
Catalogue of threats & vulnerabilities

Author: Dejan Kosutic

This list of threats and vulnerabilities can help with implementing risk assessment within the framework of ISO 27001 or ISO 22301. The list is not final – each organization must add its own specific threats and vulnerabilities that endanger the confidentiality, integrity and availability of its assets.


Below is a list of threats – this is not a definitive list; it must be adapted to the individual organization:

  • Access to the network by unauthorized persons
  • Bomb attack
  • Bomb threat
  • Breach of contractual relations
  • Breach of legislation
  • Compromising confidential information
  • Concealing user identity
  • Damage caused by a third party
  • Damages resulting from penetration testing
  • Destruction of records
  • Disaster (human caused)
  • Disaster (natural)
  • Disclosure of information
  • Disclosure of passwords
  • Eavesdropping
  • Embezzlement
  • Errors in maintenance
  • Failure of communication links
  • Falsification of records
  • Fire
  • Flood
  • Fraud
  • Industrial espionage
  • Information leakage
  • Interruption of business processes
  • Loss of electricity
  • Loss of support services
  • Malfunction of equipment
  • Malicious code
  • Misuse of information systems
  • Misuse of audit tools
  • Pollution
  • Social engineering
  • Software errors
  • Strike
  • Terrorist attacks
  • Theft
  • Lightning strike
  • Unintentional change of data in an information system
  • Unauthorized access to the information system
  • Unauthorized changes of records
  • Unauthorized installation of software
  • Unauthorized physical access
  • Unauthorized use of copyright material
  • Unauthorized use of software
  • User error
  • Vandalism


Below is a list of vulnerabilities – this is not a definitive list; it must be adapted to the individual organization:

  • Complicated user interface
  • Default passwords not changed
  • Disposal of storage media without deleting data
  • Equipment sensitivity to changes in voltage
  • Equipment sensitivity to moisture and contaminants
  • Equipment sensitivity to temperature
  • Inadequate cabling security
  • Inadequate capacity management
  • Inadequate change management
  • Inadequate classification of information
  • Inadequate control of physical access
  • Inadequate maintenance
  • Inadequate network management
  • Inadequate or irregular backup
  • Inadequate password management
  • Inadequate physical protection
  • Inadequate protection of cryptographic keys
  • Inadequate replacement of older equipment
  • Inadequate security awareness
  • Inadequate segregation of duties
  • Inadequate segregation of operational and testing facilities
  • Inadequate supervision of employees
  • Inadequate supervision of vendors
  • Inadequate training of employees
  • Incomplete specification for software development
  • Insufficient software testing
  • Lack of access control policy
  • Lack of clean desk and clear screen policy
  • Lack of control over the input and output data
  • Lack of internal documentation
  • Lack of or poor implementation of internal audit
  • Lack of policy for the use of cryptography
  • Lack of procedure for removing access rights upon termination of employment
  • Lack of protection for mobile equipment
  • Lack of redundancy
  • Lack of systems for identification and authentication
  • Lack of validation of the processed data
  • Location vulnerable to flooding
  • Poor selection of test data
  • Single copy
  • Too much power in one person
  • Uncontrolled copying of data
  • Uncontrolled download from the Internet
  • Uncontrolled use of information systems
  • Undocumented software
  • Unmotivated employees
  • Unprotected public network connections
  • User rights are not reviewed regularly
