Interim controls are temporary protective measures deployed until a permanent control is fully implemented. Typical examples include manual review steps until automated monitoring is operational, or a temporary VPN solution until a zero-trust architecture is in place. In your ISMS, you document interim controls in the risk treatment plan with a clear expiration date and a responsible person. This ensures that provisional solutions do not become permanent fixtures. Auditors pay close attention to whether interim controls are being tracked.