Risk assessment table

This table is designed as a practical reference for assessing vulnerabilities, threats, and risks in your organisation. It is not a checklist where you simply tick boxes — it is a conversation starter to identify what could go wrong, why, and how to mitigate it.

Each row connects what can go wrong (vulnerability), how it might happen (threats), what kind of threat it is (deliberate, accidental, environmental), which ISO 27001 control it maps to, and how you can reduce the risk (mitigating controls).

Threat types: D = Deliberate, A = Accidental, E = Environmental

| Security area | Vulnerability | Example threats | Threat type | ISO 27001 Annex A | Suggested mitigating control |
|---|---|---|---|---|---|
| Hardware | Outdated firmware, default passwords | Physical tampering, malware installation | D | A.8 Asset management, A.9 Access control | Automated firmware management, version control, secure configuration baselines, device hardening |
| Hardware | Unsecured USB ports | Malware introduction via removable media | D, A | A.12 Operations security | Disable/lock unused ports, enforce removable media policies, endpoint protection |
| Hardware | Insufficient periodic replacement schedule | Device failures, degraded security | A | A.8 Asset management | Equipment lifecycle management, replacement schedules, asset tracking |
| Hardware | Susceptible to temperature/humidity variations | Equipment malfunction, data loss | E | A.11 Physical security | Environmental controls (HVAC, monitoring, alarms), temperature thresholds |
| Hardware | Lack of device hardening (open services, default configs) | Exploitation, malware installation | D | A.12 Operations security | Device hardening standards, configuration baselines, regular security audits, monitoring |
| Hardware | End-of-life devices still in use | No patches, unsupported security | A | A.12 Operations security, A.8 Asset management | Retirement plan, replacement schedule, asset lifecycle policy |
| Hardware | Poor cable management or exposed connectors | Accidental disconnections, tampering | A, D | A.11 Physical security | Structured cabling, cable covers, access restriction, physical inspections |
| Software | Unpatched OS or applications | Exploitation, ransomware | D | A.12 Operations security | Automated patch management, vulnerability scanning, patch testing procedures |
| Software | Misconfigured web apps or APIs | SQL injection, XSS, data exposure | D | A.14 System acquisition, development, maintenance | Secure coding standards, code review, penetration testing, API security testing |
| Software | Insecure third-party libraries | Supply chain compromise | D | A.15 Supplier relationships | Dependency management, software composition analysis, supplier security assessment |
| Software | Misconfiguration of software | System downtime, data exposure | A | A.12 Operations security | Configuration management, change control, security baselines, automated compliance checks |
| Software | Misuse of software by users | Data corruption, unauthorised actions | A | A.7 Human resource security | User training, access controls, activity monitoring, approval workflows |
| Software | Legacy or unsupported software | Security gaps, compatibility issues | A | A.12 Operations security | Software upgrade plan, vendor support agreements, migration roadmap |
| Data/Information | Unencrypted data at rest | Data theft, unauthorised access | D | A.10 Cryptography | Encryption at rest, key management, data classification |
| Data/Information | Inadequate data classification | Mishandling of sensitive data | A | A.8 Asset management | Data classification scheme, labelling, handling procedures |
| Data/Information | Poor data retention practices | Compliance violations, data exposure | A | A.5 Information security policies | Retention policies, automated deletion, archive procedures |
| Data/Information | Inadequate data backup | Data loss, business disruption | A, E | A.12 Operations security | Regular backups, backup testing, offsite storage, recovery procedures |
| Network | Open/misconfigured ports | Unauthorised access, network scanning | D | A.9 Access control, A.13 Communications security | Firewall rules, network hardening, regular port scanning, change control |
| Network | Weak VPN/Wi-Fi credentials | Brute force, credential stuffing | D | A.9 Access control | Strong password policy, MFA, VPN security hardening, WPA3 for Wi-Fi |
| Network | Lack of network segmentation | Lateral movement | D | A.13 Communications security | VLANs, DMZ, zero-trust principles, micro-segmentation, access control lists |
| Network | Insufficient monitoring | Undetected intrusions | A, D | A.12 Operations security, A.16 Information security incident management | SIEM, alerting, log review, anomaly detection, security operations centre |
| Network | Insufficient mechanisms for proof of sending/receiving messages | Message tampering, spoofing | D | A.10 Cryptography, A.13 Communications security | Digital signatures, non-repudiation mechanisms, secure protocols (S/MIME, TLS) |
| Network | Insecure network architecture | Lateral movement, MITM attacks | D | A.13 Communications security | Network design review, defence in depth, segmentation, secure routing protocols |
| Network | Unprotected network connections | Eavesdropping, data interception | D | A.13 Communications security | Encrypted protocols (TLS 1.3+), VPN, secure Wi-Fi (WPA3), certificate validation |
| Network | Misconfigured load balancers or proxies | Traffic interception, service disruption | D, A | A.12 Operations security | Configuration review, security hardening, access control, health monitoring |
| Cloud/SaaS | Misconfigured cloud storage | Data exposure, unauthorised access | D, A | A.9 Access control, A.14 System acquisition, development, maintenance | Cloud security posture management, least privilege, regular audits |
| Cloud/SaaS | Inadequate cloud access controls | Unauthorised resource access | D | A.9 Access control | IAM policies, MFA, privileged access management, regular access reviews |
| Cloud/SaaS | Shadow cloud services | Data leakage, compliance violations | A, D | A.12 Operations security, A.5 Information security policies | Cloud access security broker (CASB), approved service catalogue, monitoring |
| Mobile | Lost or stolen mobile devices | Data theft, unauthorised access | D, A | A.8 Asset management, A.11 Physical security | Remote wipe, encryption, device tracking, clear desk policy |
| Mobile | BYOD security risks | Malware, data leakage | D, A | A.6 Organisation of information security | BYOD policy, mobile device management (MDM), containerisation |
| Mobile | Inadequate mobile device management | Unpatched devices, policy violations | A | A.12 Operations security | MDM solution, automated patching, compliance monitoring, device inventory |
| Human | Weak/reused passwords | Credential theft, account takeover | D | A.9 Access control | Password policies, password managers, MFA, breach monitoring, training |
| Human | Phishing susceptibility | Malware execution, data theft | D | A.7 Human resource security, A.8 Asset management | Awareness training, simulated phishing exercises, email filtering, reporting mechanisms |
| Human | Excessive privileges | Insider misuse, sabotage | D, A | A.9 Access control, A.6 Organisation of information security | Role-based access, least privilege principle, periodic access reviews, approval workflows |
| Human | Absence of key personnel | Delayed response, unmonitored systems | A, E | A.6 Organisation of information security | Cross-training, shift coverage, succession planning, documented procedures |
| Human | Shadow IT usage | Use of unapproved software/services | A, D | A.12 Operations security, A.5 Information security policies | IT asset inventory, approval processes, monitoring, user education |
| Human | Social engineering vulnerability | Disclosure of sensitive information | D | A.7 Human resource security | Awareness training, verification processes, incident reporting, security culture |
| Human | Inadequate security awareness | Policy violations, security incidents | A | A.7 Human resource security | Regular training, role-specific education, testing, security champions programme |
| Physical/Site | Uncontrolled physical access | Theft of devices, media | D | A.11 Physical security | Badge access, locks, surveillance cameras, visitor controls, access logs |
| Physical/Site | Poor environmental controls | Fire/flood → system damage | E | A.11 Physical security | HVAC systems, fire suppression, water detection, environmental monitoring |
| Physical/Site | Inadequate visitor management | Tailgating, unauthorised access | D, A | A.11 Physical security | Visitor logs, escorts, badge system, policy enforcement, reception procedures |
| Physical/Site | Insecure storage of backups | Data theft, destruction | D, E | A.12 Operations security | Offsite encrypted backups, secure storage facilities, access controls |
| Physical/Site | Inadequate power protection | Outages, device damage | E | A.11 Physical security | UPS systems, surge protection, backup generators, power monitoring |
| Physical/Site | Improper disposal of equipment/media | Data recovery from discarded items | D, A | A.11 Physical security, A.8 Asset management | Secure disposal procedures, data wiping, physical destruction, certificates of destruction |
| Organisational | Missing or outdated policies/procedures | Compliance breaches, inconsistent practices | A | A.5 Information security policies | Policy creation, regular review and approval, awareness communications, version control |
| Organisational | Lack of continuity/incident planning | Extended downtime, data loss | E | A.17 Business continuity, A.16 Information security incident management | BCP/DR plans, regular testing, documented procedures, communication plans |
| Organisational | Poor vendor/supplier management | Third-party compromise | D | A.15 Supplier relationships | Vendor risk assessments, security requirements in contracts, ongoing monitoring |
| Organisational | Weak audit and monitoring | Undetected insider activity | D, A | A.12 Operations security | Centralised logging, audit trail reviews, automated alerting, periodic security audits |
| Organisational | Inadequate staff training | Mistakes, security incidents | A | A.7 Human resource security | Comprehensive awareness programmes, role-based training, testing, continuous learning |
| Organisational | Incomplete recordkeeping | Legal, regulatory or operational risk | A, E | A.12 Operations security, A.18 Compliance | Standardised records management, retention policies, regular audits, backup procedures |
| Organisational | Lack of incident response capability | Poor incident handling, extended impact | A | A.16 Information security incident management | Incident response plan, response team, playbooks, training and exercises |
| Backup/Recovery | Untested backup procedures | Recovery failures, data loss | A | A.12 Operations security, A.17 Business continuity | Regular backup testing, documented recovery procedures, recovery time objectives |
| Backup/Recovery | Insufficient backup frequency | Data loss between backups | A | A.12 Operations security | Risk-based backup schedule, automated backups, monitoring and alerting |
| Backup/Recovery | Lack of backup verification | Corrupted or incomplete backups | A | A.12 Operations security | Automated verification, integrity checks, regular restoration tests |