A risk assessment process that meets the requirements of ISO/IEC 27001:2013 should have five key steps. The second step in this process is to identify risks and, while this is a relatively straightforward activity, it is the most time-consuming part of the whole risk assessment process.
How to identify threats
You will need to establish which events may compromise the confidentiality, integrity and availability of each of the assets within your scope. To help you get started, we have narrowed it down to the top 10 threats you should consider in your information security risk assessment:
1. Social engineering: Social engineering is the act of manipulating people into performing actions or divulging confidential information for malicious purposes. Phishing is an example of a social engineering technique.
2. Disclosure of information or passwords
3. Access to the network by unauthorised persons
4. Errors in maintenance
5. Loss of electricity
6. Human or natural disasters: Human disasters include sabotage, vandalism and tampering. Natural disasters include earthquakes, volcanoes and storms.
7. Malfunction of equipment
8. Destruction of records
9. Theft of hardware
It’s important to remember that this list is not complete. Your risk assessor will need to take a significant amount of time to consider every reasonable scenario. Whether that be a bomb attack or user errors, your list of risks is bound to be a long one.
vsRisk™ risk assessment software gives you a helping hand in this process with a list of risks that have been applied to each asset group. It delivers simple, fast, accurate and hassle-free risk assessments and helps you to produce consistent, robust and reliable risk assessments year-on-year.
To see how vsRisk™ can save 80% of your time, please book a free online demonstration.