Certified Governance Risk and Compliance (CGRC) Practice Exam 2025 - Free CGRC Practice Questions and Study Guide

Preventive controls are designed specifically to prevent security incidents from occurring in the first place. They focus on the proactive measures taken to avoid breaches and mitigate risks before they can manifest into actual security incidents. Examples of preventive controls include firewalls, security policies, access controls, and employee training on security awareness. By implementing these controls, organizations can significantly lower the likelihood of security threats and incidents, thereby establishing a strong foundation for their overall security posture.

In contrast, detective controls are intended to identify and detect incidents after they have occurred, allowing for timely response and remediation. Corrective controls are focused on correcting or restoring systems after a security incident has taken place, while compensatory controls serve as alternative measures to achieve the desired security outcomes when primary controls are not feasible or effective. Thus, while all these controls play essential roles in an organization’s security framework, it is the preventive controls that are primarily aimed at stopping incidents before they happen.