ISO 27001:2022 Control Type

What are the ISO 27001 Control Types?

Control types in the ISO 27001 and ISO 27002 frameworks are foundational to managing risks and ensuring the effectiveness of your organization's ISMS. These control types categorize security measures based on their timing and method of mitigating risks related to potential information security incidents. Understanding control types—Preventive, Detective, and Corrective—helps you systematically address threats, improve incident response, and align with security and compliance goals.

Preventive Controls

Control 5.01: Policies for information security
Control 5.02: Information security roles and responsibilities
Control 5.03: Segregation of duties
Control 5.04: Management responsibilities
Control 5.05: Contact with authorities
Control 5.06: Contact with special interest groups
Control 5.07: Threat intelligence
Control 5.08: Information security in project management
Control 5.09: Inventory of information and other associated assets
Control 5.10: Acceptable use of information and associated assets
Control 5.11: Return of assets
Control 5.12: Classification of information
Control 5.13: Labelling of information
Control 5.14: Information transfer
Control 5.15: Access control
Control 5.16: Identity management
Control 5.17: Authentication information
Control 5.18: Access rights
Control 5.19: Information security in supplier relationships
Control 5.20: Addressing information security within supplier agreements
Control 5.21: Managing information security in the ICT supply chain
Control 5.22: Monitoring, review and change management of supplier services
Control 5.23: Information security for use of cloud services
Control 5.27: Learning from information security incidents
Control 5.29: Information security during disruption
Control 5.31: Identification of legal, statutory, regulatory and contractual requirements
Control 5.32: Intellectual property rights
Control 5.33: Protection of records
Control 5.34: Privacy and protection of PII
Control 5.35: Independent review of information security
Control 5.36: Compliance with policies and standards for information security
Control 5.37: Documented operating procedures
Control 6.01: Screening
Control 6.02: Terms and conditions of employment
Control 6.03: Information security awareness, education and training
Control 6.04: Disciplinary process
Control 6.05: Responsibilities after termination or change of employment
Control 6.06: Confidentiality or non-disclosure agreements
Control 6.07: Remote working
Control 7.01: Physical security perimeter
Control 7.02: Physical entry
Control 7.03: Securing offices, rooms and facilities
Control 7.04: Physical security monitoring
Control 7.05: Protecting against physical and environmental threats
Control 7.06: Working in secure areas
Control 7.07: Clear desk and clear screen
Control 7.08: Equipment siting and protection
Control 7.09: Security of assets off-premises
Control 7.10: Storage media
Control 7.11: Supporting utilities
Control 7.12: Cabling security
Control 7.13: Equipment maintenance
Control 7.14: Secure disposal or re-use of equipment
Control 8.01: User endpoint devices
Control 8.02: Privileged access rights
Control 8.03: Information access restriction
Control 8.04: Access to source code
Control 8.05: Secure authentication
Control 8.06: Capacity management
Control 8.07: Protection against malware
Control 8.08: Management of technical vulnerabilities
Control 8.09: Configuration management
Control 8.10: Information deletion
Control 8.11: Data masking
Control 8.12: Data leakage prevention
Control 8.14: Redundancy of information processing facilities
Control 8.18: Use of privileged utility programs
Control 8.19: Installation of software on operational systems
Control 8.20: Network security
Control 8.21: Security of network services
Control 8.22: Segregation of networks
Control 8.23: Web filtering
Control 8.24: Use of cryptography
Control 8.25: Secure development life cycle
Control 8.26: Application security requirements
Control 8.27: Secure system architecture and engineering principles
Control 8.28: Secure coding
Control 8.29: Security testing in development and acceptance
Control 8.30: Outsourced development
Control 8.31: Separation of development, test and production environments
Control 8.32: Change management
Control 8.33: Test information
Control 8.34: Protection of information systems during audit testing

Detective Controls

Control 5.07: Threat intelligence
Control 5.25: Assessment and decision on information security events
Control 6.08: Information security event reporting
Control 7.04: Physical security monitoring
Control 7.11: Supporting utilities
Control 8.06: Capacity management
Control 8.07: Protection against malware
Control 8.12: Data leakage prevention
Control 8.15: Logging
Control 8.16: Monitoring activities
Control 8.17: Clock synchronization
Control 8.20: Network security
Control 8.30: Outsourced development

