Quiz Entry - updated: 2026.07.14
How are security controls classified in ISO 27002, and why use two axes instead of one?
Two axes: time-relation (Präventiv / Detektiv / Korrektiv) × domain (Physisch / Prozedural / Technisch / Legal). Twelve combinations, each with concrete examples.
The grid:
| Physisch | Prozedural | Technisch | Legal | |
|---|---|---|---|---|
| Präventiv (before incident) | Doors, locks | ISMS, policies | Firewall, encryption | GDPR compliance |
| Detektiv (during/after) | Cameras | Alarms, info sharing | Logging, SIEM | Audits |
| Korrektiv (after incident) | Restore backups (physical media) | BCM playbooks | Redundant backups, failover | Insurance |
Why two axes:
- Time: A balanced programme has all three time stages. Pure prevention → blind when it fails. Pure detection → fast diagnosis but slow recovery. Pure correction → constantly fighting fires.
- Domain: Cyber is the obvious one, but physical, procedural, and legal controls matter too. A perfect firewall is undone by an unlocked server-room door, an untrained employee, or a missing data-processing agreement.
This grid is the practical answer to "what controls should we implement?" — fill the gaps, don't pile everything in one cell.
Cross-references: ISO 27001 (the ISMS framework) and NIST CSF (Identify-Protect-Detect-Respond-Recover) organise the same idea with slightly different vocabulary.