To which classification of security controls does the implementation of patches after the identification of system vulnerabilities belong?


The implementation of patches after identifying system vulnerabilities is classified by function as a corrective control: the patch corrects a weakness that has already been identified and fixes a defect that already exists in the deployed software. When a vulnerability is discovered, applying the patch removes the flaw and so reduces the risk of exploitation, restoring the system to a secure and supported state. One caveat worth knowing for the exam: the control in which patching lives, ISO/IEC 27002:2022 control 8.8 (Management of technical vulnerabilities), carries the attribute value #Preventive in the standard's own control-type attribute, because the vulnerability management process as a whole aims to prevent exploitation. The question, however, asks about the act of applying a patch to a vulnerability that has already been found, and in the preventive/detective/corrective scheme that act is corrective.

Additionally, this action is classified as technical by type because it involves software updates and configuration changes made at the system or application level, a direct change to the technology itself rather than a change in policies, procedures or responsibilities, which would be administrative (managerial) controls, or a change to locks, barriers or environmental protections, which would be physical controls. In the four themes of ISO/IEC 27002:2022 (organizational, people, physical, technological), this places patching under the technological theme.

This combination of corrective function and technical type is how the question expects patching to be classified. It also illustrates why an information security management system built on ISO/IEC 27001 needs a robust patch management process: identifying vulnerabilities is only useful if the organisation can reliably correct them within a defined timeframe, and an auditor will look for evidence of that process, for example vulnerability scan results paired with records showing when and how the corresponding patches were applied.
