Catalogue of threats & vulnerabilities
This list of threats and vulnerabilities can serve as a help for implementing risk assessment within the
framework of ISO 27001 or ISO 22301. This list is not final – each organization must add their own
specific threats and vulnerabilities that endanger the confidentiality, integrity and availability of their
assets.
Threats
Below is a list of threats; this is not a definitive list and must be adapted to the individual organization:
• Access to the network by unauthorized persons
• Bomb attack
• Bomb threat
• Breach of contractual relations
• Breach of legislation
• Compromising confidential information
• Concealing user identity
• Damage caused by a third party
• Damages resulting from penetration testing
• Destruction of records
• Disaster (human caused)
• Disaster (natural)
• Disclosure of information
• Disclosure of passwords
• Eavesdropping
• Embezzlement
• Errors in maintenance
• Failure of communication links
• Falsification of records
• Fire
• Flood
• Fraud
• Industrial espionage
• Information leakage
• Interruption of business processes
• Loss of electricity
• Loss of support services
• Malfunction of equipment
• Malicious code
• Misuse of information systems
• Misuse of audit tools
• Pollution
• Social engineering
• Software errors
• Strike
• Terrorist attacks
• Theft
• Thunderstroke (lightning)
• Unintentional change of data in an information system
• Unauthorized access to the information system
• Unauthorized changes of records
• Unauthorized installation of software
• Unauthorized physical access
• Unauthorized use of copyright material
• Unauthorized use of software
• User error
• Vandalism

Vulnerabilities
Below is a list of vulnerabilities; this is not a definitive list and must be adapted to the individual organization:
• Complicated user interface
• Default passwords not changed
• Disposal of storage media without deleting data
• Equipment sensitivity to changes in voltage
• Equipment sensitivity to moisture and contaminants
• Equipment sensitivity to temperature
• Inadequate cabling security
• Inadequate capacity management
• Inadequate change management
• Inadequate classification of information
• Inadequate control of physical access
• Inadequate maintenance
• Inadequate network management
• Inadequate or irregular backup
• Inadequate password management
• Inadequate physical protection
• Inadequate protection of cryptographic keys
• Inadequate replacement of older equipment
• Inadequate security awareness
• Inadequate segregation of duties
• Inadequate segregation of operational and testing facilities
• Inadequate supervision of employees
• Inadequate supervision of vendors
• Inadequate training of employees
• Incomplete specification for software development
• Insufficient software testing
• Lack of access control policy
• Lack of clean desk and clear screen policy
• Lack of control over the input and output data
• Lack of internal documentation
• Lack of or poor implementation of internal audit
• Lack of policy for the use of cryptography
• Lack of procedure for removing access rights upon termination of employment
• Lack of protection for mobile equipment
• Lack of redundancy
• Lack of systems for identification and authentication
• Lack of validation of the processed data
• Location vulnerable to flooding
• Poor selection of test data
• Single copy
• Too much power in one person
• Uncontrolled copying of data
• Uncontrolled download from the Internet
• Uncontrolled use of information systems
• Undocumented software
• Unmotivated employees
• Unprotected public network connections
• User rights are not reviewed regularly