Not all rows are shown in the table below.
ISO/IEC 27001 Annex A Reference Controls
The following list of reference controls is used within the risk assessment worksheets.
REF | CONTROL
A.5 | Organizational controls
A.5.1 | Policies for information security
A.5.2 | Information security roles and responsibilities
A.5.3 | Segregation of duties
A.5.4 | Management responsibilities
A.5.5 | Contact with authorities
A.5.6 | Contact with special interest groups
A.5.7 | Threat intelligence
A.5.8 | Information security in project management
A.5.9 | Inventory of information and other associated assets
A.5.10 | Acceptable use of information and other associated assets
A.5.11 | Return of assets
A.5.12 | Classification of information
A.5.13 | Labelling of information
A.5.14 | Information transfer
A.5.15 | Access control
A.5.16 | Identity management
A.5.17 | Authentication information
A.5.18 | Access rights
A.5.19 | Information security in supplier relationships
A.5.20 | Addressing information security within supplier agreements
A.5.21 | Managing information security in the ICT supply chain
A.5.22 | Monitoring, review and change management of supplier services
A.5.23 | Information security for use of cloud services
A.5.24 | Information security incident management planning and preparation
A.5.25 | Assessment and decision on information security events
A.5.26 | Response to information security incidents
A.5.27 | Learning from information security incidents
A.5.28 | Collection of evidence
A.5.29 | Information security during disruption
A.5.30 | ICT readiness for business continuity
A.5.31 | Legal, statutory, regulatory and contractual requirements
A.5.32 | Intellectual property rights
A.5.33 | Protection of records
A.5.34 | Privacy and protection of PII
A.5.35 | Independent review of information security
A.5.36 | Compliance with policies, rules and standards for information security
A.5.37 | Documented operating procedures
Asset, Threat, Vulnerability, Risk Type and Control Examples
The following list shows a list of assets, with associated threats and vulnerabilities, risk type and the Annex A controls that might be used to treat them. You may use this table to help to identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable.
REF | EXAMPLE ASSET GROUP | EXAMPLE THREAT(S) | EXAMPLE VULNERABILITY | RISK TYPE(S) | ANNEX A CONTROL
1 | Organization | It is not clear what the organization's rules are for managing information security. Employees and others aren't aware of what they should be doing to protect the organization | Policies either don't exist or don't cover the required areas | Availability | A.5.1 Policies for information security
2 | Organization | New threats have emerged that need to be addressed in policies | Policies are out of date, do not reflect the organization's business or technical setup | Confidentiality, Integrity and Availability | A.5.1 Policies for information security
3 | Organization | It is not clear who should be doing what with respect to information security | Roles and responsibilities for information security have not been clearly defined | Confidentiality | A.5.2 Information security roles and responsibilities
4 | Business activities | An individual is able to perform all of the steps required to perform a sensitive business process. Checks are insufficient to prevent accidental amendment or destruction of data | Processes have not been designed to limit the scope for deliberate or accidental actions | Confidentiality, Integrity and Availability | A.5.3 Segregation of duties
5 | Organization | The organization is unaware of their legal or regulatory responsibilities and may break the law without realising it | No contact is in place with bodies who may impose requirements on our organisation | Confidentiality and Availability | A.5.5 Contact with authorities
6 | Business activities | The organization lacks up to date knowledge of information security issues such as current threats, new controls and other relevant information | No budget is currently available for attendance at conferences, seminars and training events | Confidentiality, Integrity and Availability | A.5.6 Contact with special interest groups
7 | Organization | Information gathered and created during projects is not adequately protected | Project document stores are set up ad hoc and often outside of more formal access controls | Confidentiality | A.5.8 Information security in project management
8 | Information | Data held on mobile devices is prone to loss or theft of the device, or unauthorised access | No guidance is given to employees about how to protect their mobile devices | Confidentiality | A.8.1 User endpoint devices
9 | Physical/Site | A teleworking site does not meet the information security standards ensured at main locations and data is exposed to loss or theft | Teleworking arrangements are informal and no checking is done of the environment in place | Confidentiality | A.6.7 Remote working
10 | Business activities | It is not clear who does what with respect to cloud security and one party (e.g. cloud service customer) is under the impression that the other (e.g. cloud service provider) is monitoring a particular aspect | No split of responsibilities is agreed as part of the cloud take-on service | Availability | A.5.23 Information security for use of cloud services
Examples of Assets
The following is an initial list of typical assets that may be used as guidance for your risk assessment.
