ISO 27001 Glossary

What is a Threat in ISO 27001?

Overview

A Threat is any potential cause of an unwanted incident that may result in harm to your information systems or organization. In ISO 27001:2022, identifying threats is a fundamental part of risk assessment (Clause 6.1.2) and determines which security controls you need to implement.

Understanding threats helps you assess the likelihood and impact of risks to your information assets.

Threats in Practice

During risk assessment, you identify threats that could exploit vulnerabilities in your assets and cause security incidents. Threats can be:

  • Intentional: Deliberate actions by threat actors (hackers, malicious insiders, competitors)

  • Accidental: Unintentional actions causing harm (employee errors, misconfigurations)

  • Environmental: Natural events or physical conditions (fires, floods, power outages)

Threats exploit vulnerabilities to create risks. A vulnerability without a credible threat may pose minimal risk, while a threat without a vulnerability to exploit cannot cause harm.

Categories of Threats

Cyber Threats

Threats targeting digital systems and data:

  • Malware: Viruses, ransomware, trojans, spyware

  • Phishing: Social engineering to steal credentials or sensitive information

  • Distributed Denial of Service (DDoS): Overwhelming systems to disrupt availability

  • Advanced Persistent Threats (APTs): Sophisticated, targeted attacks

  • SQL injection and web attacks: Exploiting application vulnerabilities

  • Zero-day exploits: Attacks using previously unknown vulnerabilities

Example: A ransomware threat could exploit an unpatched server vulnerability (A.8.8) to encrypt business-critical data, causing financial loss and operational disruption.

Human Threats

Threats involving people:

  • Malicious insiders: Employees or contractors intentionally stealing data or sabotaging systems

  • Social engineering: Manipulating users to bypass security controls

  • Privilege abuse: Authorized users exceeding their access rights

  • Unintentional errors: Accidental data deletion, misconfiguration, or sending sensitive information to wrong recipients

Example: An employee clicking a phishing email could provide credentials that allow unauthorized access to customer data (countered by security awareness training A.6.3 and MFA A.5.17).

Physical Threats

Threats to physical assets and facilities:

  • Theft: Stealing laptops, servers, backup media

  • Unauthorized access: Intruders entering secure areas

  • Vandalism: Intentional damage to equipment

  • Natural disasters: Earthquakes, floods, fires

  • Infrastructure failures: Power outages, HVAC failures, water damage

Example: A fire in a data center threatens server availability (addressed by physical security controls A.7.1-A.7.14 and backup procedures A.8.13).

Third-Party Threats

Threats from suppliers, partners, and service providers:

  • Supply chain attacks: Compromised software or hardware from vendors

  • Cloud service failures: Provider outages or security breaches

  • Contractor negligence: Third parties failing to maintain security controls

Example: A breach at a cloud provider could expose customer data (mitigated by supplier security assessments A.5.19-A.5.23 and contractual security requirements).

Threats are constantly evolving. Your risk assessment should be reviewed regularly (at planned intervals and when significant changes occur) to identify new threats like emerging malware variants or geopolitical risks.

Threat Assessment in Risk Assessment

When conducting risk assessment (Clause 6.1.2), you evaluate threats by considering:

  • Threat source: Who or what could cause the threat (cybercriminals, competitors, natural events)

  • Motivation: Why they would target your organization (financial gain, espionage, disruption)

  • Capability: Their skill level and resources

  • Likelihood: Probability the threat will materialize and exploit a vulnerability

Example threat scenario:

  • Asset: Customer payment database

  • Vulnerability: Weak password policy (no MFA)

  • Threat: External hacker seeking financial gain

  • Risk: Unauthorized access to payment data, resulting in data breach and regulatory fines

  • Treatment: Implement MFA (A.5.17), strong password policy (A.5.17), and encryption (A.8.24)

Threat Intelligence

ISO 27001:2022 Annex A includes A.5.7 (Threat Intelligence) as a new control requiring organizations to collect and analyze threat intelligence to understand relevant threats.

Sources of threat intelligence:

  • National cybersecurity agencies (CISA, NCSC, CERT)

  • Industry information sharing groups (ISACs)

  • Commercial threat feeds and security vendors

  • Dark web monitoring services

  • Incident reports from peer organizations

Use ISMS Copilot to identify relevant threats for your industry and assets, generate threat scenarios for risk assessments, or map threats to appropriate Annex A controls.

Threat vs. Vulnerability vs. Risk

These terms are related but distinct:

  • Threat: The potential cause of an incident (e.g., ransomware attack)

  • Vulnerability: A weakness that can be exploited (e.g., unpatched software)

  • Risk: The combination of threat, vulnerability, likelihood, and impact (e.g., high risk of ransomware encrypting unpatched servers, causing business disruption)

Controls address risks by:

  • Reducing vulnerabilities (e.g., patch management A.8.8)

  • Detecting or blocking threats (e.g., malware protection A.8.7)

  • Limiting impact if a threat succeeds (e.g., backups A.8.13)
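The threat scenario above (asset, vulnerability, threat, risk, treatment) and the threat/vulnerability/risk distinction can be captured in a small risk-register model. The following is an added example, not part of this glossary or of any ISO 27001 tooling: the 1-5 likelihood and impact scales, the rating bands and the `RiskEntry`, `score`, `residual` and `untreated` names are all assumptions, since the standard prescribes no scoring formula. It encodes the rule that a threat with no vulnerability to exploit scores zero, and separates inherent risk from residual risk after controls such as MFA (A.5.17) and encryption (A.8.24) are applied.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed 1-5 scales and rating bands (ISO 27001:2022 prescribes no formula).
RATING_BANDS = [(0, "none"), (1, "low"), (6, "medium"), (12, "high"), (20, "critical")]

@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str | None         # None: no exploitable weakness identified
    likelihood: int                   # 1-5, chance the threat materialises
    impact: int                       # 1-5, harm if it does
    controls: list[str] = field(default_factory=list)  # Annex A refs, e.g. "A.5.17"
    treated_likelihood: int | None = None  # reassessed values once controls apply
    treated_impact: int | None = None

def score(likelihood: int, impact: int, vulnerability: str | None) -> int:
    """A threat with no vulnerability to exploit cannot cause harm, so it scores 0."""
    if vulnerability is None:
        return 0
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact

def rating(value: int) -> str:
    """Map a numeric score onto the assumed rating bands."""
    return [name for threshold, name in RATING_BANDS if value >= threshold][-1]

def inherent(entry: RiskEntry) -> int:
    return score(entry.likelihood, entry.impact, entry.vulnerability)

def residual(entry: RiskEntry) -> int:
    """Score after treatment, keeping inherent values where nothing was reassessed."""
    lik = entry.likelihood if entry.treated_likelihood is None else entry.treated_likelihood
    imp = entry.impact if entry.treated_impact is None else entry.treated_impact
    return score(lik, imp, entry.vulnerability)

def untreated(entries: list[RiskEntry], min_rating: str = "medium") -> list[RiskEntry]:
    """Entries rated at or above min_rating that still have no control linked."""
    order = [name for _, name in RATING_BANDS]
    return [e for e in entries if not e.controls
            and order.index(rating(inherent(e))) >= order.index(min_rating)]

# The page's worked scenario as a register entry; the 1-5 values are constructed.
PAYMENT_DB = RiskEntry(
    asset="Customer payment database", threat="External hacker seeking financial gain",
    vulnerability="Weak password policy (no MFA)", likelihood=4, impact=5,
    controls=["A.5.17", "A.8.24"], treated_likelihood=1, treated_impact=3,
)
```

`untreated()` gives the review check the register needs: any entry rated medium or above with no control linked is a gap in the treatment plan.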

Common Threats by Industry

Financial Services

Advanced persistent threats, phishing targeting customer credentials, DDoS attacks, insider trading, regulatory scrutiny.

Healthcare

Ransomware targeting patient systems, theft of medical records, insider access abuse, medical device vulnerabilities.

Retail/E-commerce

Payment card data theft, credential stuffing, supply chain attacks, DDoS during peak sales, fraudulent transactions.

SaaS/Technology

API abuse, account takeovers, data breaches, insider threats, cloud misconfigurations, zero-day exploits.

Document identified threats in your risk assessment register, linking each threat to assets, vulnerabilities, and selected controls. Update the register when new threats emerge.
