An important step in an ISO 27001 risk assessment process is identifying all the threats that pose a risk to information security. While this is a relatively straightforward activity, it is usually the most time-consuming part of the whole risk assessment process.
Identifying threats in your risk assessment
You will need to identify which threats could exploit the vulnerabilities of your in-scope assets to compromise their confidentiality, integrity or availability (often referred to as the CIA triad).
To help you get started, we have identified the top 10 threats you should consider in your ISO 27001 risk assessment.
It’s important to remember that this list is not appropriate for everyone, nor is it complete. Your risk assessor will need to take a significant amount of time to consider every reasonable threat, whether a bomb attack or a user error. Your list of threats is bound to be a long one.
- Social engineering: For example, phishing is a social engineering technique that manipulates people into performing actions or divulging confidential information for malicious purposes.
- Access to the network by unauthorised persons.
- Disclosure of information or passwords.
- Malfunction of equipment.
- Loss of electricity.
- Errors in maintenance.
- Theft of hardware.
- Destruction of records.
- Human or natural disasters: Human disasters are man-made and include sabotage, vandalism and tampering. Natural disasters include earthquakes, storms and landslides.
- Terrorist attacks.
Streamline the risk assessment process with vsRisk™
vsRisk, a risk assessment software tool fully compliant with ISO 27001, delivers simple, fast, accurate and hassle-free risk assessments and helps you produce consistent, robust and reliable risk assessments year on year.