Checklist of cyber threats & safeguards when working from home

Copyright © 2020 Advisera Expert Solutions Ltd. All rights reserved.
User-level related threats

| # | Threat | Vulnerability | Explanation of the risk | Safeguard | ISO 27001 Annex A control | Explanation of the safeguard |
|---|---|---|---|---|---|---|
| 1 | Theft of asset / data | Inadequate data storage | A device left on the desk, or in another unsecure place, when unattended can easily be picked up by an unauthorized person. | Use lockable filing cabinets to increase the difficulty of unauthorized access to the device. | A.11.2.6 - Security of equipment and assets off-premises | When working from home, it is not only important to establish that information is protected – equipment must be physically safe at all times. For further information, see: How to implement equipment physical protection according to ISO 27001 – Part 2. |
| 2 | Theft of asset / data | Free access to working area | A workspace where everyone can freely walk in increases the chance of the device being stolen. | Work in a separate room with a lockable door. | A.11.1.1 - Physical security perimeter; A.11.1.2 - Physical entry controls | A dedicated space for work at home not only helps one focus on his/her job, but also on protecting information and equipment. For further information, see: Physical security in ISO 27001: How to protect the secure areas. |
| 3 | Information disclosure | Visibly exposed information | Information left on the screen, or on the table, when not in use can be seen easily by an unauthorized person. | Block access to information when not in use. | A.11.2.9 - Clear desk and clear screen policy | Because information and assets at a workspace are in one of their most vulnerable places, the adoption of some low-tech and easy-to-implement practices to block access to information can help reduce the risk of security breaches. For further information, see: Clear desk and clear screen policy – What does ISO 27001 require? To see what a Clear Desk and Clear Screen Policy looks like, take a look at this free demo: Clear Desk and Clear Screen Policy. |
| 4 | Information disclosure | Data stored as plain text | Data stored as plain text can be accessed easily if the media is compromised. | Protect information with encryption. | A.9.4.1 - Information access restriction; A.10.1.1 - Policy on the use of cryptographic controls | Outside the facilities of the organization, information could be accessible to anyone, so if you want to protect confidential information against unauthorized access, encryption is a good solution. For further information, see: How to use the cryptography according to ISO 27001 control A.10. To see what a Policy on the Use of Encryption looks like, take a look at this free demo: Policy on the Use of Encryption. |
| 5 | Data loss (on physical / electronic media) | Single copy of data on local device | Data is unrecoverable if its single copy is destroyed or corrupted. | Make copies of sensitive data and keep them on corporate servers. | A.12.3.1 - Backup | The potential damage of data loss to the company – in terms of money or other impacts like legal, reputation, etc. – can be prevented by ensuring copies of the data are created regularly, and kept separated from the original data. For further information, see: Backup policy – How to determine backup frequency. To see what a Backup Policy looks like, take a look at this free demo: Backup Policy. |


ICT-level related threats

| # | Threat | Vulnerability | Explanation of the risk | Safeguard | ISO 27001 Annex A control | Explanation of the safeguard |
|---|---|---|---|---|---|---|
| 6 | Unauthorized activities in information systems | Unsupervised asset usage | Improper use of information and resources, or violation of laws and contracts, can go unnoticed for a long time. | Keep records of asset usage and review them periodically. | A.12.4.1 - Event logging | If an incident or event occurs, logs can help to determine what has happened, and they also can help analyze trends or detect possible fraudulent activities before any major incidents occur. For further information, see: Logging and monitoring according to ISO 27001 A.12.4. To see what the definition of logging looks like, take a look at this free demo: Security Procedures for IT Department. |
| 7 | Unauthorized access to information systems | Use of weak passwords | Information leaks, data destruction, or fraud can be easier to achieve if users are allowed to adopt easy-to-guess passwords. | Enforce the use of strong passwords by employees. | A.9.4.3 - Password management system | Rules enforced by IT systems can make user passwords hard to guess, increasing information security. To see what the rules to ensure strong passwords look like, take a look at this free demo: Password Policy. |
| 8 | Unauthorized access to information systems | Compromised password | Information leaks, data destruction, or fraud can be committed through the use of compromised credentials. | Adopt two-factor authentication for systems access. | A.9.4.2 - Secure log-on procedures | By using two-factor authentication, you create an additional layer of protection, because even if the password is compromised, it will be useless without the information of the second authentication factor. For further information, see: How two-factor authentication enables compliance with ISO 27001 access controls. |
| 9 | Unauthorized access to information systems | Single device for multiple users | Users with lower security levels can have access to information that should be available only to users with higher security levels. | Implement access profiles. | A.9.2.2 - User access provisioning | The definition of access profiles according to the systems and information the user needs to access decreases the risk of information compromise on devices or in shared environments. For further information, see: How to handle access control according to ISO 27001. To see what access control looks like, take a look at this free demo: Access Control Policy. |
| 10 | Information intercepted on the communication channel | Use of public / user-owned networks | Transmitted data in plain text can be accessed if the channel is compromised. | Implement Virtual Private Networks (VPNs). | A.13.1.1 - Network controls | By protecting communication channels with encryption, and accepting only authorized connections, you can increase information security. For further information, see: How to manage network security according to ISO 27001 A.13.1 and How to manage the security of network services according to ISO 27001 A.13.1.2. To see what the inclusion of a VPN approach in information security looks like, take a look at this free demo: Security Procedures for IT Department. |
| 11 | Unauthorized network access | Single network domain | All computers and assets can be compromised due to a single network breach. | Separate computers and assets in small networks with controlled access between them. | A.13.1.3 - Segregation in networks | Segregated networks minimize which assets can be accessed if a network breach occurs. For further information, see: Requirements to implement network segregation according to ISO 27001 control A.13.1.3. |
| 12 | Malware | Defective software | Malicious software can be used to exploit design flaws, or poor implementation, to compromise information. | Install anti-malware to detect and eliminate malicious software. | A.12.2.1 - Controls against malware | Anti-virus and anti-spam are effective tools to minimize the risk of exploitation of defective software, by identifying and eliminating malware before it can act. For further information, see: How can ISO 27001 help protect your company against ransomware? To see what the application of controls against malware looks like, take a look at this free demo: IT Security Policy. |
| 13 | Malware | Outdated hardware / software | Hardware / software that is no longer supported can be overcome by more recent attack techniques. | Monitor manufacturers and special communities to identify outdated hardware and software and new attack techniques. | A.12.6.1 - Management of technical vulnerabilities | The sooner you can identify outdated hardware and software in your organization, the more time you will have to devise how to handle the situation. For further information, see: How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1. |
| 14 | Malware | Patch not installed | Known flaws that are not corrected can be used to gain unauthorized access and compromise information. | Implement a procedure to quickly implement released patches. | A.12.1.2 - Change management | Corrections must be implemented quickly, but in a controlled manner to ensure security. For further information, see: How to manage changes in an ISMS according to ISO 27001 A.12.1.2. To see what the definition of controlled changes looks like, take a look at this free demo: Change Management Policy. |
| 15 | Malware | User with full admin rights | Improper configuration of software installed by users can be exploited to gain unauthorized access and compromise information. | Implement restrictions on which software can be installed by users. | A.12.6.2 - Restrictions on software installation | By handling software installation properly, an organization can decrease the risks related to malicious code and user errors. For further information, see: Implementing restrictions on software installation using ISO 27001 control A.12.6.2. To see what restrictions on software installation look like, take a look at this free demo: IT Security Policy. |
| 16 | Outage on organization's infrastructure | No alternative provider | Information services cannot resume if they depend on a single, unavailable provider. | Have an alternative provider that is not susceptible to the same incident at the same time. | A.17.1.2 - Implementing information security continuity | Incidents will occur, no matter how prepared you are, so defining how to act in case of a disaster can allow you to decrease the impact and resume operations faster. For further information, see: How to use ISO 22301 for the implementation of business continuity in ISO 27001. To see what measures to handle a disaster look like, take a look at this free demo: Disaster Recovery Plan. |
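Rows 7 and 8 above argue that a password management system plus a second factor means a stolen or guessed password is useless on its own. The following is an added example, not Advisera's material: a minimal log-on check that stores the password as a PBKDF2 hash and uses an RFC 6238 TOTP code as the second factor. The credentials, salt and time values are constructed sample data (the TOTP secret is the RFC 6238 reference test secret).

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo credentials. In a real deployment the password hash comes
# from the user store and the TOTP secret is provisioned per user at enrollment.
PASSWORD_SALT = b"constructed-demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery", PASSWORD_SALT, 100_000)
TOTP_SECRET = b"12345678901234567890"  # RFC 6238 reference test secret, sample data only
TIME_STEP = 30  # seconds per TOTP step


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1) for the step containing unix_time."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.4)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_password(candidate: str) -> bool:
    """First factor: compare the PBKDF2 hash of the candidate in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(digest, PASSWORD_HASH)


def check_second_factor(code: str, unix_time: int, window: int = 1) -> bool:
    """Second factor: accept the current step and +/- window steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(TOTP_SECRET, unix_time + TIME_STEP * drift).encode(), code.encode())
        for drift in range(-window, window + 1)
    )


def login(password: str, code: str, unix_time: Optional[int] = None) -> bool:
    """Grant access only when both factors verify; a compromised password alone is not enough."""
    now = int(time.time()) if unix_time is None else unix_time
    first_ok = check_password(password)
    second_ok = check_second_factor(code, now)  # always evaluated, so timing does not reveal which factor failed
    return first_ok and second_ok


if __name__ == "__main__":
    t = 1111111109  # fixed RFC 6238 sample time so the demo is reproducible
    print("password + valid code :", login("correct horse battery", totp(TOTP_SECRET, t), t))
    print("stolen password only  :", login("correct horse battery", "000000", t))
    print("code without password :", login("guess", totp(TOTP_SECRET, t), t))
```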


Management-related threats

| # | Threat | Vulnerability | Explanation of the risk | Safeguard | ISO 27001 Annex A control | Explanation of the safeguard |
|---|---|---|---|---|---|---|
| 17 | Breach of contractual relations / legislation | No clear rules for working from home | Violation of laws and contracts can occur because employees are not aware of them. | Identify which laws, regulations, and contracts related to working from home your organization needs to comply with. | A.18.1.1 - Identification of applicable legislation and contractual requirements | By identifying the specific legal requirements you need to comply with, you can optimize the required resources and minimize the risk of violating the requirements. For further information, see: How to identify ISMS requirements of interested parties in ISO 27001. To see what the identification of legal requirements looks like, take a look at this free demo: List of Legal, Regulatory, Contractual and Other Requirements. |
| 18 | Improper use of enterprise resources | No clear rules for working from home | Improper use of information and resources can occur because employees are not aware of how to proceed when working from home. | Establish clear rules for employees working from home. | A.6.2.2 - Teleworking policy | Clear rules about telework help to organize and prevent the misuse of the resources allocated to this activity. For further information, see: How to apply information security controls in teleworking according to ISO 27001. To see what a teleworking policy looks like, take a look at this free demo: Mobile Device and Teleworking Policy. |
| 19 | Improper use of enterprise resources | No clear rules for working from home | Improper use of information and resources can occur because employees are not aware of how to access resources when working from home. | Establish clear rules for providing access to information and systems for those working from home. | A.9.1.1 - Access control policy | The definition of business requirements for the establishment of access profiles increases the effectiveness of information protection. For further information, see: How to handle access control according to ISO 27001. To see what access control looks like, take a look at this free demo: Access Control Policy. |
| 20 | Improper management of enterprise resources | No clear rules for working from home | Improper administration of infrastructure related to working from home can occur because employees (IT staff) are not aware of how to operate and manage services related to working from home. | Keep documented information about how to perform critical activities related to work-from-home infrastructure. | A.12.1.1 - Documented operating procedures | Only protecting the end user side is not enough. The organization also needs to define rules for how IT staff must proceed to ensure protection not only of information, but also of the infrastructure it relies on. For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write. To see what a security procedure looks like, take a look at this free demo: Procedures for Working in Secure Areas. |
| 21 | Social engineering | Unaware / untrained user | Users who work from home can become victims of email- and Internet-based schemes. | Provide awareness and training sessions for employees who will work from home. | A.7.2.2 - Information security awareness, education and training | In the end, users are the last line of defense, and the more prepared they are to identify and deal with information security situations, the better the performance of information security as a whole. For further information, see: How to perform training & awareness for ISO 27001 and ISO 22301. To see what a training and awareness plan looks like, take a look at this free demo: Training and Awareness Plan. |


Advisera Expert Solutions Ltd for electronic business and business consulting
Zavizanska 12, 10000 Zagreb
Croatia, European Union

Email: support@advisera.com
U.S. (international): +1 (646) 759 9933
United Kingdom (international): +44 1502 449001
Toll-Free (U.S. and Canada): 1-888-553-2256
Toll-Free (United Kingdom): 0800 808 5485
Australia: +61 3 4000 0020