Expert Advice Community

Threats identification

Guest
Guest user Created: Dec 06, 2016 Last commented: Dec 06, 2016

I have a computer as an asset (note: no data/information is stored on it; we use shared folders). What are then the threats? Only the loss of the device? Or malfunction of the system, fire?

Expert
Rhand Leal Dec 06, 2016

Answer: To identify threats you should consider how the confidentiality, integrity and availability of information may be compromised through a computer. Some examples of threats you should consider are:

- Unauthorized access.
- Loss of access to information.
- Computer damaged.

This article will provide you further explanation about identifying threats:
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

This material can provide you some other examples of threats:
- Catalogue of threats & vulnerabilities https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

These materials will also help you regarding threats identification:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Guest
jacekwojdyla Dec 06, 2016

Thanks! Well, we use shared folders and have a policy not to save any information on clients. This implies that information values such as A/I/C cannot be affected, so in this case I assume that it is not necessary to list computers in the risk assessment process, right?
Expert
Rhand Leal Dec 06, 2016

In your scenario you use the computer only to access information, not to store it, but if the computer is somehow compromised the information can be at risk.

For example, if malware is installed on the computer, files can be downloaded without the user's knowledge. Another point is that a policy alone, defining that information is not to be saved on clients, may not be enough to prevent users from actually downloading files, and sometimes, depending on the information system, information can be downloaded to clients (as temp files); if the system is not configured to properly delete temp files, they may remain on the client.

So, my suggestion is that you should consider computers in your risk assessment process. During the process you may identify that there are no relevant risks regarding the computer (there is no risk, or the risk value is acceptable), and no further actions are required.
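The expert's point above is that a "no data on clients" policy is only as good as the client's actual state, so the risk assessment needs evidence rather than assumption. The script below is an added illustration, not part of this thread or of Advisera's material: it scans a client computer's temporary directory for leftover copies of documents opened from a network share and summarises what it finds as evidence for the risk register entry. The residue filename patterns, the directory layout and the sample files are all constructed assumptions for the demonstration; adapt the patterns to the applications your users actually run.

```python
"""Evidence check for a risk assessment: do shared-folder documents linger in a client's temp area?"""
import fnmatch
import tempfile
from pathlib import Path

# Assumed patterns (not from the thread): artefacts that desktop applications commonly leave
# behind when a document from a network share is opened or edited on the client.
RESIDUE_PATTERNS = ["~$*", "*.tmp", "*.docx", "*.xlsx", "*.pdf"]


def find_residual_files(temp_root, patterns=RESIDUE_PATTERNS):
    """Return the sorted, POSIX-style relative paths of every file under temp_root
    whose name matches one of the residue patterns. A missing directory yields []."""
    root = Path(temp_root)
    if not root.is_dir():
        return []
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and any(fnmatch.fnmatch(path.name, p) for p in patterns):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def risk_evidence(temp_root):
    """Package the scan result in the shape a risk register row needs:
    asset, the vulnerability being tested, and whether the weakness was observed."""
    hits = find_residual_files(temp_root)
    return {
        "asset": "client computer",
        "vulnerability": "temporary files from shared folders not deleted on the client",
        "residual_files": hits,
        "finding": "present" if hits else "none",
    }


def build_sample_temp_dir():
    """Create a throwaway directory that mimics a client's temp area (constructed sample data).
    Four of the five files are the kind of residue the expert warns about; the log is noise."""
    d = Path(tempfile.mkdtemp(prefix="client-temp-"))
    (d / "outlook-cache").mkdir()
    for rel in [
        "~$Budget2016.xlsx",          # Office lock/owner file left by an open spreadsheet
        "Budget2016.xlsx",            # full copy of a shared-folder document
        "report.docx.tmp",            # editor scratch copy
        "outlook-cache/contract.pdf", # attachment cached by a mail client
        "printer.log",                # unrelated, should not be reported
    ]:
        (d / rel).write_bytes(b"constructed sample content")
    return str(d)


if __name__ == "__main__":
    sample_dir = build_sample_temp_dir()
    evidence = risk_evidence(sample_dir)
    print(f"Scanned {sample_dir}: finding={evidence['finding']}")
    for f in evidence["residual_files"]:
        print("  residual file:", f)
```

If the finding is "present" the vulnerability is real on that client and the computer belongs in the register with a non-zero risk value; if it is "none" across a representative sample of machines, the expert's second outcome applies and the residual risk can be documented as acceptable without further treatment.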
Guest
jacekwojdyla Dec 08, 2016

Thanks, very helpful input. Will consider your suggestions.