Identifying threats and vulnerabilities
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Answer: I'm assuming you are talking about the article "ISO 27001 risk assessment: How to match assets, threats and vulnerabilities" (https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/). That said, technically there is no difference if you start first with identifying threats or vulnerabilities (this choice is basically upon which element you know best considering your context). However, in operational terms, the best approach is to identify the vulnerabilities first, since they are easier to be confirmed (assets and controls that may have them are under your management). In case of threats, specially those external to your organization, not always you will have enough information to confirm if they are applicable.
This material will also help you regarding threats and vulnerabilities:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
Aug 24, 2017