ISO 27001 risk assessments: How to identify risks and vulnerabilities

One of the early challenges of conducting an ISO 27001 risk assessment is how to identify the risks and vulnerabilities that your organisation faces.

It’s a deceptively tricky task, because although it doesn’t require the practical application of information security knowledge – you’re simply listing threats – you still need a strong understanding of the subject.

That’s because risks aren’t always self-evident. To uncover them, you need to understand how cyber attacks work and the types of mistakes that could compromise sensitive information.

So how do you go about doing that?

There are two ways to identify risks

Organisations have two options when deciding how to identify risks; they can take an asset-based or scenario-based approach.

With an asset-based risk assessment, organisations begin with a list of assets – such as digital files, databases and physical documents – and outline all the ways they could be compromised.

A scenario-based risk assessment reverses this, starting with a list of ways that security incidents might occur, which you then use to follow the damage through your organisation and highlight vulnerable assets.

Although each approach has its merits – and ISO 27001, the international standard that describes best practice for information security, doesn’t advise one way or the other – an asset-based approach is generally the preferred option.
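To make the two approaches concrete, here is an added example (not code from the original post, and not part of vsRisk or any other product) that builds a small risk register both ways from the same data. The assets, owners, asset kinds and threat names are constructed sample values. It shows two things the prose only implies: both approaches enumerate the same set of asset/threat pairs, just grouped differently, and the asset-based view makes an asset with no identified threat stand out, which is a gap in your threat list rather than a risk-free asset.

```python
"""Asset-based vs scenario-based risk identification over one register.

Added illustration; the organisation, assets and threats below are
constructed sample data, not taken from the original post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str   # organisational role responsible for the asset
    kind: str    # e.g. "database", "file share", "paper records"


@dataclass(frozen=True)
class Threat:
    name: str
    applies_to: frozenset  # asset kinds this threat is relevant to


# Constructed inventory for a fictional small organisation.
ASSETS = [
    Asset("customer database", "Head of IT", "database"),
    Asset("HR file share", "HR Manager", "file share"),
    Asset("signed contracts", "Legal", "paper records"),
    Asset("payroll SaaS", "Finance", "third-party service"),
]

# Constructed threat catalogue, each tagged with the asset kinds it can affect.
THREATS = [
    Threat("unpatched software exploited", frozenset({"database", "file share"})),
    Threat("phishing leads to credential theft",
           frozenset({"database", "file share", "third-party service"})),
    Threat("ransomware encrypts data", frozenset({"database", "file share"})),
    Threat("supplier breached", frozenset({"third-party service"})),
    Threat("documents lost or stolen", frozenset({"paper records"})),
]


def asset_based(assets, threats):
    """Start from each asset and list every way it could be compromised."""
    return {
        a.name: sorted(t.name for t in threats if a.kind in t.applies_to)
        for a in assets
    }


def scenario_based(assets, threats):
    """Start from each scenario and follow it to the assets it would affect."""
    return {
        t.name: sorted(a.name for a in assets if a.kind in t.applies_to)
        for t in threats
    }


def risk_pairs(register, keys_are_assets):
    """Flatten either register into (asset, threat) pairs so the views compare."""
    pairs = set()
    for key, values in register.items():
        for value in values:
            pairs.add((key, value) if keys_are_assets else (value, key))
    return pairs


def uncovered_assets(assets, threats):
    """Assets with no identified threat: a gap in the catalogue, not a safe asset."""
    return sorted(name for name, ts in asset_based(assets, threats).items() if not ts)


if __name__ == "__main__":
    for asset, ts in asset_based(ASSETS, THREATS).items():
        print(f"{asset}: {', '.join(ts)}")
    # Adding an asset kind the catalogue does not cover exposes the gap.
    extra = ASSETS + [Asset("visitor badge printer", "Facilities", "hardware")]
    print("assets with no identified threat:", uncovered_assets(extra, THREATS))
```

The `uncovered_assets` check is the practical reason the asset-based view is usually preferred: when you start from the inventory, every asset gets a row, and an empty row is an immediate prompt to extend the threat list (or to confirm the asset really is out of scope). Starting from scenarios, an asset nobody thought of simply never appears.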

Examples of risks

Every organisation will face its own risks, and there are far too many to even begin listing them comprehensively, but to give you an idea of the sorts of things you should look out for, we’ve highlighted five common issues:

  1. New technology

Technology is developing rapidly, and while many organisations are quick to embrace it, they are often less efficient at securing it.

Staying up to date with the latest technological advances offers an array of benefits, from convenience to improved business prospects, but new technology comes with new vulnerabilities, offering cyber criminals opportunities for attack.

Remember, too, that security risks aren’t just traditional vulnerabilities – giving employees the opportunity to work in new ways could have surprisingly negative impacts on information security.

  2. Outdated software

Outdated software poses a bigger risk than you might expect. It might be tempting to ignore updates and carry on using old systems because they still work and upgrading seems like too much hassle.

However, the older your system, the greater the chance that there are vulnerabilities that can be exploited – especially when the software has reached its end of life and the vendor no longer provides security updates or support. And it’s not just criminal hackers you have to worry about.

Old software is often incompatible with newer applications, reduces your competitiveness, and puts you at risk of non-compliance with laws and regulations, which could have legal, financial and reputational repercussions.

  3. Supply chain attacks

For your organisation to be secure, you also need to ensure your partners and suppliers are following security best practice.

A supply chain attack occurs when your system is infiltrated through a third-party supplier or service provider; these are often targeted because they are the ‘weak link’ and are less secure, offering a cyber criminal an easy route into your organisation.

As these vendors generally have access to your systems and to the personal data that your organisation holds, a breach could have serious implications.

  4. Phishing

Phishing is a type of social engineering attack that targets people through deceptive emails, trying to get them to click malicious links or disclose confidential information.

Both the ease of the scam and its long-term success have made it popular with attackers – and as their methods have become more sophisticated, their emails have become harder to spot.

While software can help stem the flow, no spam filter is 100% effective and malicious emails will slip through – ultimately leaving it up to your employees to make the final call.

  5. Malware

Malware is designed to infiltrate and damage computer systems, and takes many different forms, from worms to Trojans to ransomware.

Although the extent of the damage will depend on the type of malware, the device or network that is infected and what data is stored on it, the consequences of a successful attack can be severe, resulting in the shutdown of an organisation’s systems, the loss of critical data, and/or significant financial and reputational damage.

Simplify the risk assessment process with vsRisk

You can find out more on how to create a successful risk assessment by checking out vsRisk Cloud.

This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.


A version of this blog was originally published on 2 July 2019.
