Analyzing threats
Answer:
From my point of view, in your case there are 3 different assets: the web application (asset of type software), the physical server (asset of type hardware), and the information that the web application holds (asset of type information).
The threat (a) that you have identified is related to the asset physical server, and the threat (b) is related to the web application, and there are other threats related to the web application like denial of service, elevation of privilege, SQL injection, etc. But the other assets also have more threats that you need to identify.
So, the classification of assets is very important to identify each threat to each asset, this article can help you to identify assets based on a classification “How to handle Asset register (Asset inventory) according to ISO 27001” : https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
And for the identification of threats for each asset, you simply need a catalogue of threats/vulnerabilities, so this article can also be interesting for you “Catalogue of threats & vulnerabilities” : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
And this article about how to match assets, threats and vulnerabilities can also be interesting for you “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally, in our online course you can also find more information about the identification of assets and threats “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/
I am happy and appreciate that you have posted my question. Your response provides a structured approach to the risk assessment process. I have pretty much followed that approach so far, thanks to having used your products and trainings. My fundamental doubt, however, remains a bit unclear. Let me re-establish my doubt using an example from your article titled "How to match assets, threats and vulnerabilities". In that article, for the asset of Digital Information, the following threat and vulnerability had been identified - threat: disk failure; vulnerability: there is no backup of the document. I would have identified that threat as well, but my doubts are: (a) Shouldn't that threat be listed under the physical server asset? (that is what I called "crossing the line" in my original question); (b) Is it ok to have that threat listed under two different assets?
Keep up the good work you guys do!
Regards,
Ricardo
Ricardo, ISO 27001 does not prescribe how you should combine assets, threats and vulnerabilities, which means you have to use a system that makes the most sense for your situation.
In my view, if there are few risks related to a particular server, then you can view the server as a single asset where hardware, software and data are combined; if there are numerous risks related to this server, in that case you can view those three assets separately.
Feb 29, 2016