Note: information assets should be captured in more detail in the Information Asset Inventory.
ASSET GROUP | SUB-CATEGORY | ASSET
Business activities | Business-critical activities |
Business activities | Supporting activities | Compliance
Information | Cloud customer data | Personally identifiable information (PII)
 | | Non-PII
Information | Corporate | Budgets
 | | Sales forecasts
 | | Corporate plans
 | | Corporate policies
Information | Sales and Marketing | Customer records - names, addresses, contacts
 | | Customer credit card information
 | | Customer bank details e.g. Direct Debits
 | | Website information
 | | Customer preferences and purchase history
 | | Customer correspondence and complaints
Information | Human Resources | Employee records - address, DOB, insurance numbers
 | | Employee expense claims
 | | Payroll information, including bank details
 | | Training records
 | | Recruitment information
 | | Security clearance/check information
 | | Employee complaints/disciplinary records
 | | Sickness/occupational health records
 | | Employment contracts
Information | Finance | Accounting records - invoices, bills, accounts
 | | Business account banking details
Information | Buying | Supplier contact details
 | | Buying plans
 | | Commercial terms
Information | Legal | Supplier contracts
 | | Customer contracts
 | | Property leases
 | | Credit agreements
 | | Insurance policies
Information | Operations | Documents held on behalf of customers
 | | Product specifications and bills of materials
 | | Process and procedural documentation
 | | Intellectual Property specific to the organisation
 | | Resource plans
Information | Audit and Compliance | Internal audit records
 | | External audit reports
 | | Risk assessments
Examples of Threats
The following is a standard list of typical threats that may be used as guidance for your risk assessment.
THREAT CATEGORY | THREAT | EXAMPLE
Human | Malicious outsider | Someone launches a denial of service attack on your cloud service platform
Human | Malicious insider | An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network
Human | Loss of key personnel | One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
Human | Human error | An employee accidentally deletes cardholder data
Human | Accidental loss | A manager loses a memory stick with cardholder data on it
Natural | Fire | Your data centre burns down due to an electrical fault
Natural | Flood | The nearby river breaks its banks and your main office is severely flooded
Natural | Severe weather | No-one can get into the office due to the weather
Natural | Earthquake | The area of your main data centre is affected by an earth tremor that damages all your servers
Natural | Lightning | All your servers are fried by a lightning strike on the data centre building
Technical | Hardware failure | A key physical server has a processor failure
Technical | Software failure | Your financial system processes invoices incorrectly due to a bug
Technical | Virus/Malicious code | A virus spreads throughout your network preventing access to your (and your customers') data
Physical | Sabotage | A disgruntled ex-employee takes an axe to your server room
Physical | Theft | You come in on Monday morning to find some important drives have been stolen
Physical | Arson | Someone with a grudge against your organisation starts a fire during the night
Environmental | Hazardous waste | A lorry carrying hazardous waste has an accident outside your office
Environmental | Power failure | The sub-station supplying your area has a meltdown
Environmental | Gas supply failure | There is a suspected leak and all supplies are turned off
Operational | Process error | Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination
Operational | Crime scene | A crime happens in or near your office and the area is sealed off by police
Likelihood
This table should be used to decide upon the most appropriate likelihood for a particular threat.
LIKELIHOOD | DESCRIPTION | SUMMARY
1 | Improbable | Has never happened before and there is no reason to think it is any more likely now
2 | Unlikely | There is a possibility that it could happen, but it probably won't
3 | Likely | On balance, the risk is more likely to happen than not
4 | Very Likely | It would be a surprise if the risk did not occur, either based on past frequency or current circumstances
5 | Almost certain | Either already happens regularly or there is some reason to believe it is virtually imminent