
Checklist of cyber threats & safeguards when working from home

Copyright ©2021 Advisera Expert Solutions Ltd. All rights reserved.


Columns: # | Threat | Vulnerability | Explanation of the risk | Safeguard | ISO 27001 Annex A control | Explanation of the safeguard

User-level related threats

1. Theft of asset / data
   Vulnerability: Inadequate data storage
   Risk: A device left on the desk, or in another insecure place, when unattended can easily be picked up by an unauthorized person.
   Safeguard: Use lockable filing cabinets to increase the difficulty of unauthorized access to the device.
   Annex A control: A.11.2.6 - Security of equipment and assets off-premises
   Explanation: When working from home, it is not enough to establish that information is protected; the equipment must also be physically safe at all times.
   For further information, see: How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2.

2. Theft of asset / data
   Vulnerability: Free access to working area
   Risk: A workspace where everyone can freely walk in increases the chance of the device being stolen.
   Safeguard: Work in a separate room with a lockable door.
   Annex A control: A.11.1.1 - Physical security perimeter; A.11.1.2 - Physical entry controls
   Explanation: A dedicated workspace at home not only helps one focus on the job, but also helps protect information and equipment.
   For further information, see: Physical security in ISO 27001: How to protect the secure areas.

3. Information disclosure
   Vulnerability: Visibly exposed
   Risk: Information left on the screen, or on the table, when not in use can easily be seen by an unauthorized person.
   Safeguard: Block access to information when not in use.
   Annex A control: A.11.2.9 - Clear desk and clear screen policy
   Explanation: Because information and assets at a home workspace are in one of their most vulnerable places, adopting some low-tech and easy-to-implement practices to block access to information (locking the screen when stepping away, putting papers out of sight) can help reduce the risk of security breaches.
   For further information, see: Clear desk and clear screen policy – What does ISO 27001 require?
   To see what a Clear Desk and Clear Screen Policy looks like, take a look at this free demo: Clear Desk and Clear Screen Policy.

4. Information disclosure
   Vulnerability: Data stored as plain text
   Risk: Data stored as plain text can be accessed easily if the media is compromised.
   Safeguard: Protect information with encryption.
   Annex A control: A.9.4.1 - Information access restriction; A.10.1.1 - Policy on the use of cryptographic controls
   Explanation: Outside the facilities of the organization, information could be accessible to anyone, so if you want to protect confidential information against unauthorized access, encryption of the stored data is a good solution.
   For further information, see: How to use the cryptography according to ISO 27001 control A.10.
   To see what a Policy on the Use of Encryption looks like, take a look at this free demo: Policy on the Use of Encryption.

5. Data loss (on physical / electronic media)
   Vulnerability: Single copy of data on local device
   Risk: Data is unrecoverable if its single copy is destroyed or corrupted.
   Safeguard: Make copies of sensitive data and keep them on corporate servers.
   Annex A control: A.12.3.1 - Backup
   Explanation: The potential damage of data loss to the company, in terms of money or other impacts such as legal and reputational consequences, can be prevented by ensuring that copies of the data are created regularly and kept separate from the original data.
   For further information, see: Backup policy – How to determine backup frequency.
   To see what a Backup Policy looks like, take a look at this free demo: Backup Policy.

ICT-level related threats

6. Unauthorized activities in information systems
   Vulnerability: Unsupervised asset
   Risk: Improper use of information and resources, or violation of laws and contracts, can go unnoticed for a long time.
   Safeguard: Keep records of asset usage and review them periodically.
   Annex A control: A.12.4.1 - Event logging
   Explanation: If an incident or event occurs, logs can help to determine what has happened, and they can also help analyze trends or detect possible fraudulent activities before any major incidents occur.
   For further information, see: Logging and monitoring according to ISO 27001 A.12.4.
   To see what the definition of logging looks like, take a look at this free demo: Security Procedures for IT Department.
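
The periodic review this row calls for only pays off if the records are actually turned into findings. The following script is an added example and is not part of the Advisera checklist: it parses constructed sshd-style authentication lines and flags a burst of failed logins from one address, a successful login from an address that was just flagged, and successful logins outside an assumed 07:00-20:00 working window. The log format, the thresholds and the business hours are assumptions to adapt to your own log sources.

```python
"""Periodic review of authentication records (added example, not from the checklist).

Parses sshd-style lines and raises three kinds of findings:
  brute_force               >= FAIL_THRESHOLD failures from one IP inside FAIL_WINDOW
  success_after_brute_force a successful login from an IP already flagged above
  off_hours_login           a successful login outside BUSINESS_HOURS
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input format:
# "<ISO timestamp> <host> sshd[<pid>]: Accepted|Failed <method> for [invalid user ]<user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FAIL_THRESHOLD = 5                 # assumption: tune to your environment
FAIL_WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = (7, 20)           # assumption: 07:00-20:00 local time is normal

# Constructed sample log, deliberately out of order and with one unrelated line.
SAMPLE_LOG = """\
2021-03-02T09:01:10 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50123 ssh2
2021-03-02T09:02:40 host1 sshd[1208]: Failed password for bob from 198.51.100.7 port 40111 ssh2
2021-03-02T09:02:41 host1 sshd[1208]: Failed password for bob from 198.51.100.7 port 40111 ssh2
2021-03-02T09:02:43 host1 sshd[1209]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
2021-03-02T09:02:44 host1 sshd[1209]: Failed password for bob from 198.51.100.7 port 40112 ssh2
2021-03-02T23:40:02 host1 sshd[1310]: Accepted password for bob from 198.51.100.7 port 40119 ssh2
2021-03-02T09:02:46 host1 sshd[1210]: Failed password for bob from 198.51.100.7 port 40113 ssh2
2021-03-02T10:30:00 host1 sshd[1500]: Failed password for dave from 10.0.0.5 port 50200 ssh2
2021-03-02T12:15:00 host1 sshd[1400]: Accepted publickey for carol from 10.0.0.9 port 50321 ssh2
2021-03-02T12:15:01 host1 sshd[1400]: pam_unix(sshd:session): session opened for user carol
"""


def parse(log_text):
    """Return (timestamp, result, user, ip) tuples sorted by time; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    events.sort()
    return events


def review(log_text):
    """Return findings as (kind, ip, user, timestamp) tuples in time order."""
    findings = []
    recent_failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged_ips = set()
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            window = [t for t in recent_failures[ip] if ts - t <= FAIL_WINDOW]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= FAIL_THRESHOLD and ip not in flagged_ips:
                flagged_ips.add(ip)
                findings.append(("brute_force", ip, user, ts))
        else:
            if ip in flagged_ips:
                findings.append(("success_after_brute_force", ip, user, ts))
            if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
                findings.append(("off_hours_login", ip, user, ts))
    return findings


if __name__ == "__main__":
    for kind, ip, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:26} ip={ip} user={user}")
```

On the constructed sample the script produces three findings, all for 198.51.100.7: the fifth failure at 09:02:46, and the later success at 23:40 flagged both as following a brute-force burst and as off-hours. The review is only as good as the retention behind it, so keep the raw records long enough to cover the "long time" the risk column describes, not just the window the script scans.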

7. Unauthorized access to information systems
   Vulnerability: Use of weak passwords
   Risk: Information leaks, data destruction, or fraud are easier to achieve if users are allowed to adopt easy-to-guess passwords.
   Safeguard: Enforce the use of strong passwords by employees.
   Annex A control: A.9.4.3 - Password management system
   Explanation: Rules enforced by IT systems, rather than left to the user's judgement, can make user passwords hard to guess, increasing information security.
   To see what the rules to ensure strong passwords look like, take a look at this free demo: Password Policy.
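
An added example of the kind of server-side rule a password management system enforces; this code is not from the checklist or from Advisera. It follows the approach in NIST SP 800-63B: require length, reject passwords that appear on a breached or common-password list (including with the usual trailing digits and symbols), reject the username and organization name, and reject obvious repeated or sequential runs, rather than relying on character-class composition rules. The blocklist and the context word "acme" are constructed placeholders.

```python
"""Password acceptance rule for a password management system (added example)."""
import re

MIN_LENGTH = 12
# Constructed stand-in for a breached / common-password list. In production
# load a real corpus, e.g. the Have I Been Pwned "Pwned Passwords" data.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin", "monkey"}
CONTEXT_WORDS = {"acme"}   # assumption: organization and product names users reach for


def _normalize(password):
    """Lower-case and strip trailing digits/symbols so 'Password123!' still hits 'password'."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def _has_run(password, length=4):
    """True if any `length` consecutive characters are identical or strictly sequential (aaaa, abcd, 4321)."""
    low = password.lower()
    for i in range(len(low) - length + 1):
        chunk = [ord(c) for c in low[i:i + length]]
        steps = {b - a for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password, username):
    """Return the list of reasons to reject the password; an empty list means accept."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalize(password) in BLOCKLIST:
        problems.append("matches a common/breached password")
    low = password.lower()
    if username and username.lower() in low:
        problems.append("contains the username")
    for word in sorted(CONTEXT_WORDS):
        if word in low:
            problems.append(f"contains context word '{word}'")
    if _has_run(password):
        problems.append("contains a repeated or sequential run")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "bob2021", "acmeSummer2021!!", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate, 'bob') or 'accepted'}")
```

Note that "Password123!" passes a classic upper/lower/digit/symbol rule and still falls to a dictionary attack; the normalized blocklist check is what catches it, while the long passphrase is accepted. Against a full breached-password corpus, query it by hash prefix (the k-anonymity range lookup that Pwned Passwords offers) so the candidate password never leaves your server.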

8. Unauthorized access to information systems
   Vulnerability: Compromised password
   Risk: Information leaks, data destruction, or fraud can be committed through the use of compromised credentials.
   Safeguard: Adopt two-factor authentication for systems access.
   Annex A control: A.9.4.2 - Secure log-on procedures
   Explanation: By using two-factor authentication, you create an additional layer of protection, because even if the password is compromised, it is useless without the second authentication factor.
   For further information, see: How two-factor authentication enables compliance with ISO 27001 access controls.
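
To make the second factor concrete, here is an added example (not from the checklist or from Advisera) of the time-based one-time password algorithm that authenticator apps implement, RFC 6238 TOTP built on RFC 4226 HOTP, using only the Python standard library. The server-side verification accepts one 30-second step of clock skew in either direction and records the last accepted step, so a code that was phished or sniffed cannot be replayed even inside the skew window. The shared secret below is the RFC test-vector secret, not a real key.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226) with replay protection (added example)."""
import hashlib
import hmac
import time

STEP = 30      # RFC 6238 default time step, seconds
DIGITS = 6     # what most authenticator apps display

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); NOT a real key.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, digits=DIGITS):
    """What the authenticator app shows: HOTP with the counter = current time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // STEP), digits)


def verify_totp(secret, submitted, last_counter, at=None, window=1):
    """Server-side check. Returns (accepted, new_last_counter).

    Accepts codes for the current step and `window` steps either side (clock skew),
    but never a step <= last_counter: each time step can be used once, which is
    what stops a captured code from being replayed.
    """
    at = time.time() if at is None else at
    current = int(at // STEP)
    for c in range(current - window, current + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True, c
    return False, last_counter


if __name__ == "__main__":
    print("code for the RFC secret right now:", totp(RFC_SECRET))
    ok, last = verify_totp(RFC_SECRET, "287082", last_counter=-1, at=59)
    print("RFC vector at t=59 accepted:", ok, "last step:", last)
    print("same code again:", verify_totp(RFC_SECRET, "287082", last_counter=last, at=59))
```

The values used in the demonstration come from the RFC test vectors: at time 59 the SHA-1 TOTP is 287082 (94287082 with eight digits). Two operational caveats belong next to this code: the server must rate-limit attempts, because six digits is only a million guesses, and the shared secret cannot be stored as a hash the way a password is, since the server needs the raw bytes to compute the HMAC, so it needs encryption at rest and the same access restrictions as any other credential store.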

9. Unauthorized access to information systems
   Vulnerability: Single device for multiple users
   Risk: Users with lower security levels can have access to information that should be available only to users with higher security levels.
   Safeguard: Implement access profiles.
   Annex A control: A.9.2.2 - User access provisioning
   Explanation: Defining access profiles according to the systems and information each user actually needs decreases the risk of information compromise on shared devices or in shared environments.
   For further information, see: How to handle access control according to ISO 27001.
   To see what access control looks like, take a look at this free demo: Access Control Policy.

10. Information intercepted on the communication channel
   Vulnerability: Use of public / user-owned networks
   Risk: Transmitted data in plain text can be accessed if the channel is compromised.
   Safeguard: Implement Virtual Private Networks (VPNs).
   Annex A control: A.13.1.1 - Network controls
   Explanation: By protecting communication channels with encryption, and accepting only authorized connections, you can increase information security.
   For further information, see: How to manage network security according to ISO 27001 A.13.1 and How to manage the security of network services according to ISO 27001 A.13.1.2.
   To see what the inclusion of a VPN approach in information security looks like, take a look at this free demo: Security Procedures for IT Department.

11. Unauthorized network access
   Vulnerability: Single network domain
   Risk: All computers and assets can be compromised due to a single network breach.
   Safeguard: Separate computers and assets into small networks with controlled access between them.
   Annex A control: A.13.1.3 - Segregation in networks
   Explanation: Segregated networks minimize which assets can be reached if a network breach occurs.
   For further information, see: Requirements to implement network segregation according to ISO 27001 control A.13.1.3.

12. Malware
   Vulnerability: Defective software
   Risk: Malicious software can be used to exploit design flaws, or poor implementation, to compromise information.
   Safeguard: Install anti-malware to detect and eliminate malicious software.
   Annex A control: A.12.2.1 - Controls against malware
   Explanation: Anti-virus and anti-spam tools reduce the risk that defective software is exploited by identifying and eliminating malware before it can act.
   For further information, see: How can ISO 27001 help protect your company against ransomware?
   To see what the application of controls against malware looks like, take a look at this free demo: IT Security Policy.

13. Malware
   Vulnerability: Outdated hardware / software
   Risk: Hardware / software that is no longer supported can be overcome by more recent attack techniques.
   Safeguard: Monitor manufacturers and specialist communities to identify outdated hardware and software and new attack techniques.
   Annex A control: A.12.6.1 - Management of technical vulnerabilities
   Explanation: The sooner you identify outdated hardware and software in your organization, the more time you have to decide how to handle it.
   For further information, see: How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1.

14. Malware
   Vulnerability: Patch not installed
   Risk: Known flaws that are not corrected can be used to gain unauthorized access and compromise information.
   Safeguard: Implement a procedure to quickly apply released patches.
   Annex A control: A.12.1.2 - Change management
   Explanation: Corrections must be applied quickly, but in a controlled manner to ensure security.
   For further information, see: How to manage changes in an ISMS according to ISO 27001 A.12.1.2.
   To see what the definition of controlled changes looks like, take a look at this free demo: Change Management Policy.

15. Malware
   Vulnerability: User with full admin rights
   Risk: Improper configuration of software installed by users can be exploited to gain unauthorized access and compromise information.
   Safeguard: Implement restrictions on which software can be installed by users.
   Annex A control: A.12.6.2 - Restrictions on software installation
   Explanation: By handling software installation properly, an organization can decrease the risks related to malicious code and user errors.
   For further information, see: Implementing restrictions on software installation using ISO 27001 control A.12.6.2.
   To see what restrictions on software installation look like, take a look at this free demo: IT Security Policy.

16. Outage on organization's infrastructure
   Vulnerability: No alternative provider
   Risk: Information services cannot resume if they depend on a single, unavailable provider.
   Safeguard: Have an alternative provider that is not susceptible to the same incident at the same time.
   Annex A control: A.17.1.2 - Implementing information security continuity
   Explanation: Incidents will occur, no matter how prepared you are, so defining how to act in case of a disaster allows you to decrease the impact and resume operations faster.
   For further information, see: How to use ISO 22301 for the implementation of business continuity in ISO 27001.
   To see what measures to handle a disaster look like, take a look at this free demo: Disaster Recovery Plan.

Management-related threats


17. Breach of contractual relations / legislation
   Vulnerability: No clear rules for working from home
   Risk: Violation of laws and contracts can occur because employees are not aware of them.
   Safeguard: Identify which laws, regulations, and contracts related to working from home your organization needs to comply with.
   Annex A control: A.18.1.1 - Identification of applicable legislation and contractual requirements
   Explanation: By identifying the specific legal requirements you need to comply with, you can optimize the required resources and minimize the risk of violating the requirements.
   For further information, see: How to identify ISMS requirements of interested parties in ISO 27001.
   To see what the identification of legal requirements looks like, take a look at this free demo: List of Legal, Regulatory, Contractual and Other Requirements.

18. Improper use of enterprise resources
   Vulnerability: No clear rules for working from home
   Risk: Improper use of information and resources can occur because employees are not aware of how to proceed when working from home.
   Safeguard: Establish clear rules for employees working from home.
   Annex A control: A.6.2.2 - Teleworking policy
   Explanation: Clear rules about telework help to organize the activity and prevent the misuse of the resources allocated to it.
   For further information, see: How to apply information security controls in teleworking according to ISO 27001.
   To see what a teleworking policy looks like, take a look at this free demo: Mobile Device and Teleworking Policy.

19. Improper use of enterprise resources
   Vulnerability: No clear rules for working from home
   Risk: Improper use of information and resources can occur because employees are not aware of how to access resources when working from home.
   Safeguard: Establish clear rules for providing access to information and systems for those working from home.
   Annex A control: A.9.1.1 - Access control policy
   Explanation: Defining the business requirements on which access profiles are built increases the effectiveness of information protection.
   For further information, see: How to handle access control according to ISO 27001.
   To see what access control looks like, take a look at this free demo: Access Control Policy.

20. Improper management of enterprise resources
   Vulnerability: No clear rules for working from home
   Risk: Improper administration of infrastructure related to working from home can occur because employees (IT staff) are not aware of how to operate and manage services related to working from home.
   Safeguard: Keep documented information about how to perform critical activities related to work-from-home infrastructure.
   Annex A control: A.12.1.1 - Documented operating procedures
   Explanation: Protecting only the end-user side is not enough. The organization also needs to define rules for how IT staff must proceed, to ensure protection not only of information, but also of the infrastructure it relies on.
   For further information, see: 8 criteria to decide which ISO 27001 policies and procedures to write.
   To see what a security procedure looks like, take a look at this free demo: Procedures for Working in Secure Areas.


21. Social engineering
   Vulnerability: Unaware / untrained user
   Risk: Users who work from home can become victims of email- and Internet-based schemes.
   Safeguard: Provide awareness and training sessions for employees who will work from home.
   Annex A control: A.7.2.2 - Information security awareness, education and training
   Explanation: In the end, users are the last line of defense, and the better prepared they are to identify and deal with information security situations, the better the performance of information security as a whole.
   For further information, see: How to perform training & awareness for ISO 27001 and ISO 22301.
   To see what a training and awareness plan looks like, take a look at this free demo: Training and Awareness Plan.

Check out ISO 27001 compliance software


To see how to use the ISO 27001 risk register with catalogs of assets, threats, and vulnerabilities, and get automated suggestions on how they are related,
sign up for a 30-day free trial of Conformio, the leading ISO 27001 compliance software.


Advisera Expert Solutions Ltd for electronic business and business consulting

Our offices:
Zavizanska 12, 10000 Zagreb, Croatia
Via Maggio 1 C, Lugano, CH-6900, Switzerland
275 Seventh Ave, 7th Floor, New York, 10001, U.S.

Email: support@advisera.com
U.S. (international): +1 (646) 759 9933
United Kingdom (international): +44 1502 449001
Toll-Free (U.S. and Canada): 1-888-553-2256
Toll-Free (United Kingdom): 0800 808 5485
Australia: +61 3 4000 0020
Switzerland: +41 41 588 0722
