ISO27005 Threats & Vulnerabilities
Regarding threats, ISO 27005 provides information about their type (e.g., physical damage, natural event, technical failure, etc.), examples (e.g., fire, dust, flood, defective software, etc.) and origin (e.g., intentional, accidental, etc.), but does not provide definitions, explanations or contextual examples. The exception is human-related threats, where it provides information about threat source, motivation and potential consequences.
Regarding vulnerabilities, ISO 27005 provides information regarding vulnerability types, examples and the possible threats associated with them.
These articles will provide you with further explanation about threats and vulnerabilities:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
These materials will also help you regarding risk management:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Thanks, but I was referring to the actual threat 'events' in the threat & vulnerability catalogue, i.e. is there a definition anywhere of what constitutes the difference between, for example, 'unauthorised access to info systems' as opposed to 'access to network by unauthorised persons', or 'info leakage' as opposed to 'disclosure of info', etc., etc.?
Oct 27, 2017