Vol. 01 · Story 18 · Domain 1

TWENTY-FOUR CELLS.

Security Control Categories

GRC walkthrough · UK fintech · Two weeks before the ISO 27001 audit · 5 min read

Catrin Davies is mapping 140 controls to a 4×6 matrix. Six functional types. Four implementation types. Twenty-four cells. When her CISO walks in and challenges a classification, she demonstrates the thing auditors actually care about: that your people understand what each control does, not just where it lives in a spreadsheet.


Twenty-Four Cells.

The 4×6 controls matrix is how auditors think. It is how frameworks are written. If you are going to own a controls register, you need to know every cell — and you need to know why the same control can legitimately sit in more than one of them.

It is 08:50 on a Tuesday, two weeks before the ISO 27001 certification audit, and Catrin Davies has her Vanta dashboard open on the left monitor and the controls register exported to a Confluence page on the right. One hundred and forty controls. Each one needs a functional classification and an implementation classification before the auditors arrive. She has done this exercise three times across previous engagements — once for a payments processor in Canary Wharf, once for a Cardiff-based insurtech, once for a small MSSP that thought SOC 2 was something you achieved by buying a tool. She has learned that the classification pass is not bureaucracy. It is the moment you find out whether your organisation actually understands what it has built.

The framework she is working from organises every security control along two independent axes. The first axis describes what the control does — its functional type. The second describes what the control is — its implementation type. Every control in the register gets one label from each axis. The resulting grid has six rows and four columns: twenty-four possible cells. Some cells are densely populated. Some are nearly empty. The distribution itself is diagnostic.

She starts at the top of the functional axis. A preventive control acts before an incident occurs — its purpose is to stop the threat from materialising at all. Full disk encryption on every managed laptop, enforced through Jamf and validated in Vanta, is preventive and technical: enforced by technology, not by a person. Pre-employment background checks are also preventive, but their implementation type is different — they are a procedure carried out by HR, making them operational, and mandated by a policy owned by the people function, giving them a managerial dimension too. Auditors accept dual implementation tags. What they do not accept is a control with no owner and no evidence of execution.

The second row is detective controls: they do not stop an incident, they identify that one is occurring or has occurred. The SIEM — Splunk, ingesting CloudTrail, Okta, and endpoint telemetry — is detective and technical. The monthly access review, comparing active accounts against the HR roster and flagging orphaned access, is detective, operational, and managerial simultaneously. The CCTV cameras covering the server room entrance are detective and physical — the fourth implementation type, covering anything tangible. A fence is physical and preventive. Implementation type describes the form a control takes, not what it does.

Below detective sits corrective controls: these act after an incident is confirmed, with the purpose of restoring normal operation. The EDR platform — CrowdStrike across all endpoints — isolates a compromised host and rolls back malicious changes on confirmed detection. Corrective and technical. The incident response runbook in Confluence is corrective and operational: a procedure that humans follow when the alarm sounds. Patch deployment via Jamf, pushing a critical OS patch in response to a published CVE, is corrective and technical — restoring a secure baseline. These controls protect the availability and integrity dimensions of the CIA triad.

Catrin is halfway through the register when she hears the door. The CISO, Marcus Webb, has thirty minutes free before his 10 o'clock and wants to see how the classification pass is going. She pulls up the working view on the wall screen.

The fourth functional type requires a precise definition. A deterrent control does not physically prevent an action and does not detect one after the fact. It discourages by making the consequences of action visible. The CCTV signage in the building lobby is a deterrent — the cameras behind it are detective. A warning banner on the corporate VPN login screen is deterrent and technical: delivered by technology, its purpose is to cause a potential intruder to reconsider before acting. The sanctions clause in the Acceptable Use Policy is deterrent and managerial. None of these would stop a determined attacker who had already committed to acting. Their job is to influence the calculation that precedes the decision.

The fifth functional type is where Catrin spends the most time during audit readiness: compensating controls. A compensating control is a deliberate substitute for a primary control that cannot be implemented — not a preference, not a budget objection, but a documented genuine constraint. The company runs a legacy payroll system that cannot support MFA without a full redevelopment scoped for Q3. The compensating package: access restricted to internal IPs only (technical and preventive), and every login logged to Splunk with an anomalous-access alert rule (technical and detective). Recorded in the exception register with a CISO-signed risk acceptance, a Q2 review date, and a remediation ticket linked to the Q3 project.

"A compensating control is not just any alternative," Catrin tells Marcus. "It has to be documented as a deliberate exception. Without the risk acceptance and the review date, it is not a compensating control. It is an unmitigated gap that happens to have a workaround."

The sixth functional type is directive controls. These state what is required. They do not enforce it, detect violations, or correct them after the fact. The AUP is directive and managerial. The data classification policy is directive and managerial. The mandatory security awareness training programme — annual, completion tracked in the LMS — sits at the boundary of directive and operational, because it is delivered as a procedure and carried out by staff. Directive controls protect the CIA triad indirectly, by shaping the behaviour that all other controls depend on. An organisation whose staff do not understand the data classification policy will mishandle confidential data regardless of how good its technical controls are. ISO 27001 Annex A is full of directive controls. Auditors look for evidence that staff have read and understood them, not merely that the documents exist.

Marcus leans back. "I classified network segmentation as preventive. That is it." Catrin keeps her expression neutral. She has had this conversation before, with a Big Four lead auditor who made the same call. "It depends on how you frame the purpose of the control," she says. She pulls up the network diagram. The company runs four VLANs: corporate users, developer tooling, the legacy payroll system, and the cloud connectivity VLAN. The segmentation between the legacy VLAN and the others is enforced at the firewall.

"If you frame it as stopping an attacker on one segment from reaching another, it is preventive — it prevents lateral movement. That is the most obvious reading." She opens the firewall policy in the SIEM console. "If you frame it as the alerts that fire when traffic attempts to cross a segment boundary in violation of the policy, it is detective — the firewall generates deny logs that feed into Splunk, and there is a detection rule on unusual cross-segment attempts." She navigates to the exception register. "And if you frame it as the reason the legacy payroll system is tolerable without a current-cycle patch schedule — because we have isolated it from every other segment so its exposure is limited — then it is also a compensating control for the patching gap."

Marcus is quiet for a moment. "So it sits in three cells." "It sits in three cells depending on the context in which you are evaluating it," Catrin confirms. "ISO 27001 and NIST 800-53 both recognise that a single technical control can serve multiple functions. What auditors want to see is that you are making deliberate, documented decisions about each function — not that you have mechanically assigned one label and moved on. If you record it as preventive only and the auditor asks about detective capability on segment boundaries, the answer 'the firewall logs those' should be in the register alongside the control, not improvised on the day."

She adds a note to the segmentation entry in Confluence: "Primary classification: Preventive / Technical. Secondary functions: Detective / Technical (deny-log detection rule SEC-D-041 in Splunk); Compensating / Technical for legacy payroll patching gap (exception REG-2024-009)." The entry now has three rows instead of one. Each row is accurate. The auditor will see that the organisation has thought about this.

The NIST CSF organises this differently — Identify, Protect, Detect, Respond, Recover — but the underlying logic maps cleanly: Protect aligns with preventive and directive, Detect with detective, Respond and Recover with corrective. SOC 2 Trust Services Criteria use different vocabulary for the same structure. Once you understand the 4×6 matrix, you can orient yourself in any framework within minutes.

By 10:40, Catrin has classified 118 of 140 controls. The remaining 22 are in the compensating category — all of them properly documented with a risk acceptance signed at the appropriate level, a review date, and a remediation ticket. The exception register is the most important document in the room for an ISO 27001 auditor after the risk assessment itself. It demonstrates that the organisation knows where its controls are inadequate and has made a deliberate, supervised decision about how to handle the gap. Undocumented gaps fail. Documented, risk-accepted, compensating-controlled gaps with a review cadence pass.

The audit is in fourteen days. Catrin closes the Vanta dashboard, opens the ISMS scope document, and starts on the next section. The matrix is complete. What remains is the evidence.

A compensating control without a risk acceptance and a review date is not a compensating control. It is an unmitigated gap that happens to have a workaround. The exception register is the difference between the two. — Story 18 · Security Control Categories

Every control in a mature ISMS has two labels: a functional type describing what it does (Preventive, Detective, Corrective, Deterrent, Compensating, Directive) and an implementation type describing what form it takes (Technical, Managerial, Operational, Physical). The 4×6 matrix is the structural backbone of ISO 27001 Annex A, NIST 800-53, and every major controls framework. The exam expects you to classify a given control both ways. Real GRC work expects you to understand why a single control can sit in multiple cells and to document those decisions explicitly.

// THE LOCK-IN

Two axes. Functional type: what the control does — Preventive, Detective, Corrective, Deterrent, Compensating, Directive. Implementation type: what the control is — Technical, Managerial, Operational, Physical. Every control gets both labels. A single control can serve multiple functional purposes — classify each one, document each one. A compensating control requires a risk acceptance, a review date, and a link to the primary control it substitutes. Without that documentation, it is not a compensating control. It is an unmitigated gap.
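The lock-in rules above are mechanical enough to check in code. The following is an added example, not the tooling Catrin's team or any product uses: a small register model that rejects labels outside the 4×6 matrix, allows one control to occupy several cells, and refuses to treat a control as compensating unless its risk acceptance, review date and primary-control link are recorded. Control names, owners and dates are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# The two axes of the 4x6 matrix; a cell is one label from each.
FUNCTIONAL = {"Preventive", "Detective", "Corrective", "Deterrent", "Compensating", "Directive"}
IMPLEMENTATION = {"Technical", "Managerial", "Operational", "Physical"}
TODAY = date(2024, 3, 1)  # constructed "today" for the review-date check

@dataclass
class Control:
    name: str
    owner: str
    cells: list[tuple[str, str]]      # every (functional, implementation) cell it occupies
    risk_acceptance: str = ""          # required only for Compensating cells: who signed
    review_date: date | None = None    # required only for Compensating cells
    primary_control: str = ""          # the control this one substitutes for

def validate(c: Control, today: date = TODAY) -> list[str]:
    """Audit findings for one register entry; an empty list means the entry passes."""
    findings = []
    if not c.owner:
        findings.append("no owner")
    for func, impl in c.cells:
        if func not in FUNCTIONAL or impl not in IMPLEMENTATION:
            findings.append(f"invalid cell {func}/{impl}")
    if any(func == "Compensating" for func, _ in c.cells):
        # Without all three items this is an undocumented gap, not a compensating control.
        if not c.risk_acceptance:
            findings.append("compensating: no risk acceptance")
        if c.review_date is None or c.review_date < today:
            findings.append("compensating: no future review date")
        if not c.primary_control:
            findings.append("compensating: no link to the primary control")
    return [f"{c.name}: {f}" for f in findings]

def matrix_counts(register: list[Control]) -> dict[tuple[str, str], int]:
    """Populate the 24 cells from the register; sparse cells are themselves diagnostic."""
    counts = {(f, i): 0 for f in FUNCTIONAL for i in IMPLEMENTATION}
    for c in register:
        for cell in c.cells:
            counts[cell] = counts.get(cell, 0) + 1
    return counts

# Constructed entries. Network segmentation sits in three cells, as in the story.
SEGMENTATION = Control("Network segmentation", "Network lead",
    [("Preventive", "Technical"), ("Detective", "Technical"), ("Compensating", "Technical")],
    risk_acceptance="CISO", review_date=date(2024, 6, 30), primary_control="Legacy payroll patching")
# The same workaround with no exception-register entry: it fails validation.
UNDOCUMENTED = Control("Payroll IP allow-list", "", [("Compensating", "Technical")])
```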

Check Yourself · Question 18

A legacy system cannot support MFA due to a technical constraint. The security team restricts access to internal IPs only and logs every login attempt to the SIEM, with a risk acceptance signed by the CISO and a review date set for Q2. How should these two controls be classified?

Terminology · Story 18


// Term · 01 / 06
Functional Types (×6)
Preventive — stops it. Detective — identifies it. Corrective — restores after it. Deterrent — discourages the attempt. Compensating — documented substitute. Directive — states the requirement.

// Term · 02 / 06
Implementation Types (×4)
Technical — enforced by technology (firewall, EDR, encryption). Managerial — policy and governance. Operational — people and procedures. Physical — tangible, touchable things.

// Term · 03 / 06
Compensating Control
A documented substitute for a primary control that cannot be implemented. Requires: a risk acceptance signed at the right level, a review date, and a link to the primary control being substituted. Without documentation, it is not compensating — it is an unmitigated gap.

// Term · 04 / 06
Directive Control
States what is required. Does not enforce, detect, or correct. An AUP, a data classification policy, a security awareness programme. Directive controls shape the behaviour that every other control depends on.

// Term · 05 / 06
Deterrent vs Preventive
A deterrent discourages by making consequences visible — login banner, CCTV signage, AUP sanctions clause. It does not physically enforce. A preventive control actually stops the action — firewall rule, encryption, locked door. The distinction is whether the control acts or influences.

// Term · 06 / 06
Multi-cell controls
A single control can serve multiple functional purposes. Network segmentation is preventive (stops lateral movement), detective (alerts on policy-violating traffic), and compensating (isolates a legacy system that cannot be patched). Classify each function separately and document each one.