnstiles, card readers) that prevents, detects, or corrects unauthorized physical access to an organization's buildings, rooms, and devices.
A physical control is exactly what it sounds like: a security measure you can touch. Instead of code or company rules, it's a real object that keeps people out of places they shouldn't be. Think fences, gates, bollards (those short posts that stop a car from ramming a door), locks on server cabinets, turnstiles, and card readers at entrances.
The job of a physical control is to protect the physical space around your systems. If an adversary can walk up to a server, plug in a USB drive, or just steal a laptop, none of your software defenses matter. Physical controls create barriers so an attacker never gets close enough to do that. Some deter (a tall fence makes a building look like too much trouble), some prevent (a lock stops the door from opening), and some detect (a card reader records exactly which badge opened which door and when).
Physical control sits in Unit 2: Securing Spaces, specifically topic 2.3 Protecting Physical Spaces. It's the backbone of learning objective AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for risks from physical vulnerabilities. EK 2.3.B.2 names fencing, gates, and bollards as deterrents, EK 2.3.B.3 covers locks on doors, cabinets, and computers, and EK 2.3.B.4 covers card readers that log badge usage.
The big theme here is that security has layers. Physical controls are the outermost layer, the part that stops a threat before it ever touches a keyboard. On the exam you'll need to match a physical vulnerability (like someone sneaking into a server room) to the right physical control that prevents, detects, or corrects it.
Keep studying AP Cybersecurity Unit 2
Visual cheatsheet
view galleryManagerial control (Unit 2)
A managerial control is a rule, not an object. A workstation security policy or employee training that tells people 'don't badge strangers in' is managerial; the card reader and locked door that enforce it are physical. They cover the same risk from two angles, and good security uses both.
Technical control (Unit 2)
Technical controls are the software and system defenses like firewalls and encryption. Physical controls protect the hardware those defenses run on. Encryption can't help if a thief walks off with the whole server, which is why a locked cabinet matters just as much as a strong password.
Preventative, detective, and corrective controls (Unit 2)
Every physical control also has a function. A lock is preventative (stops access), a card reader's access log is detective (records who came through), and a re-keyed lock after a breach is corrective. The same object can be classified by what it's made of (physical) AND by what it does (prevent/detect/correct).
Multiple-choice stems love physical controls because they're concrete and easy to test. Expect a scenario where 'unauthorized individuals could enter the server room by tailgating' and you pick the mitigation, or a question asking which option 'is an example of a physical control that protects a building from unauthorized access.' One common stem lists bollards, turnstiles, and access control vestibules and asks for the umbrella term, which is physical control. Your job is to recognize a tangible barrier and match it to the vulnerability it fixes. Watch for questions that ask you to distinguish a physical control from a managerial one (a policy) or a technical one (software).
A physical control is a thing you can touch (a fence, a lock, a card reader). A managerial control is a rule people are supposed to follow (a workstation security policy, employee awareness training). The trap: 'employees are told not to let strangers in' is managerial, while 'a turnstile that only opens for valid badges' is physical, even though both address the same tailgating risk.
A physical control is a tangible security measure such as fencing, gates, bollards, locks, turnstiles, and card readers that protects physical spaces and devices.
Physical controls map to learning objective AP Cybersecurity 2.3.B and live in Unit 2: Securing Spaces, topic 2.3.
Controls can be classified by what they're made of (physical, technical, managerial) and by what they do (preventative, detective, corrective), so a single lock is both physical and preventative.
On the exam, match the physical vulnerability (like tailgating into a server room) to the physical control that prevents, detects, or corrects it.
Physical controls are the outermost layer of security, stopping an attacker before they ever reach your software or hardware.
It's a tangible, real-world security measure like fencing, gates, bollards, locks, turnstiles, or card readers that prevents unauthorized people from physically reaching an organization's buildings, rooms, and devices. It's the focus of topic 2.3 and objective AP Cybersecurity 2.3.B.
No. A policy like a workstation security policy or acceptable use policy is a managerial control because it's a written rule, not an object. The lock and card reader that enforce that rule are the physical controls.
A physical control is something you can touch (a fence or a lock) that protects the physical space. A technical control is software or system-based (a firewall, encryption) that protects the data and systems. You need both because encryption won't stop someone from stealing the whole server.
A turnstile or an access control vestibule (sometimes called a mantrap) works well because it only lets one verified badge holder through at a time. Card readers also help by logging exactly which badge opened the door and when.
Yes. Per EK 2.3.B.2, fencing, gates, and bollards are physical controls that deter adversaries from trying to physically access a building. Bollards specifically block vehicles from ramming entrances.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.