Security controls for E-Commerce?
2. What is the basic difference between threat and risk?
Answers:
1.- I am sorry, but in Annex A of ISO 27001:2013 there is no specific control related to security protocols in e-commerce, although you can use the controls “A.14.1.2 Securing application services on public networks” and “A.14.1.3 Protecting application services transactions”, which are related to the protection of application services and application service transactions, and which you can use for e-commerce.
2.- The basic difference is that a threat can harm a system or your organization, while the risk gives you information about which parts of your organization need to be protected by implementing security controls, reducing the probability that a threat materializes. About threats, you can see here a list of the most common ones, “Catalog of threats & vulnerabilities”: https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/
This article about risk assessment, where we talk about risks and threats, may also be interesting for you, “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”: https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
Finally, our online course may also be interesting for you, because we give more information about risks and threats, “ISO 27001:2013 Foundations Course”: https://advisera.com/training/iso-27001-foundations-course/
Apr 10, 2016