
Threat Assessment


A threat assessment is the systematic identification and evaluation of threats and vulnerabilities that could cause harm to information assets. It forms the core of the risk management process per ISO 27005.

The process includes: identifying the assets to protect, determining relevant threats, analyzing existing vulnerabilities, and assessing likelihood and impact. The result is a prioritized risk list that serves as the basis for the risk treatment plan. In an ISMS, the threat assessment is repeated regularly — at least annually and on an ad-hoc basis when significant changes occur in the IT landscape or threat environment.
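The steps above can be captured in a small risk register. The following Python example is added here for illustration and is not code from the page or from ISO 27005; it assumes a 5×5 qualitative scale for likelihood and impact, the thresholds used to bucket scores into low/medium/high, and a set of constructed sample entries.

```python
from dataclasses import dataclass

# Assumed qualitative scales (1-5); ISO 27005 does not prescribe specific values.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    """One register entry: an asset, a threat to it, the vulnerability the threat exploits,
    and the assessed likelihood and impact."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str

    def score(self) -> int:
        # Reject ratings outside the agreed scale rather than silently scoring them as 0.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"unknown rating for {self.asset}/{self.threat}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Assumed bucketing thresholds; an organisation sets these from its risk appetite."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritized_register(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by asset name so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.score(), r.asset))


def treatment_candidates(risks: list[Risk], minimum_level: str = "medium") -> list[Risk]:
    """Entries at or above the given level; these feed the risk treatment plan."""
    order = {"low": 0, "medium": 1, "high": 2}
    return [r for r in prioritized_register(risks)
            if order[risk_level(r.score())] >= order[minimum_level]]


# Constructed sample entries (not real findings).
SAMPLE_RISKS = [
    Risk("public website", "defacement", "outdated CMS plugin", "possible", "moderate"),
    Risk("customer database", "ransomware", "unpatched file server", "likely", "severe"),
    Risk("office printers", "hardware failure", "no spare units", "possible", "minor"),
    Risk("VPN gateway", "credential stuffing", "no MFA on remote access", "likely", "major"),
]

if __name__ == "__main__":
    for r in prioritized_register(SAMPLE_RISKS):
        print(f"{r.score():>3} {risk_level(r.score()):<6} {r.asset}: {r.threat} via {r.vulnerability}")
```

Running the block prints the register in priority order; the `treatment_candidates` list is what would be carried into the treatment plan, and the whole run is repeated when the annual cycle or a significant change triggers a reassessment.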