The DIS of the ISO21434 considers controls as artifacts that are yielded in the development-phase of a product. In the concept-phase, they are rather called Cybersecurity Goals, which don’t describe the concrete implementation of them yet. Later when digested they will turn into Cybersecurity Requirements.
That’s why the TARA and concept chapters (chapter 8 and 9) don’t write about Security Controls. Only the Product Development chapter (chapter 10) works with them (in requirement [RC-10-01]).
Got a comment? Want to discuss this further? Feel free to contact me.