Please note: This sample shows only a small part of the complete Asset-Based Risk Tool.
Not all columns are shown in the table below.
Not all rows are shown in the table below.
ISO/IEC 27001 Annex A Reference Controls
The following list of reference controls is used within the risk assessment worksheets.
A.5 Organizational controls
A.5.1 Policies for information security [e.g. SEC3, SEC14, SEC20]
A.5.2 Information security roles and responsibilities
A.5.3 Segregation of duties
A.5.4 Management responsibilities
A.5.5 Contact with authorities
A.5.6 Contact with special interest groups
A.5.7 Threat intelligence
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
A.5.10 Acceptable use of information and other associated assets
A.5.11 Return of assets
A.5.12 Classification of information
A.5.13 Labelling of information
A.5.14 Information transfer
A.5.15 Access control
A.5.16 Identity management
A.5.17 Authentication information
A.5.18 Access rights
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.22 Monitoring, review and change management of supplier services
A.5.23 Information security for use of cloud services
A.5.24 Information security incident management planning and preparation
A.5.25 Assessment and decision on information security events
A.5.26 Response to information security incidents
A.5.27 Learning from information security incidents
A.5.28 Collection of evidence
A.5.29 Information security during disruption
A.5.30 ICT readiness for business continuity
A.5.31 Legal, statutory, regulatory and contractual requirements
A.5.32 Intellectual property rights
A.5.33 Protection of records
A.5.34 Privacy and protection of PII
A.5.35 Independent review of information security
A.5.36 Compliance with policies, rules and standards for information security
A.5.37 Documented operating procedures
The following list shows a list of assets, with associated threats and vulnerabilities, risk type and the Annex A controls that might be used to treat them. You may use this table to help to identify relevant risks for your organization and to define where the controls from Annex A of ISO/IEC 27001 are applicable.
Not all rows are shown in the table below.
No. | Asset | Threat | Vulnerability | Risk Type | Control Examples
1 | Organization | It is not clear what the organization's rules are for managing information security. Employees and others aren't aware of what they should be doing to protect the organization | Policies either don't exist or don't cover the required areas | Availability | A.5.1 Policies for information security
2 | Organization | New threats have emerged that need to be addressed in policies | Policies are out of date, do not reflect the organization's business or technical setup | Confidentiality, Integrity and Availability | A.5.1 Policies for information security
3 | Organization | It is not clear who should be doing what with respect to information security | Roles and responsibilities for information security have not been clearly defined | Confidentiality | A.5.2 Information security roles and responsibilities
4 | Business activities | An individual is able to perform all of the steps required to perform a sensitive business process. Checks are insufficient to prevent accidental amendment or destruction of data | Processes have not been designed to limit the scope for deliberate or accidental actions | Confidentiality, Integrity and Availability | A.5.3 Segregation of duties
5 | Organization | The organization is unaware of their legal or regulatory responsibilities and may break the law without realising it | No contact is in place with bodies who may impose requirements on our organisation | Confidentiality and Availability | A.5.5 Contact with authorities
6 | Business activities | The organization lacks up to date knowledge of information security issues such as current threats, new controls and other relevant information | No budget is currently available for attendance at conferences, seminars and training events | Confidentiality, Integrity and Availability | A.5.6 Contact with special interest groups
7 | Organization | Information gathered and created during projects is not adequately protected | Project document stores are set up ad hoc and often outside of more formal access controls | Confidentiality | A.5.8 Information security in project management
8 | Information | Data held on mobile devices is prone to loss or theft of the device, or unauthorised access | No guidance is given to employees about how to protect their mobile devices | Confidentiality | A.8.1 User endpoint devices
9 | Physical/Site | A teleworking site does not meet the information security standards ensured at main locations and data is exposed to loss or theft | Teleworking arrangements are informal and no checking is done of the environment in place | Confidentiality | A.6.7 Remote working
10 | Business activities | It is not clear who does what with respect to cloud security and one party (e.g. cloud service customer) is under the impression that the other (e.g. cloud service provider) is monitoring a particular aspect | No split of responsibilities is agreed as part of the cloud take-on service | Availability | A.5.23 Information security for use of cloud services
Not all rows are shown in the table below.
