CALL US 1-888-553-2256

ISO 27001/ISO 22301 Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

ISO 27001 risk assessment: How to match assets, threats and vulnerabilities

Author: Dejan Kosutic

The 2013 revision of ISO 27001 allows you to identify risks using any methodology you like; however, the old methodology (defined by the old 2005 revision of ISO 27001), which requires identification of assets, threats and vulnerabilities, is still dominating. (See also: What has changed in risk assessment in ISO 27001:2013.)

So, how do you combine assets, threats and vulnerabilities in order to identify risks?

How to document the risk identification

Risk identification is the first half of the risk assessment process, after which comes the evaluation part (assessing the impacts and likelihood) – see the details here: How to write ISO 27001 risk assessment methodology.

To make your risk assessment easier, you can use a sheet with assets, threats and vulnerabilities in columns; you should also include some other information like risk ID, risk owners, impact and likelihood, etc.

I found it the easiest to start listing items column by column, not row by row – this means you should list all of your assets first, and only then start finding a couple of threats for each asset, and finally find a couple of vulnerabilities for each threat.

To learn which types of assets you should take into account, read this article: How to handle Asset register (Asset inventory) according to ISO 27001, and click here to see a catalog of threats and vulnerabilities appropriate for smaller and mid-sized companies.

Relationship between assets, threats and vulnerabilities

So, let’s see what this matching of the three components could look like – for example:

  • Asset: paper document:
    • threat: fire; vulnerability: document is not stored in a fire-proof cabinet (risk related to the loss of availability of the information)
    • threat: fire; vulnerability: there is no backup of the document (potential loss of availability)
    • threat: unauthorized access; vulnerability: document is not locked in a cabinet (potential loss of confidentiality)
  • Asset: digital document:
    • threat: disk failure; vulnerability: there is no backup of the document (potential loss of availability)
    • threat: virus; vulnerability: anti-virus program is not properly updated (potential loss of confidentiality, integrity and availability)
    • threat: unauthorized access; vulnerability: access control scheme is not properly defined (potential loss of confidentiality, integrity and availability)
    • threat: unauthorized access; vulnerability: the access was given to too many people (potential loss of confidentiality, integrity and availability)
  • Asset: system administrator:
    • threat: unavailability of this person; vulnerability: there is no replacement for this position (potential loss of availability)
    • threat: frequent errors; vulnerability: lack of training (potential loss of integrity and availability)
    • etc.

This might seem complicated at first glance, but once you start doing this you’ll see it goes rather quickly. Some people prefer using tools for this kind of work, and I agree this could be a good move for larger companies, but for smaller ones using a tool would only take too much time: When to use tools for ISO 27001/ISO 22301 and when to avoid them.

How much is enough?

Very often people ask me – how many risks should they identify? If they start being really thorough, for each asset they could find 10 threats, and for each threat at least 5 vulnerabilities – this is quite realistic, isn’t it?

Now if you are a small company with 50 assets, this would mean you would end up with 2,500 risks, which would probably be overkill for this size of a company. This is why you should focus only on the most important threats and vulnerabilities, while including all the assets; that would mean that per each asset you should identify on average 5 threats, and for each threat on average 2 vulnerabilities. This way you would end up with 500 risks for a smaller company with 50 assets, which is quite manageable.

Why is this methodology still good?

I personally like this assets-threats-vulnerabilities methodology quite a bit – not that I’m nostalgic for the 2005 revision of ISO 27001, but I think this methodology gives a good balance between doing the risk assessment quickly, and at the same time doing it both systematically and detailed enough so that one can pinpoint where the potential security problem is.

And this is what risk assessment is really about: find out about a potential problem before it actually happens. In other words, ISO 27001 tells you: better safe than sorry.

In this free ISO 27001 Foundations Online Course you’ll see examples on how to identify assets, threats and vulnerabilities compliant with ISO 27001.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

2 responses to “ISO 27001 risk assessment: How to match assets, threats and vulnerabilities”

  1. usman says:

    limiting the threats or vulnerabilities, we may overlook some risks.
    can we

    1.Group assets of alike threats and list all possible vulnerabilities.
    2. Access risks for a service (with all assets involved) rather then assessing asset by asset to make it more normalize,

    Low risk level can be accepted, but once documented cannot be ignored next time.
    what do you think

    • Usman, yes it is possible to group similar assets and identify vulnerabilities and threats for such assets – an example would be to list all the physical assets and then list environmental threats (e.g. earthquake) for all of these assets.

      If you assess risks on the level of service, you might miss some important threats or vulnerabilities that are specific for assets that are part of that service, while those assets/threats/vulnerabilities might not be visible from the service itself. For example, if you consider only the hosting service, you might easily overlook the risks related to fire.

      Regarding your comment that you may overlook some risks if you limit the number of threats and vulnerabilities, the question is: is it better to have this shortened version of risk assessment, or to have a risk assessment that would last 6 months, and that would consume huge amount of resources?

Leave a Reply

Your email address will not be published. Required fields are marked *

Dejan Kosutic
Lead ISO 27001/ISO 22301 Expert, Advisera


Upcoming free webinar
How to set the ISMS scope according to ISO 27001
Wednesday – July 3, 2019



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.