Security Control

Origin & evolution

The vocabulary of preventive, detective, and corrective controls comes from internal-audit and accounting practice, where the question was always who stops the error, who notices it, and who fixes it. Information security adopted the framing wholesale. A preventive control reduces the chance an incident🚨IncidentDevOps & PlatformA production incidentView reference → happens at all (encryption, access rules); a detective control surfaces an incident as or after it occurs (intrusion detection, log review); a corrective control limits damage and restores the system afterwards (backups, patching). The trio maps cleanly onto the NIST Cybersecurity Framework functions, where preventive controls support Protect, detective controls support Detect, and corrective controls support Respond and Recover.

The second axis, technical versus administrative versus physical, sorts controls by their nature: a software ACL, a written policy, a locked server cage. Major frameworks codify the catalogue. NIST SP 800-53 lists hundreds of controls across families; the CIS Controls (v8 has 18) prioritise a defensible subset; and ISO/IEC 27001 Annex A enumerates the controls an information security management system selects from. The 2022 ISO revision added attributes to each control, including its control type, which formalised the preventive-detective-corrective tag inside the standard itself.

How it works in practice

A SaaS team has a threat☠️ThreatSecurityA specific security threatView reference → on its board: an attacker who phishes an engineer's credentials could reach the production database. One control rarely answers a threat on its own, so the team layers across the time axis. Preventive: mandatory hardware-key multi-factor authentication on every production login. Detective: an alert when a database admin session opens from an unrecognised device. Corrective: automated session revocation and a rotation runbook📘RunbookDevOps & PlatformA runbook for incident responseView reference → that the on-call engineer can trigger in one command.

Each control is now an inspectable object. The auditor checking the team against ISO 27001 does not ask "are you secure?"; they ask "show me the control, show me it is operating." The MFA setting, the alert rule🛎️Alert RuleDevOps & PlatformAn alerting ruleView reference →, the runbook, each leaves evidence🔎EvidenceValidationData supporting or refuting a hypothesisView reference →. The threat is the reason the controls exist; the framework is why these specific controls were chosen.

Security control vs. its neighbours

• Security policy🔐Security PolicySecurityA security policyView reference → states the rule ("all production access requires multi-factor authentication"). A control is the mechanism that enforces or detects compliance with that rule. A policy without a control is an unkept promise; a control without a policy is an undocumented habit.
• Compliance framework🏟️Compliance FrameworkComplianceA compliance framework (SOC 2, GDPR, etc.)View reference → is the catalogue and obligation set (NIST 800-53, ISO 27001) that says which controls an organisation must have. The control is the individual safeguard the framework requires.
• Threat is what a control answers. The strongest justification for any control is a named threat it mitigates, which is why controls and threats should always be linked rather than maintained as separate lists.

In the graph

In the Unified Product Graph, a security control is a connective entity, defined as much by what it links to as by what it is. A compliance_framework_requires_security_controlCompliance FrameworkrequiresSecurity Controlcross-domain edge records the obligation that put it in scope; a security_policy_mandates_security_controlSecurity PolicymandatesSecurity Controlhierarchy edge ties it to the rule it enforces; and a product_enforces_security_controlProductenforcesSecurity Controlhierarchy edge grounds it in the actual system. Its outbound defence is captured by security_control_mitigates_threatSecurity ControlmitigatesThreatcross-domain and security_control_protects_serviceSecurity ControlprotectsServicecross-domain, so the graph can answer two audit-grade questions at once: which framework requirement does this control satisfy, and which threat does it actually stop. A control that satisfies a framework but mitigates no threat is compliance theatre, and the structure makes that visible.