First is important to note that such classifications are defined only in ISO 27002, and they are not mandatory to be used to be compliant with ISO 27001.
Considering that, these classifications are known in ISO 27002 as control attributes, and they provide a standardized way to sort and filter controls against different views to address the needs of different groups.
The detective, corrective and preventive attributes belong to the “control type” attribute category. ISO 27002 provides other four categories that can be used instead of “control type” to sort controls:
- Information security properties: Confidentiality, Integrity, and Availability
- Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
- Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
- Security domains: Governance and ecosystem, Protection, Defense, and Resilience
For example, control 5.1 Policies for Information Security, in its attribute Control type is classified as preventive, while its Concept attribute is identify. As for control 7.4 Physical Security Monitoring in its attribute Control type is classified as preventive and detective, while its Concept attribute is protect and detect.
For further information, see: