PrepAway - Latest Free Exam Questions & Answers

Which of the following is NOT an example of an operational control?

A. Backup and recovery

B. Auditing

C. Contingency planning

D. Operations procedures

Explanation:
On the CISSP exam you can see control categories broken down into administrative, technical, and physical categories and the categories outlined by NIST, which are management, technical, and operational. You need to be familiar with both ways of categorizing control types.

According to the NIST control categories, Auditing is in the Audit and Accountability Technical control group. Operational controls are controls over the hardware, the media used and the operators using these resources. Backup and recovery, contingency planning and operations procedures are operational controls.

Incorrect Answers:
A: Backup and recovery are listed under the Contingency Planning (CP) operational control group.
C: Contingency planning is a NIST operational control group.
D: Operations procedures are an example of an operational control.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 58
http://infohost.nmt.edu/~sfs/Regs/sp800-53.pdf
