A control is an individual measure for treating an information security risk. ISO 27001 Annex A lists 93 controls in four categories: organizational, people, physical, and technological. Each control has a defined purpose and can be preventive, detective, or corrective. In the Statement of Applicability (SoA) you document for each control whether it applies and how you implement it. Controls are a means to an end — they must address the risks your risk analysis identified. You verify the effectiveness of each control regularly through KPIs, internal audits, and management reviews.