Expert Advice Community

ISO27005 Threats & Vulnerabilities

brianhopla Created:   Sep 19, 2017 Last commented:   Sep 21, 2017

Does ISO27005 contain any further information about the nature of the catalogue of threats & vulnerabilities; for example, does it provide definitions, explanations or contextual examples of each threat?

Expert
Rhand Leal Sep 21, 2017

Regarding threats, ISO 27005 provides information about their type (e.g., physical damage, natural event, technical failure, etc.), examples (e.g., fire, dust, flood, defective software, etc.) and origin (e.g., intentional, accidental, etc.), but does not provide definitions, explanations or contextual examples. The exception is human-related threats, for which it provides information about threat source, motivation and potential consequences.

Regarding vulnerabilities, ISO 27005 provides information regarding vulnerability types, examples and the possible threats associated with them.

These articles will provide you with further explanation about threats and vulnerabilities:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

These materials will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

brianhopla Oct 27, 2017

Thanks, but I was referring to the actual threat 'events' in the threat & vulnerability catalogue, i.e. is there a definition anywhere of what constitutes the difference between, for example, 'unauthorised access to info systems' as opposed to 'access to network by unauthorised persons', or 'info leakage' as opposed to 'disclosure of info', etc., etc.
