An ISO 27001 risk assessment contains five key steps. In this blog, we look at the second step in the process – identifying the risks that organisations face – and outline 10 things you should look out for.
How to identify threats
You must determine which threats can compromise the confidentiality, integrity and availability of each of the assets within the scope of your ISO 27001 compliance project.
Every organisation faces unique challenges, so there’s no single, definitive list that you can work from. However, there are some threats that are either so common or so dangerous that pretty much every organisation must account for them.
We’ve listed ten such threats here:
- Social engineering
This is the act of manipulating people into performing actions or divulging confidential information for malicious purposes. Phishing emails are the most common example.
- Disclosure of passwords
Passwords are intended to prevent unauthorised people from accessing accounts and other sensitive information.
When employees use easily guessed phrases or leave their passwords written down in plain sight, the protection a password is meant to provide is undermined, making it easy for wrongdoers to break into your systems.
- Unauthorised access to the network
Organisations must regularly check for vulnerabilities that could be exploited by criminal hackers.
For example, you might have unpatched software or a system weakness that allows a crook to plant malware.
- Maintenance errors
Sometimes organisations can introduce weaknesses into their systems during routine maintenance.
This might happen if a new update creates a vulnerability or if you accidentally disable your password protections on a sensitive database.
- Electrical outages
There is always a risk that your premises will suffer an electrical outage, which could knock your servers offline and stop employees from working.
If you can’t fix the problem quickly – or find a workaround with backup generators – then you’ll be unable to access sensitive information for hours or even days.
- Infrastructural damage
Electrical problems are just one of many ways in which your infrastructure could be damaged.
For instance, there’s also the possibility that someone will vandalise your property or sabotage systems. This is most likely to occur when a disgruntled or former employee still has access to your office.
- Malfunctioning equipment
Sometimes things go wrong without an obvious reason. Computers and other equipment are liable to break from time to time, which could make sensitive data unavailable.
- Destruction of records
Organisations must be aware of the possibility that their records – whether physical or digital – are rendered unavailable.
This might occur when paper files are damaged or digital files are corrupted, for example.
- Theft
Your information is far more likely to be stolen if it’s routinely taken off your premises. Perhaps staff bring paper records home with them, or they have work laptops that they carry around.
- Weather events
Depending on where your office and employees are based, you might have to account for damage and disruption caused by natural disasters and other weather events.
We’re not just talking about catastrophes such as earthquakes or hurricanes. You may suffer serious problems from a snowstorm, for example, with power lines being severed and employees unable to get into the office.
Remember, this list isn’t comprehensive. There are countless risks that you must review, and it’s only once you’ve identified which ones are relevant that you can determine which ones to prioritise.
You can find more advice on how to assess your information security risks by reading our free whitepaper: 5 Critical Steps to Successful ISO 27001 Risk Assessments.
It explains the risk assessment process from beginning to end, including the ways in which you can identify threats.
A version of this blog was originally published on 1 February 2017.
While all ten of the risks listed are valid and common, risks are relative to the context (internal or external) in which the assessment is conducted, so a pre-set risk list will be somewhat irrelevant. I always start by establishing the context in which the risk assessment will be conducted.
If your team members do not keep their task statuses up-to-date, or input their time spent on an activity, then you will have difficulty drawing conclusions from your EVM reports.
Great post; however, risks in a business tend to relate to the business, so while the risks listed are reasonably common and completely valid, there’s a high chance that some businesses might not need to include some of those listed.