One of the core aspects of an information security risk assessment is to identify the threats your organisation faces.
We recommend that you follow the best practices outlined in ISO 27001 when doing this. The international standard provides a framework for developing an ISMS (information security management system) that’s dictated by the results of your risk assessment.
Specifically, ISO 27005 contains in-depth guidance on identifying, assessing, evaluating and treating information security risks.
The Standard is applicable to all organisations, regardless of size or sector, and supports the general concepts outlined in ISO 27001.
How does ISO 27005 work?
It can take quite some time for the risk assessor to try to come up with every possible threat scenario.
A more detailed assessment of the likelihood and impact of risks must be undertaken during a later stage in the risk assessment process.
At the same time, the likelihood of such a threat occurring also needs to be considered. This is a key consideration, because some threats are so unlikely to occur that risk assessors tend to ignore them – for instance, a natural disaster occurring in an area with stable weather conditions.
Once you have identified the threats, the next step is to identify the corresponding weaknesses (or vulnerabilities) in your organisational systems, resources, processes or policies that could be exploited by the threat.
It is always useful to start off with a list of known threats to information security. ISO 27005 provides a detailed list of threats and vulnerabilities – and we list some of them below, but you can also find them in Vigilant Software’s risk assessment tool vsRisk.
If you are following an asset-based risk assessment, you may want to first identify the assets, and then choose the specific vulnerabilities that apply to them.
What threats might you face?
Threats come in various guises, such as natural disasters, a data leak, computer malfunction or even more severe scenarios, such as a bomb or terrorist attack.
One common threat relates to contractual or regulatory breaches, whether that’s a violation of the terms of contract with a third party (including a security incident that they’re responsible for) or a breach of a regulatory requirements, such as those outlined in the GDPR (General Data Protection Regulation).
Another common category of threats is the improper disclosure of sensitive information – whether that’s password breaches, employee data, customer data or intellectual property.
Similarly, organisations need to be concerned about unauthorised access to their information. This includes access to information systems, networks, physical premises and databases.
It’s not just the threat of information being compromised that you need to worry about, though. You also need to consider the possibility of someone creating fraudulent records or amending existing data to contain incorrect information.
Other threats you may need to address include:
- Employees going on strike
- Equipment malfunction
- Industrial espionage
- Interruption of business processes
- Loss of support services
- Maintenance errors
- Malicious code
- Phishing scams
- Sensitive data being compromised
- Social engineering
- Terrorism threat in the immediate vicinity or affecting nearby transport and logistics
- Theft of equipment
- Theft of sensitive data
Performing an ISO 27001 risk assessment
Identifying risks and vulnerabilities is just the beginning of your ISO 27001 risk assessment. Next, you need to assess and prioritise each one – and only then can you implement measures to secure them.
This can be a labour-intensive task, but our risk assessment tool vsRisk does the work for you.
This software package provides a simple and fast way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.
Its asset library assigns organisational roles to each asset group, applying relevant potential threats and risks by default.
Meanwhile, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks, and the built-in control sets help you comply with multiple frameworks.
We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.
A version of this blog was originally published on 28 October 2014.