List of threats and vulnerabilities in ISO 27001

When an organisation conducts an ISO 27001 risk assessment, it’s useful to have a list of threats and vulnerabilities to hand to make sure everything is accounted for.

The list also helps you understand the difference between threats and vulnerabilities, which in itself is an essential part of the process.

In this blog, we help you understand the threats and vulnerabilities your organisation faces, and how the two combine into the risks your assessment must record.

Note that these aren’t exhaustive lists; every organisation is unique and will have its own challenges. You must consider what these are in addition to what we’ve outlined below to achieve a comprehensive record.

List of threats

A threat is any potential cause of an incident that could negatively affect the confidentiality, integrity or availability of an asset. A threat on its own is not a risk: it only becomes one when there is a vulnerability it can exploit.

Here is a list of threats your organisation may encounter:

  • Breach of contractual relations
  • Breach of legislation
  • Damage caused by a third party
  • Damages resulting from penetration testing
  • Destruction of records
  • Eavesdropping
  • Embezzlement
  • Employees going on strike
  • Equipment malfunction
  • Failure of communication links
  • Falsification of records
  • Fraud from a cyber criminal
  • Fraud from an internal party
  • Improper disclosure of passwords
  • Improper disclosure of sensitive information
  • Industrial espionage
  • Interruption of business processes
  • Lack of data integrity
  • Loss of support services
  • Maintenance errors
  • Malicious code
  • Misuse of information systems
  • Natural or man-made disaster
  • Phishing scams
  • Power failure
  • Sensitive data being compromised
  • Social engineering
  • Terrorism threat in the immediate vicinity or affecting nearby transport and logistics
  • Theft of equipment
  • Theft of sensitive data
  • Unauthorised access to the information system
  • Unauthorised access to the network
  • Unauthorised changes of records
  • Unauthorised physical access
  • Unauthorised use of copyright material

List of vulnerabilities

A vulnerability is a weakness in an asset, process or control that a threat can exploit to destroy, damage or compromise the asset. Unlike a threat, a vulnerability is something within your organisation’s control, which is why most risk treatment consists of fixing vulnerabilities rather than trying to remove threats.

Here is a list of vulnerabilities your organisation may encounter:

  • Employees not receiving adequate training
  • Equipment not being replaced when it is no longer fit for purpose
  • Hard drives being disposed of without sensitive data having been deleted
  • Improper cabling security and management
  • Improper change management
  • Improper internal audit
  • Improper network management
  • Improper validation of the processed data
  • Inadequate or irregular system backups
  • Inadequate physical security controls
  • Insufficient processes or technologies to prevent malicious files from being downloaded
  • Insufficient processes or technologies to prevent sensitive data from being copied
  • Insufficient software testing
  • Insufficient processes or technologies to prevent users from downloading unapproved software
  • Inadequate protection of cryptographic keys
  • Lack of systems for identification and authentication
  • No procedure for removing access rights upon termination of employment
  • No protection for mobile equipment
  • Operational and testing facilities not being properly segregated
  • Passwords not being changed from default settings
  • Passwords not being strong enough
  • Poor or non-existent access control policy
  • Poor or non-existent clean desk and clear screen policy
  • Poor or non-existent internal documentation
  • Poor staff morale and potential for malicious action
  • Premises vulnerable to flooding, fire or other disruptive events
  • Sensitive data not being properly classified
  • Staff duties not being properly segregated
  • Staff not receiving security awareness training
  • User rights are not reviewed regularly
  • Unprotected public networks
  • Water or heat damage to equipment

Performing an ISO 27001 risk assessment

Identifying threats and vulnerabilities is just the beginning of your ISO 27001 risk assessment. A risk exists where a threat can exploit a vulnerability in a specific asset, so the next step is to pair them up per asset, rate the likelihood and impact of each pairing, and prioritise the results against your risk acceptance criteria – and only then can you select and implement controls to treat the risks that sit above that threshold.
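The following is an added worked example of that assess-and-prioritise step, written for this post; it is not code from the page or from vsRisk. The 5-point likelihood and impact scales, the likelihood × impact scoring, the acceptance threshold of 8 and the sample register entries are all assumptions chosen for illustration (ISO 27001 does not prescribe a scale), though the threats and vulnerabilities used come from the lists above.

```python
"""Asset-based risk assessment of the kind ISO 27001 expects: each risk is an
asset, a threat that could harm it, and the vulnerability the threat would
exploit. Scales, threshold and register entries are assumptions for
illustration, not something the standard (or this page) prescribes."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed 5-point qualitative scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTANCE_THRESHOLD = 8  # assumed: a risk scoring above this must be treated


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str             # what could happen (from the threat list)
    vulnerability: str      # the weakness the threat exploits (from the vulnerability list)
    likelihood: str
    impact: str
    treatment: Optional[str] = None            # control chosen during risk treatment
    residual_likelihood: Optional[str] = None  # rating after the control, if it changed
    residual_impact: Optional[str] = None


def score(likelihood: str, impact: str) -> int:
    """Risk = likelihood x impact on the assumed scales; rejects unknown ratings."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def inherent_score(risk: Risk) -> int:
    """Score before any treatment is applied."""
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Score after treatment; an untreated risk keeps its inherent score."""
    if risk.treatment is None:
        return inherent_score(risk)
    return score(risk.residual_likelihood or risk.likelihood,
                 risk.residual_impact or risk.impact)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent risk first; ties broken by impact, then asset name."""
    return sorted(register, key=lambda r: (-inherent_score(r), -IMPACT[r.impact], r.asset))


def treatment_plan(register: List[Risk],
                   threshold: int = ACCEPTANCE_THRESHOLD) -> List[Tuple[str, str, int, int, str]]:
    """One row per risk: asset, threat, inherent score, residual score, action.
    A treated risk can still sit above the threshold; it then needs further
    treatment or a documented acceptance decision by management."""
    rows = []
    for r in prioritise(register):
        residual = residual_score(r)
        action = "accept" if residual <= threshold else "treat"
        rows.append((r.asset, r.threat, inherent_score(r), residual, action))
    return rows


# Constructed sample register (illustrative assets and ratings, not real data).
SAMPLE_REGISTER = [
    Risk("Customer database", "Theft of sensitive data",
         "Passwords not being strong enough", "likely", "severe",
         treatment="Enforce MFA and a password policy",
         residual_likelihood="unlikely"),            # 20 -> 10: still above threshold
    Risk("Laptops", "Theft of equipment",
         "No protection for mobile equipment", "possible", "major",
         treatment="Full-disk encryption",
         residual_impact="minor"),                   # 12 -> 6: acceptable
    Risk("File server", "Equipment malfunction",
         "Inadequate or irregular system backups", "possible", "major"),  # 12, untreated
    Risk("Public website", "Malicious code",
         "Insufficient software testing", "unlikely", "moderate"),         # 6, accept as-is
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER):
        print(row)
```

The point the plan makes visible is that treatment does not end the job: the first risk still scores 10 after MFA is added, so it either needs a further control or a recorded acceptance decision, and the untreated file-server risk outranks the treated laptop risk once residual scores are compared.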

This can be a labour-intensive task, but our risk assessment tool vsRisk does the work for you.

This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.

Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.

Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.

We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licences you require to your basket and proceed to the checkout.
