CISSP · Question #581
Change management policies and procedures belong to which of the following types of controls?
The correct answer is A. Directive. Change management policies and procedures are classified as directive controls because they provide guidance, rules, and requirements that direct how changes should be managed within an organization.
Question
Options
- ADirective
- BDetective
- CCorrective
- DPreventative
How the community answered
(40 responses)- A95% (38)
- B3% (1)
- D3% (1)
Why each option
Change management policies and procedures are classified as directive controls because they provide guidance, rules, and requirements that direct how changes should be managed within an organization.
Directive controls are administrative mechanisms - such as policies, procedures, standards, and guidelines - that instruct personnel on how to behave or perform actions. Change management policies fall squarely into this category because they define the rules and processes that govern how changes are requested, approved, and implemented, directing organizational behavior before any incident occurs.
Detective controls are designed to identify and alert on security incidents or policy violations after they have occurred (e.g., log monitoring, intrusion detection systems), not to prescribe behavior.
Corrective controls are implemented to remediate or restore systems and processes after a security incident or failure has already taken place (e.g., patch management, backups), not to direct behavior.
Preventative controls are technical or physical mechanisms that actively block or stop unwanted events from occurring (e.g., firewalls, access controls), whereas change management policies direct behavior rather than technically preventing actions.
Concept tested: Classification of security control types by function
Source: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.