The control direction of a security control describes where in the incident lifecycle it takes effect. Preventive controls stop incidents from occurring (e.g., firewalls, training), detective controls identify them (e.g., SIEM, monitoring), and corrective controls restore normal operations (e.g., backups, incident response). In an ISMS, classifying controls by direction helps you spot gaps. A balanced mix of all three directions creates a robust security architecture.