CA FINAL ISCA | CHAPTER 3 | POIS | Classification of IS Controls | Mnemonics | Shortcuts | Stories



Topic: 3.6 Classification of Information Systems Controls

3.6.1 Classification on the basis of "Objective of Controls"


In this post we are going to learn the classification of controls on the basis of the objective of controls with the help of mnemonics, followed by the stories linked with them, to help you remember the topic easily. A video class will also be provided at the end of this post for further explanation and better understanding of the mnemonics.

Wearing a helmet is compulsory: COMPENSATORY
It prevents accidents: PREVENTIVE
If you are not wearing one, the police detect it: DETECTIVE
Then they correct it by issuing a challan (traffic fine): CORRECTIVE

Now the punch line, which links the characteristics and examples of Preventive, Detective and Corrective controls
[Compensatory doesn't have any].

To meet CA PRAVEEN, SARDARJI and SARDARNI requested the POLICE to let them go into the TAJ MAHAL.
Background: CA Praveen had come to visit the Taj, where there was police security; Sardarji and Sardarni ji wanted to meet CA Praveen.

CA: examples
PRAVEEN: characteristics

SARDAR JI: examples
SARDARNI JI: characteristics

POLICE: examples
TAJ: characteristics

Preventive Controls: 

Preventive controls are those inputs that are designed to prevent an error, omission or malicious act from occurring. An example of a preventive control is the use of passwords to gain access to a financial system.


--> Employing qualified personnel; Segregation of duties; Access control; Vaccination against diseases; Documentation; Prescribing appropriate books for a course; Training and retraining of staff; Authorization of transaction; Validation, edit checks in the application; Firewalls; Anti-virus software (sometimes this acts like a corrective control also), etc., and Passwords


The CA part, i.e. the CA does the preventing for the businessman;

The CA does proper Documentation;
employs Qualified personnel;
does their Segregation of duties;
sends them on audit, telling them to do Validation of transactions;
and Authorization of transactions;
then the CA puts Access control on the report;
ID password, Antivirus, Firewall


  • A clear-cut understanding about the vulnerabilities of the asset;
  • Understanding probable threats; and
  • Provision of necessary controls to prevent probable threats from materializing


CA PRAVEEN first Understood the Vulnerability, then Understood the Threat, and then put necessary Controls in place to remove it.

Detective Controls:

These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence. An example of a detective control would be the use of automatic expenditure profiling, where management gets regular reports of spend to date against profiled spend.


--> Hash totals; Check points in production jobs; Echo control in telecommunications; Error message over tape labels; Duplicate checking of calculations; Periodic performance reporting with variances; Past-due accounts report; The internal audit functions; Intrusion detection system, Cash counts and bank reconciliation, and monitoring expenditures against budgeted amount


IDS Sardarji (a police post) used to do an Internal Audit of his children's Expenditure,
in which he would Monitor Expenditure against Budgeted amount
and do Cash counts & Bank reconciliation.
To check all this he sent for a Calculator.
He phoned Harsh, who had a job at the Production department's Checkpoint.
There was Echo control in telecommunication, because of which
there was an Error message Over tape label.

  • Clear understanding of lawful activities so that anything which deviates from these is reported as unlawful, malicious, etc;
  • An established mechanism to refer the reported unlawful activities to the appropriate person or group;
  • Interaction with the preventive control to prevent such acts from occurring; and
  • Surprise checks by supervisor.


Sardarni did Unlawful activities along with Lawful ones; she was reported, because of which a Surprise check by the supervisor took place, so as to prevent such acts from occurring.

[SARDARNI was shopping in a mall; she bought some items and stole some. Such thefts started happening a lot, so the Supervisor started doing Surprise Checks so that all these thefts are Prevented.]

Corrective Controls:

Corrective controls are designed to reduce the impact or correct an error once it has been detected. Corrective controls may include the use of default dates on invoices where an operator has tried to enter the incorrect date. A Business Continuity Plan (BCP) is considered to be a corrective control.


--> Contingency planning; Backup procedure; Rerun procedures; Change input value to an application system, and Investigate budget variance and report violations


The policeman:

The policeman had gone for a Run (jogging).
Behind his back, a thief came into his house and Changed the Input value of the Application system (meaning he changed the lock's values and accessed the application system).
His wife demands recovery (of her belongings that were stolen).
She says: apply the Backup procedure (call for police backup).
The policeman does Contingency planning (where could the thief run to, will he be caught or not?).
After this he begins the Investigation.

  • Minimizing the impact of the threat;
  • Identifying the cause of the problem;
  • Providing Remedy to the problems discovered by detective controls;
  • Getting feedback from preventive and detective controls;
  • Correcting error arising from a problem; and
  • Modifying the processing systems to minimize future occurrences of the incidents.

Mnemonics :

AGRA:                   Getting Feedback
PUBLIC:                Providing remedy to the problem
ENVIRONMENT: Identifying cause of problem
TAJ MAHAL:        Minimizing the Impact of threat
FACTORY:             Modifying processing system
POLLUTION:        Correcting error arising from a problem

[For explanation see video]


Compensatory Controls:

"The cost of the lock should not be more than the cost of the assets it protects."