LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How are security controls classified in ISO 27002, and why use two axes instead of one?

Two axes: time-relation (Präventiv / Detektiv / Korrektiv) × domain (Physisch / Prozedural / Technisch / Legal). Twelve combinations, each with concrete examples.

The grid:

Physisch Prozedural Technisch Legal
Präventiv (before incident) Doors, locks ISMS, policies Firewall, encryption GDPR compliance
Detektiv (during/after) Cameras Alarms, info sharing Logging, SIEM Audits
Korrektiv (after incident) Restore backups (physical media) BCM playbooks Redundant backups, failover Insurance

Why two axes:

  • Time: A balanced programme has all three time stages. Pure prevention → blind when it fails. Pure detection → fast diagnosis but slow recovery. Pure correction → constantly fighting fires.
  • Domain: Cyber is the obvious one, but physical, procedural, and legal controls matter too. A perfect firewall is undone by an unlocked server-room door, an untrained employee, or a missing data-processing agreement.

This grid is the practical answer to "what controls should we implement?" — fill the gaps, don't pile everything in one cell.

Cross-references: ISO 27001 (the ISMS framework) and NIST CSF (Identify-Protect-Detect-Respond-Recover) organise the same idea with slightly different vocabulary.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026