Controls for malicious attack
For a malicious attack, which control is necessary? As per the video, it says physical and environmental security; however, I think it should be operation control.
Answer: In fact both types of controls may be necessary. Physical and environmental security prevents an attacker from having direct physical access to an asset (e.g. access to a paper document, a server, a switch, etc.), while by using operation controls you can handle risks related to abuses while operating equipment and facilities, as well as attacks that can be performed remotely (e.g., invasion through software exploitation). The application of different types of controls to protect an asset is what we call defense in depth.
These articles will provide you with further explanation about how to use different controls to apply the same security concept:
- Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/
- Requirements to implement network segregation according to ISO 27001 control A.13.1.3 https://advisera.com/27001academy/blog/2015/11/02/requirements-to-implement-network-segregation-according-to-iso-27001-control-a-13-1-3/
This material will also help you regarding defense in depth:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
Jun 13, 2017