Corrective Controls

Control 5.05: Contact with authorities
Control 5.06: Contact with special interest groups
Control 5.07: Threat intelligence
Control 5.24: Information security incident management planning and preparation
Control 5.26: Response to information security incidents
Control 5.28: Collection of evidence
Control 5.29: Information security during disruption
Control 5.30: ICT readiness for business continuity
Control 5.35: Independent review of information security
Control 5.37: Documented operating procedures
Control 6.04: Disciplinary process
Control 8.07: Protection against malware
Control 8.13: Information backup
Control 8.16: Monitoring activities

Classification of Control Types

Control types define how and when a security measure influences the risk of an incident. The three primary control types are:

  1. Preventive Controls – Reduce the likelihood of an incident by stopping it before it occurs.
  2. Detective Controls – Identify and alert about an incident as it happens or immediately after.
  3. Corrective Controls – Limit damage and restore systems following an incident.

Each type plays a specific role in maintaining the security and continuity of your information assets.

Preventive Controls

Definition and Objectives

Preventive controls are designed to stop incidents before they occur. By reducing vulnerabilities and deterring potential threats, these controls strengthen your organization’s security posture.

Examples of Preventive Controls

  • Access Controls: Implementing authentication mechanisms like passwords and multi-factor authentication to prevent unauthorized access.
  • Firewalls: Blocking malicious traffic and preventing unauthorized network access.
  • Encryption: Ensuring data confidentiality by converting sensitive information into an unreadable format for unauthorized parties.

Implementation Strategies

  • Develop strong access management policies.
  • Regularly update and patch software to close security gaps.
  • Train employees on recognizing phishing attempts and secure behavior.

Detective Controls

Definition and Objectives

Detective controls identify and log security incidents, enabling you to take timely action. These controls are essential for maintaining visibility into your organization’s security landscape.

Examples of Detective Controls

  • Intrusion Detection Systems (IDS): Monitoring networks for suspicious activities.
  • Log Analysis: Reviewing system and application logs for signs of unauthorized actions.
  • Security Information and Event Management (SIEM): Aggregating and analyzing data from various sources to identify security events.

Implementation Strategies

  • Regularly monitor security logs for unusual patterns.
  • Use automated systems to generate alerts for potential incidents.
  • Conduct periodic audits to verify control effectiveness.

Corrective Controls

Definition and Objectives

Corrective controls focus on minimizing damage and restoring normal operations after an incident. These controls are essential for reducing downtime and mitigating the impact of breaches.

Examples of Corrective Controls

  • Incident Response Plans: Outlining steps for identifying, containing, and eradicating security incidents.
  • Backup and Recovery Procedures: Ensuring data availability through regular backups and swift restoration processes.
  • Patching Vulnerabilities: Addressing exploited weaknesses to prevent recurring issues.

Implementation Strategies

  • Test incident response plans with simulated exercises.
  • Ensure backup systems are redundant and regularly updated.
  • Review post-incident analyses to improve future preparedness.

Relationship Between Control Types and Information Security Properties

Each control type supports the core principles of information security: confidentiality, integrity, and availability.

  • Confidentiality: Preventive controls like access restrictions and encryption.
  • Integrity: Detective controls such as monitoring data changes and detecting unauthorized modifications.
  • Availability: Corrective controls like disaster recovery plans and fault-tolerant systems.

Integration of Control Types in an ISMS

Integrate control types within your ISMS to support effective risk management. A balanced approach ensures that:

  • Preventive controls reduce vulnerabilities.
  • Detective controls provide situational awareness.
  • Corrective controls enable swift recovery from incidents.

Align these controls with your risk assessment process and organizational policies to maintain compliance with the ISO 27001 standard and to address operational needs.

Conclusion

Control types in ISO 27001/27002 are essential for building a resilient ISMS. By categorizing controls as Preventive, Detective, or Corrective, your organization can address risks systematically, enhance incident response capabilities, and ensure compliance with international standards.

Implementing these controls effectively requires careful planning, regular testing, and alignment with your organization’s unique risk profile. Adopting a balanced approach across all control types strengthens your security posture and safeguards critical assets.

References and Further Reading

  • ISO 27001: Information Security Management Systems – Requirements
  • ISO 27002: Code of Practice for Information Security Controls
  • Guides on Risk Management and Incident Response Planning