We have done a Risk Assessment and we are now in the process of choosing security controls. We are using security controls which align with industry standards like ISO 27001, and we are also choosing controls which were individually designed by us and fit our company. In this context, what is the difference between C.A.R/P.A.R and these security controls? From my understanding, if a control is not implemented yet, we can make some kind of project plan to fulfil our controls. But as I also understand it, we can create a C.A.R to implement these controls, or not?
First, it is important to note that in the context of ISO 27001 preventive actions are not required (the word "preventive" does not even appear in the standard). Preventive actions were superseded by clause 6.1 - Actions to address risks and opportunities, which basically involves risk management. So, for this standard, what you could see as similar to the preventive action report is the Risk Treatment Plan, which defines actions, responsibilities, resources and deadlines to treat risks considered unacceptable.
Second, the standard does not require a Corrective Action Report, only that, if needed, corrective actions are implemented, and that evidence of the nature of the nonconformities, of any subsequent actions taken, and of the results of any corrective action is retained.
Considering that, to answer your question: a risk treatment plan is used to minimize the chance of a risk occurring, or its impact, while corrective actions are used when the risk has already occurred.
So this scenario could then be possible for me:
1. Making the Risk Assessment
2. Choosing Controls (ISO 27001 and Own Controls)
3. Handling the implementation of these controls (Risk Treatment Plan) via a P.A.R
4. Choosing C.A.Rs as a result of security threats, audits, etc.