The correct answer is Corrective controls, because the organization is responding to an incident that has already occurred and is taking actions to remove the malware and restore normal operations. Corrective controls are designed to limit damage, eradicate the cause of an incident, and return systems to an acceptable operational state after a security event has been detected.
In this scenario, the malware infection has already bypassed existing security measures, meaning preventive controls failed to stop the incident. The focus now is not on detection, as the infection is already known, but on remediation and recovery. Activities such as malware removal, system restoration from backups, reinstallation of compromised systems, and application of patches are classic examples of corrective controls.
ISO/IEC 27001:2022 addresses this through clause 10.2 on nonconformity and corrective action, which requires organizations to take action to control and correct incidents and deal with their consequences. Additionally, ISO/IEC 27002:2022 includes controls related to incident response and recovery that support corrective actions after an event.
Option B is incorrect because detective controls, such as monitoring and logging, are intended to identify incidents, not resolve them. Option C is incorrect because preventive controls aim to stop incidents from occurring in the first place, such as antivirus software or access controls. Since the malware has already caused harm, corrective controls are the most appropriate response.
