ISO 27001:2022 Control Type
What are the ISO 27001 Control Types?
Control types in ISO 27001 and ISO 27002 are foundational to managing risk and to keeping your organization's ISMS effective. In ISO 27002:2022, control type is one of five attributes assigned to every control (alongside information security properties, cybersecurity concepts, operational capabilities and security domains); it categorizes a control by when and how it modifies risk in relation to an information security incident. Understanding the three control types, Preventive, Detective and Corrective, helps you address threats systematically, improve incident response, and align with security and compliance goals. A control can carry more than one type, which is why some controls (for example 5.07 Threat intelligence and 8.07 Protection against malware) appear in more than one of the lists below.

Preventive Controls
5. Organizational Controls
Control 5.01 | Policies for information security |
Control 5.02 | Information security roles and responsibilities |
Control 5.03 | Segregation of duties |
Control 5.04 | Management responsibilities |
Control 5.05 | Contact with authorities |
Control 5.06 | Contact with special interest groups |
Control 5.07 | Threat intelligence |
Control 5.08 | Information security in project management |
Control 5.09 | Inventory of information and other associated assets |
Control 5.10 | Acceptable use of information and associated assets |
Control 5.11 | Return of assets |
Control 5.12 | Classification of information |
Control 5.13 | Labelling of information |
Control 5.14 | Information transfer |
Control 5.15 | Access control |
Control 5.16 | Identity management |
Control 5.17 | Authentication information |
Control 5.18 | Access rights |
Control 5.19 | Information security in supplier relationships |
Control 5.20 | Addressing information security within supplier agreements |
Control 5.21 | Managing information security in the ICT supply chain |
Control 5.22 | Monitoring, review and change management of supplier services |
Control 5.23 | Information security for use of cloud services |
Control 5.27 | Learning from information security incidents |
Control 5.29 | Information security during disruption |
Control 5.31 | Identification of legal, statutory, regulatory and contractual requirements |
Control 5.32 | Intellectual property rights |
Control 5.33 | Protection of records |
Control 5.34 | Privacy and protection of PII |
Control 5.35 | Independent review of information security |
Control 5.36 | Compliance with policies and standards for information security |
Control 5.37 | Documented operating procedures |
6. People Controls
Control 6.01 | Screening |
Control 6.02 | Terms and conditions of employment |
Control 6.03 | Information security awareness, education and training |
Control 6.04 | Disciplinary process |
Control 6.05 | Responsibilities after termination or change of employment |
Control 6.06 | Confidentiality or non-disclosure agreements |
Control 6.07 | Remote working |
7. Physical Controls
Control 7.01 | Physical security perimeter |
Control 7.02 | Physical entry |
Control 7.03 | Securing offices, rooms and facilities |
Control 7.04 | Physical security monitoring |
Control 7.05 | Protecting against physical and environmental threats |
Control 7.06 | Working in secure areas |
Control 7.07 | Clear desk and clear screen |
Control 7.08 | Equipment siting and protection |
Control 7.09 | Security of assets off-premises |
Control 7.10 | Storage media |
Control 7.11 | Supporting utilities |
Control 7.12 | Cabling security |
Control 7.13 | Equipment maintenance |
Control 7.14 | Secure disposal or re-use of equipment |
8. Technological Controls
Control 8.01 | User endpoint devices |
Control 8.02 | Privileged access rights |
Control 8.03 | Information access restriction |
Control 8.04 | Access to source code |
Control 8.05 | Secure authentication |
Control 8.06 | Capacity management |
Control 8.07 | Protection against malware |
Control 8.08 | Management of technical vulnerabilities |
Control 8.09 | Configuration management |
Control 8.10 | Information deletion |
Control 8.11 | Data masking |
Control 8.12 | Data leakage prevention |
Control 8.14 | Redundancy of information processing facilities |
Control 8.18 | Use of privileged utility programs |
Control 8.19 | Installation of software on operational systems |
Control 8.20 | Network security |
Control 8.21 | Security of network services |
Control 8.22 | Segregation of networks |
Control 8.23 | Web filtering |
Control 8.24 | Use of cryptography |
Control 8.25 | Secure development lifecycle |
Control 8.26 | Application security requirements |
Control 8.27 | Secure system architecture and engineering principles |
Control 8.28 | Secure coding |
Control 8.29 | Security testing in development and acceptance |
Control 8.30 | Outsourced development |
Control 8.31 | Separation of development, test and production environments |
Control 8.32 | Change management |
Control 8.33 | Test information |
Control 8.34 | Protection of information systems during audit and testing |
Detective Controls
5. Organizational Controls
Control 5.07 | Threat intelligence |
Control 5.25 | Assessment and decision on information security events |
6. People Controls
Control 6.08 | Information security event reporting |
7. Physical Controls
Control 7.04 | Physical security monitoring |
Control 7.11 | Supporting utilities |
8. Technological Controls
Control 8.06 | Capacity management |
Control 8.07 | Protection against malware |
Control 8.12 | Data leakage prevention |
Control 8.15 | Logging |
Control 8.16 | Monitoring activities |
Control 8.17 | Clock synchronization |
Control 8.20 | Network security |
Control 8.30 | Outsourced development |
Corrective Controls
5. Organizational Controls
Control 5.05 | Contact with authorities |
Control 5.06 | Contact with special interest groups |
Control 5.07 | Threat intelligence |
Control 5.24 | Information security incident management responsibilities and preparation |
Control 5.26 | Response to information security incidents |
Control 5.28 | Collection of evidence |
Control 5.29 | Information security during disruption |
Control 5.30 | ICT readiness for business continuity |
Control 5.35 | Independent review of information security |
Control 5.37 | Documented operating procedures |
6. People Controls
Control 6.04 | Disciplinary process |
7. Physical Controls
None
8. Technological Controls
Control 8.07 | Protection against malware |
Control 8.13 | Information backup |
Control 8.16 | Monitoring activities |
Classification of Control Types
Control types define how and when a security measure influences the risk of an incident. The three primary control types are:
- Preventive Controls – Reduce the likelihood of an incident by stopping it before it occurs.
- Detective Controls – Identify and alert about an incident as it happens or immediately after.
- Corrective Controls – Limit damage and restore systems following an incident.
Each type plays a specific role in maintaining the security and continuity of your information assets.
Preventive Controls
Definition and Objectives
Preventive controls are designed to stop incidents before they occur. By reducing vulnerabilities and deterring potential threats, these controls strengthen your organization’s security posture.
Examples of Preventive Controls
- Access Controls: Implementing authentication mechanisms like passwords and multi-factor authentication to prevent unauthorized access.
- Firewalls: Blocking malicious traffic and preventing unauthorized network access.
- Encryption: Ensuring data confidentiality by converting sensitive information into an unreadable format for unauthorized parties.
Implementation Strategies
- Develop strong access management policies.
- Regularly update and patch software to close security gaps.
- Train employees on recognizing phishing attempts and secure behavior.
Detective Controls
Definition and Objectives
Detective controls identify and log security incidents, enabling you to take timely action. These controls are essential for maintaining visibility into your organization’s security landscape.
Examples of Detective Controls
- Intrusion Detection Systems (IDS): Monitoring networks for suspicious activities.
- Log Analysis: Reviewing system and application logs for signs of unauthorized actions.
- Security Information and Event Management (SIEM): Aggregating and analyzing data from various sources to identify security events.
Implementation Strategies
- Regularly monitor security logs for unusual patterns.
- Use automated systems to generate alerts for potential incidents.
- Conduct periodic audits to verify control effectiveness.
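The strategies above (monitor logs for unusual patterns, raise alerts automatically) are what controls 8.15 Logging and 8.16 Monitoring activities look like in practice. The following is an added example, not code from the original page: a small detective control that parses SSH authentication log lines, keeps a sliding window of failed logins per source address, and raises a medium-severity alert when failures exceed a threshold and a high-severity alert when a successful login follows such a burst. The log lines are constructed for the example, and the threshold of five failures in five minutes is an assumed tuning value, not a figure from the standard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not captured from a real host).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03Z host1 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:05Z host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:07Z host1 sshd[1204]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:09Z host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:12Z host1 sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-05-01T10:05:00Z host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T10:20:00Z host1 sshd[1301]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-05-01T10:40:00Z host1 sshd[1302]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped.
    Timestamps are UTC ISO-8601, which is only trustworthy if hosts keep their
    clocks synchronized (control 8.17)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detection per source address.
    - 'ssh_bruteforce' fires once per source when failures within `window`
      reach `threshold` (assumed tuning values).
    - 'ssh_success_after_bruteforce' fires when an accepted login follows
      such a burst, which usually means the guessing worked."""
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "src": ev["src"], "count": len(q), "ts": ev["ts"]})
        else:  # Accepted
            if len(q) >= threshold:
                alerts.append({"severity": "high", "rule": "ssh_success_after_bruteforce",
                               "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
            q.clear()  # a later burst from the same source starts a fresh window
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

Running the block on the constructed sample produces two alerts for 203.0.113.7 (the burst, then the successful root login that follows it) and none for 198.51.100.4, whose two failures are 15 minutes apart and so never share a window. The first alert is the detective control doing its job; the second is the hand-off point to the corrective controls (5.26 Response to information security incidents) and should page someone.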
Corrective Controls
Definition and Objectives
Corrective controls focus on minimizing damage and restoring normal operations after an incident. These controls are essential for reducing downtime and mitigating the impact of breaches.
Examples of Corrective Controls
- Incident Response Plans: Outlining steps for identifying, containing, and eradicating security incidents.
- Backup and Recovery Procedures: Ensuring data availability through regular backups and swift restoration processes.
- Patching Vulnerabilities: Applying the fix for the weakness an incident exploited so it cannot recur. Routine patch management (control 8.08) is classified as preventive; it is the post-incident remediation that is corrective.
Implementation Strategies
- Test incident response plans with simulated exercises.
- Ensure backup systems are redundant and regularly updated.
- Review post-incident analyses to improve future preparedness.
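A backup you have never restored is not yet a corrective control, which is why the strategy above asks that backups be tested, not just taken. The following is an added example, not code from the original page: a restore drill that archives a directory, records a SHA-256 manifest to be kept separately from the archive, restores to a fresh location with a check that no member escapes the target directory, and verifies every restored file against the manifest. The directory contents are constructed for the example, and the file names and manifest format are my own choices, not anything prescribed by the standard.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, archive):
    """Archive every regular file under `source` and return a manifest
    {relative_path: sha256}. Store the manifest apart from the archive so that
    a corrupted or tampered archive cannot also corrupt the reference hashes."""
    source = Path(source)
    manifest = {p.relative_to(source).as_posix(): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_backup(archive, target):
    """Extract the archive into `target`, refusing members that are not regular
    files or that would resolve outside the target directory (path traversal)."""
    target = Path(target).resolve()
    with tarfile.open(archive, "r:gz") as tar:
        safe = []
        for m in tar.getmembers():
            dest = (target / m.name).resolve()
            if not m.isfile() or target not in dest.parents:
                raise ValueError(f"refusing to extract {m.name!r}")
            safe.append(m)
        tar.extractall(target, members=safe)


def verify_restore(restored, manifest):
    """Return a list of problems; an empty list means every file came back intact."""
    restored = Path(restored)
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def restore_drill(corrupt=False):
    """End-to-end drill on constructed data: back up, restore, verify.
    With corrupt=True one restored file is altered afterwards to show the
    check catching silent corruption."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        src, archive, dst = tmp / "src", tmp / "backup.tar.gz", tmp / "restore"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")  # constructed
        (src / "data.db").write_bytes(b"\x00" * 4096 + b"record-1")       # constructed
        manifest = create_backup(src, archive)
        restore_backup(archive, dst)
        if corrupt:
            (dst / "data.db").write_bytes(b"\x00" * 4096 + b"record-X")
        return verify_restore(dst, manifest)


if __name__ == "__main__":
    print("clean drill problems:", restore_drill())
    print("corrupted drill problems:", restore_drill(corrupt=True))
```

The drill is the evidence an auditor will ask for under 8.13 Information backup: not that a backup job ran, but that a restore was performed and the result checked. In a real environment the manifest would be written at backup time to a location the backup host cannot modify, and the drill would restore onto a spare system rather than a temporary directory.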
Relationship Between Control Types and Information Security Properties
Each control type supports the core properties of information security: confidentiality, integrity, and availability. The pairings below are illustrative only; ISO 27002:2022 records the properties as a separate attribute, and a control of any type can support any of the three (an access control, for example, is preventive and protects all three).
- Confidentiality: Preventive controls like access restrictions and encryption.
- Integrity: Detective controls such as monitoring data changes and detecting unauthorized modifications.
- Availability: Corrective controls like disaster recovery plans and fault-tolerant systems.
Integration of Control Types in an ISMS
Integrate control types within your ISMS for effective risk management. A balanced approach ensures that:
- Preventive controls reduce vulnerabilities.
- Detective controls provide situational awareness.
- Corrective controls enable swift recovery from incidents.
Align these controls with your risk assessment process and organizational policies to maintain compliance with the ISO 27001 standard and to address operational needs.
Conclusion
Control types in ISO 27001/27002 are essential for building a resilient ISMS. By categorizing controls as Preventive, Detective, or Corrective, your organization can address risks systematically, enhance incident response capabilities, and ensure compliance with international standards.
Implementing these controls effectively requires careful planning, regular testing, and alignment with your organization’s unique risk profile. Adopting a balanced approach across all control types strengthens your security posture and safeguards critical assets.
References and Further Reading
- ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection – Information security management systems – Requirements
- ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection – Information security controls
- Guides on risk management and incident response planning