Examples of Assets
The following is an initial list of typical assets that may be used as guidance for your risk assessment.
Note: information assets should be captured in more detail in the Information Asset Inventory.
Asset Category | Examples
Business activities | Business-critical activities; Supporting activities; Compliance
Information | Cloud customer data; Personally identifiable information (PII); Non-PII
Corporate | Budgets; Sales forecasts; Corporate plans; Corporate policies
Sales and Marketing | Customer records - names, addresses, contacts; Customer credit card information; Customer bank details e.g. Direct Debits; Website information; Customer preferences and purchase history; Customer correspondence and complaints
Human Resources | Employee records - address, DOB, insurance numbers; Employee expense claims; Payroll information, including bank details; Training records; Recruitment information; Security clearance/check information; Employee complaints/disciplinary records; Sickness/occupational health records; Employment contracts
Finance | Accounting records - invoices, bills, accounts
Buying | Business account banking details; Supplier contact details; Buying plans; Commercial terms
Legal | Supplier contracts; Customer contracts; Property leases; Credit agreements; Insurance policies
Operations | Documents held on behalf of customers; Product specifications and bills of materials; Process and procedural documentation; Intellectual Property specific to the organisation; Resource plans
Audit and Compliance | Internal audit records; External audit reports; Risk assessments
Examples of Threats
The following is a standard list of typical threats that may be used as guidance for your risk assessment.
THREAT CATEGORY | THREAT | EXAMPLE
Human | Malicious outsider | Someone launches a denial of service attack on your cloud service platform
Human | Malicious insider | An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network
Human | Loss of key personnel | One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
Human | Human error | An employee accidentally deletes cardholder data
Human | Accidental loss | A manager loses a memory stick with cardholder data on it
Natural | Fire | Your data centre burns down due to an electrical fault
Natural | Flood | The nearby river breaks its banks and your main office is severely flooded
Natural | Severe weather | No-one can get into the office due to the weather
Natural | Earthquake | The area of your main data centre is affected by an earth tremor that damages all your servers
Natural | Lightning | All your servers are fried by a lightning strike on the data centre building
Technical | Hardware failure | A key physical server has a processor failure
Technical | Software failure | Your financial system processes invoices incorrectly due to a bug
Technical | Virus/Malicious code | A virus spreads throughout your network, preventing access to your (and your customers') data
Physical | Sabotage | A disgruntled ex-employee takes an axe to your server room
Physical | Theft | You come in on Monday morning to find some important drives have been stolen
Physical | Arson | Someone with a grudge against your organisation starts a fire during the night
Environmental | Hazardous waste | A lorry carrying hazardous waste has an accident outside your office
Environmental | Power failure | The sub-station supplying your area has a meltdown
Environmental | Gas supply failure | There is a suspected leak and all supplies are turned off
Operational | Process error | Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination
Operational | Crime scene | A crime happens in or near your office and the area is sealed off by police
Likelihood
This table should be used to decide upon the most appropriate likelihood for a particular threat.
LIKELIHOOD | DESCRIPTION | SUMMARY
1 | Improbable | Has never happened before and there is no reason to think it is any more likely now
2 | Unlikely | There is a possibility that it could happen, but it probably won't
3 | Likely | On balance, the risk is more likely to happen than not
4 | Very Likely | It would be a surprise if the risk did not occur, either based on past frequency or current circumstances
5 | Almost certain | Either already happens regularly or there is some reason to believe it is virtually imminent
Impact
This table should be used as guidance to help to decide upon the correct impact rating for a particular threat.
ISO/IEC 27001 Asset-based risk assessment and treatment tool dashboard
To refresh chart data on the risk dashboard, click on “Refresh All” on the Data ribbon.
Dashboard charts (chart images are not reproduced in this sample; titles only):
Pre-treatment assessment
Number of pre-treatment risks
Post-treatment assessment
Number of post-treatment risks
Classification of risk level
Pre-treatment risk levels by risk owner
Number of risks by risk level pre and post treatment
Risks by treatment option chosen
Risk profile diagram
The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact. The charts below show the spread of risk severities before and after risk treatment.