The DIS (Draft International Standard) of ISO 21434 treats controls as artifacts that are produced in the development phase of a product. In the concept phase they are instead called Cybersecurity Goals, which do not yet describe the concrete implementation. Later, once refined, they turn into Cybersecurity Requirements.
That is why the TARA and concept chapters (chapters 8 and 9) do not talk about Security Controls. Only the Product Development chapter (chapter 10) works with them (in recommendation [RC-10-01]).
In practice, controls are an important input for refining the whole analysis. Since controls themselves introduce assets, the risks of those assets shall be assessed as well (requirement [RQ-10-01] c)). Furthermore, the assets introduced by controls should be added to the existing analysis rather than analysed separately. This saves effort because it avoids recreating parts of the analysis. That way, a single source of truth can carry the history of decisions throughout the whole lifecycle. As an additional benefit, such a setup keeps decisions consistent.
Got a comment? Want to discuss this further? Feel free to contact me.