
When organisations talk about security, the conversation often starts with controls:
Encryption.
Access control.
Monitoring.
But CISSP starts with a different question:
Are you applying the right controls to the right data?
Because in CISSP, controls don’t come first.
Classification does.
Security Is Not About “More Controls”
A common mistake in cybersecurity is assuming:
“More security controls = better security.”
That’s not always true.
Too many controls can lead to:
- Increased cost
- Operational complexity
- Reduced usability
Too few controls lead to:
- Data exposure
- Increased risk
- Compliance failures
CISSP focuses on balance.
Security is not about maximum protection.
It is about appropriate protection.
A Simple Analogy: Airport Security
Think about airport security.
Not everyone is treated the same:
- Passengers → Standard screening
- Staff → Controlled access
- Pilots → Higher trust, restricted access
Security varies based on role and risk.
Now apply this to data.
Not all data needs the same level of protection.
What Are Data Security Controls?
Data security controls are mechanisms used to protect data from:
- Unauthorized access
- Exposure
- Loss
- Misuse
CISSP categorises controls into different types based on purpose.
Types of Data Security Controls
1️⃣ Preventive Controls
Designed to stop incidents before they occur.
Examples:
- Encryption
- Access control
- Data masking
2️⃣ Detective Controls
Designed to identify and alert on incidents.
Examples:
- Logging
- Monitoring
- Data Loss Prevention alerts
3️⃣ Corrective Controls
Designed to recover from incidents.
Examples:
- Backup restoration
- Incident response actions
4️⃣ Deterrent Controls
Designed to discourage misuse.
Examples:
- Warning banners
- Policies
5️⃣ Compensating Controls
Alternative controls when primary controls are not feasible.
Example:
- Additional monitoring when encryption cannot be implemented
How Classification Drives Controls
This is the core concept.
Data classification determines:
- Which controls are required
- How strong those controls should be
- Where those controls should be applied
Let’s break it down:
Public Data
- Minimal restrictions
- Focus on integrity
Internal Data
- Basic access control
- Limited monitoring
Confidential Data
- Strong access control
- Encryption required
- Logging and monitoring
Restricted / Sensitive Data
- Strict access control
- Multi-factor authentication
- Encryption (at rest and in transit)
- Continuous monitoring
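The tiered mapping above, together with the compensating-control example from the control types section, can be expressed as a small policy check. The following is an added example, not part of the article: it encodes the article's tier-to-control baseline, evaluates a constructed asset inventory against it, accepts additional monitoring as a stand-in for missing encryption (the article's compensating-control example), and also flags costly controls applied beyond what the tier calls for, which is the "too many controls" mistake. The control identifiers, the accepted substitution, and the list of costly controls are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Required controls per classification tier, following the article's mapping.
# Control identifiers are constructed labels for this example.
BASELINE = {
    "public":       {"integrity_check"},
    "internal":     {"access_control", "monitoring"},
    "confidential": {"access_control", "encryption", "logging", "monitoring"},
    "restricted":   {"access_control", "mfa", "encryption", "encryption_in_transit",
                     "logging", "continuous_monitoring"},
}
# Compensating controls: primary -> controls accepted in its place when the primary is
# not feasible (article's example: extra monitoring when encryption cannot be done).
COMPENSATING = {"encryption": {"continuous_monitoring"}}     # assumed substitution
# Costly controls flagged as over-control when deployed beyond the baseline (assumption).
COSTLY = {"mfa", "encryption", "encryption_in_transit", "continuous_monitoring"}

@dataclass
class Asset:
    name: str
    classification: str
    controls: set = field(default_factory=set)

def assess(asset):
    """Return (missing, compensated, excess) control sets for one asset."""
    if asset.classification not in BASELINE:
        raise ValueError(f"{asset.name}: unclassified data cannot be assessed")
    required = BASELINE[asset.classification]
    extra = asset.controls - required            # deployed beyond the baseline
    missing, compensated, used = set(), set(), set()
    for ctl in required - asset.controls:
        # A stand-in only counts if it is not already meeting its own requirement.
        stand_ins = COMPENSATING.get(ctl, set()) & extra
        if stand_ins:
            compensated.add(ctl)
            used |= stand_ins
        else:
            missing.add(ctl)
    return missing, compensated, (extra - used) & COSTLY

SAMPLE_ASSETS = [  # constructed inventory, not real systems
    Asset("marketing-site", "public", {"integrity_check", "mfa", "encryption"}),
    Asset("hr-records", "confidential",
          {"access_control", "logging", "monitoring", "continuous_monitoring"}),
    Asset("card-data", "restricted",
          {"access_control", "mfa", "encryption", "logging", "continuous_monitoring"}),
]

def report(assets=SAMPLE_ASSETS):
    return {a.name: assess(a) for a in assets}
```

Running `report()` shows the public site over-controlled (MFA and encryption it does not need), the confidential HR store compensating for missing encryption with continuous monitoring, and the restricted card data missing encryption in transit with no accepted substitute.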
The Risk-Based Approach
Controls are not chosen randomly.
They are driven by:
- Data sensitivity
- Business impact
- Risk level
CISSP principle:
Higher sensitivity = stronger controls.
But always aligned to business needs.
How This Appears in the CISSP Exam
CISSP won’t ask you to define controls.
Instead, it will ask:
- What is the most appropriate control?
- What should be implemented first?
- What is the best solution?
Correct approach:
- Identify data classification
- Understand the risk
- Select the appropriate control
If you jump to the “strongest” control, you may get it wrong.
Key Takeaway
If you remember one concept, remember this:
Data classification determines security controls.
🎧 Listen to the Podcast
This article is part of the CISSP Blogpost and Podcast Series.
In the podcast episode, this concept is explained using practical analogies and exam-focused scenarios in a structured 10-minute format.
Search on Spotify: PK’s Chronicles
Final Thought
Security controls are powerful.
But only when they are applied correctly.
Without classification, controls are guesswork.
With classification, controls become strategy.
Until then—
Think classification.
Think risk.
Think like a CISSP.