Control Types, Standards, and Frameworks is the ISACA CRISC knowledge area that defines how risk-response controls are classified by function — preventive, detective, corrective, or compensating — and how those classifications map to major governance frameworks: COSO Internal Control–Integrated Framework, ISO/IEC 27001/27002, ISO 31000, and NIST Cybersecurity Framework (CSF 2.0). A control type describes what a control does relative to a risk event: preventive controls stop the event from occurring; detective controls identify when an event has occurred; corrective controls remediate damage after an event; compensating controls substitute when a primary control cannot be implemented. A framework provides a structured vocabulary, component model, and audit-defensible taxonomy within which those control types are documented, assessed, and reported. Together, control types and frameworks form the standardized language that connects risk statements to audit evidence, regulatory requirements, and organizational accountability structures.
Where it stops · what it isn't
- INCLUDES: Classification of controls as preventive, detective, corrective, or compensating; control objectives vs. control procedures; design effectiveness vs. operating effectiveness distinctions; COSO five-component model; ISO/IEC 27002:2022's 93 controls across four themes (organizational, people, physical, technological); NIST CSF 2.0 six functions (Govern, Identify, Protect, Detect, Respond, Recover); framework-to-framework mapping logic; shared responsibility model control stratification.
- EXCLUDES: Control design methodology, i.e. how to engineer a specific control from scratch (covered in 'Control Design, Selection, and Analysis'); control testing techniques and sampling methods (covered in 'Control Implementation, Testing, and Effectiveness'); risk treatment decision logic, i.e. which risks warrant which response strategies (covered in 'Risk Treatment and Response Options'); specific regulatory compliance procedures (e.g., how to produce a SOX Section 404 management assessment).
- NOT the same as compliance frameworks: a compliance framework (e.g., PCI DSS, HIPAA) dictates what you must do; a control framework (COSO, NIST CSF) provides the structural taxonomy for how you organize and classify what you do.
- NOT a static list: framework versions change. NIST CSF 2.0 added the 'Govern' function in February 2024; ISO/IEC 27002 restructured from 114 to 93 controls in its 2022 edition. Practitioners must track version currency.
- Control type is NOT the same as control mechanism: MFA is a mechanism. It is usually classified as preventive, but the classification depends on its placement and purpose in a specific risk scenario; the same mechanism can serve as a compensating control where the primary control cannot be implemented.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- REQUIRES: Control Design, Selection, and Analysis; Risk Assessment Methodology
- ENABLES: Control Implementation, Testing, and Effectiveness; Risk Treatment and Response Options; GRC Platform Configuration and Taxonomy Design
- PART OF: CRISC Domain 3: Risk Response and Reporting
- RELATED TO: Control Monitoring and Reporting
- CONSTRAINS: Audit and Compliance Documentation