Why this note exists
Control attributes are useful only if they help link a control to the risk treatment outcome you need.
A control should not be selected because it is popular, cheap, or easy. It should be selected because its effect on risk matches the desired outcome.
Basic mapping
| Desired risk effect | Better control type |
|---|---|
| Reduce likelihood | Preventive control |
| Improve detection | Detective control |
| Reduce impact | Corrective, recovery, containment, or resilience control |
| Improve accountability | Governance, approval, logging, segregation, review |
| Improve compliance | Policy, procedure, evidence, monitoring, legal/contractual controls |
Ransomware example
| Control | Type | Effect |
|---|---|---|
| Security awareness | Preventive | Reduces likelihood of user-triggered compromise |
| Email filtering | Preventive/detective | Blocks or flags malicious messages |
| Patch management | Preventive | Reduces exploitability |
| EDR | Detective/respond | Detects suspicious activity and supports containment |
| Network segmentation | Preventive/limiting | Reduces spread |
| Immutable backups | Recovery | Reduces impact and supports restoration |
| Incident response playbook | Corrective/respond | Reduces confusion and response time |
| Disaster recovery testing | Recovery/resilience | Confirms ability to restore operations |
Common mismatch examples
| Claimed risk treatment | Selected control | Problem |
|---|---|---|
| Prevent unauthorized access | Logging only | Logging detects; it does not prevent access |
| Prevent ransomware | Backup only | Backup recovers; it does not prevent infection |
| Ensure secure development | Policy only | Policy needs standards, review, testing, and enforcement |
| Reduce supplier breach risk | NDA only | NDA does not prove supplier security capability |
| Prevent insider misuse | Annual training only | Need access control, monitoring, segregation, and reviews |
Practical mentor takeaway
For every control, ask:
- What risk does this control treat?
- Does it reduce likelihood, detect occurrence, reduce impact, or support recovery?
- Is that the outcome we actually need?
- What evidence proves it operates?
- Is another control needed to cover another part of the risk?
Related templates
- Risk treatment
- Control attributes
- Iso27002
- Isms
Note Metadata
Aliases: Risk Treatment Effects
Source: 01 Fundamentals/Control Attributes and Risk Treatment Effects.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.7 - Threat Intelligence
- A.5 Organizational Controls MOC
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISMS Implementation Roadmap
- EXAM-003 - ISO 27002 Control Attributes
- EXAM-007 - Preventive vs Detective vs Corrective Controls
- ISO 27002 Control Attributes Evidence Map
- ISO 27002 Knowledge Base
- Template - Control Attribute Review
- Template - Control Balance Analysis
- Template - Risk and Control Mapping Table
- Annex A Controls MOC
- ISO 27001 Overview