nerdexam
(ISC)2

CISSP · Question #581

Change management policies and procedures belong to which of the following types of controls?

The correct answer is A. Directive. Change management policies and procedures are classified as directive controls because they provide guidance, rules, and requirements that direct how changes should be managed within an organization.

Submitted by asante_acc· Mar 5, 2026Security and Risk Management

Question

Change management policies and procedures belong to which of the following types of controls?

Options

  • ADirective
  • BDetective
  • CCorrective
  • DPreventative

How the community answered

(40 responses)
  • A
    95% (38)
  • B
    3% (1)
  • D
    3% (1)

Why each option

Change management policies and procedures are classified as directive controls because they provide guidance, rules, and requirements that direct how changes should be managed within an organization.

ADirectiveCorrect

Directive controls are administrative mechanisms - such as policies, procedures, standards, and guidelines - that instruct personnel on how to behave or perform actions. Change management policies fall squarely into this category because they define the rules and processes that govern how changes are requested, approved, and implemented, directing organizational behavior before any incident occurs.

BDetective

Detective controls are designed to identify and alert on security incidents or policy violations after they have occurred (e.g., log monitoring, intrusion detection systems), not to prescribe behavior.

CCorrective

Corrective controls are implemented to remediate or restore systems and processes after a security incident or failure has already taken place (e.g., patch management, backups), not to direct behavior.

DPreventative

Preventative controls are technical or physical mechanisms that actively block or stop unwanted events from occurring (e.g., firewalls, access controls), whereas change management policies direct behavior rather than technically preventing actions.

Concept tested: Classification of security control types by function

Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final

Topics

#Change management#Security controls#Administrative controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice