
I have a study project related to establishing ISO 27001.

I will do a gap analysis on a "fictional" company over all ISO 27001 Annex A controls using ISO 27002.

After I do that, I will identify the risks using the results of that gap analysis.

So my question is: is there a list of potential risks for each ISO 27001 Annex A control (or at least for each of clauses 5-18)?

OrangeSpider
  • I don't think that you are asking the correct question. A list of risks is endless. What are you doing a gap analysis against? ISO 27002 is one side of the gap; what's the other? – schroeder Dec 02 '18 at 15:09
  • There are published risk catalogues, and they can contain thousands of potential risks, from version-specific vulnerabilities to "all the IT people quit at the same time". You need to narrow your focus quite a bit. – schroeder Dec 02 '18 at 15:11
  • @schroeder I have a "fictional" company on which I will do the gap analysis using ISO 27002. – OrangeSpider Dec 02 '18 at 15:16
  • OK, then the company details provide the starting place for risks. – schroeder Dec 02 '18 at 15:21

1 Answer

"Controls", which is what clauses 5-18 are, are meant to mitigate risks. They help to reduce the impact or the likelihood of a risk crystallising to a level that the organisation is comfortable with.

So all those control clauses point to the risks they are meant to mitigate. Just ask yourself, "what would happen if this control was not there, or if it failed?" Then you can build a (very) large list of risks that might be relevant to your example.

schroeder