Which threats are relevant to your organisation? Ransomware, insider attacks, natural disasters, supply chain failures? A.5.7 requires you to collect and analyse information about threats to information security. The threat register provides the structured foundation for this analysis — and the starting point for every risk scenario.
What does it contain?
The template structures threats so they feed directly into the risk management process per ISO 27005:
- Threat — name of the threat (e.g. ransomware, social engineering, power outage)
- Category — classification by threat type (e.g. deliberate/human, negligent/human, environmental, technical)
- Description — what exactly is the threat and how does it manifest?
- Affected protection goals — which goals are at risk? (confidentiality, integrity, availability)
- Typical attack vectors / triggers — how does the threat typically materialise?
- Relevance — how relevant is the threat to your organisation? (high, medium, low)
How to use the template
1. Start with the template. The CSV contains a curated selection of threats relevant to most organisations. It covers deliberate attacks (malware, phishing, DDoS), human error (misconfiguration, accidental data loss), technical failures (hardware defect, software bug), and environmental events (power outage, water damage, fire).
2. Add sector-specific threats. Do you operate critical infrastructure? Then targeted sabotage and state-sponsored attacks belong in the register. Healthcare? Manipulation of medical data. Financial sector? Fraud and regulatory sanctions.
3. Remove what does not apply. An earthquake threat is negligible in regions with no seismic activity. An attack on industrial control systems (OT) does not concern a pure software company. Remove what is irrelevant to your context — and briefly document why.
4. Link to vulnerabilities and assets. The real work begins when threats meet specific vulnerabilities and assets. The combination “threat + vulnerability + asset” produces risk scenarios that are assessed in the risk register.
5. Update regularly. Threat landscapes change quickly. Schedule a review at least annually — and respond on an ad-hoc basis to new threats surfaced by threat intelligence, incidents, or industry developments.
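Steps 4 and 5 above, as an added example that is not part of the template: a Python script that loads a register in the page's column layout, joins each threat with the weaknesses recorded for its assets to form "threat + vulnerability + asset" risk scenarios scored by likelihood x impact, and flags rows that have passed the annual review cycle. The sample rows, the vulnerability list, the ordinal scoring scale and the review date are constructed assumptions, not values from the page.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rows in the template's column layout (subset of columns);
# multiple assets per row are separated with ';'.
REGISTER_CSV = """ID,Threat,TTP (MITRE ATT&CK),Likelihood,Potential Impact,Targeted Assets,Last Reviewed
T-001,Ransomware (double extortion),T1486 T1190 T1566.001,High,Critical,File servers;Domain controllers;Backups,2026-04-01
T-005,Exploitation of public-facing services,T1190,High,High,VPN;Firewall,2024-11-15
T-012,Physical theft of equipment,N/A,Medium,Medium,Laptops,2026-04-01
"""

# Constructed vulnerability register: asset -> weaknesses found on it.
VULNERABILITIES = {
    "Backups": ["backups online and reachable from the domain"],
    "Firewall": ["firmware behind the vendor patch level"],
    "Laptops": ["no full-disk encryption"],
}

# Assumed ordinal scale for the template's Likelihood / Potential Impact ratings.
SCALE = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def load_register(text):
    """Parse the register CSV into one dict per threat row."""
    return list(csv.DictReader(io.StringIO(text)))


def risk_scenarios(rows, vulns):
    """Combine threat + vulnerability + asset into scenarios, highest score first.
    Score = likelihood x impact on the ordinal scale above."""
    scenarios = []
    for row in rows:
        score = SCALE[row["Likelihood"]] * SCALE[row["Potential Impact"]]
        for asset in row["Targeted Assets"].split(";"):
            for weakness in vulns.get(asset, []):  # no recorded weakness -> no scenario
                scenarios.append({"threat": row["ID"], "asset": asset,
                                  "vulnerability": weakness, "score": score})
    return sorted(scenarios, key=lambda s: -s["score"])


def overdue_reviews(rows, today, max_age_days=365):
    """IDs whose Last Reviewed date is older than the annual review cycle."""
    cutoff = today - timedelta(days=max_age_days)
    return [r["ID"] for r in rows if date.fromisoformat(r["Last Reviewed"]) < cutoff]
```

Assets without a recorded weakness produce no scenario, which is the intended behaviour: a threat only becomes a risk once it meets a vulnerability on an asset.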
| ID | Threat | Category | Source | Description | TTP (MITRE ATT&CK) | Relevance | Targeted Assets | Likelihood | Potential Impact | Mitigation Controls | Last Reviewed |
|---|---|---|---|---|---|---|---|---|---|---|---|
| T-001 | Ransomware (double extortion) | Malware | BSI CSW + CERT-EU | Financially motivated groups (LockBit, Black Basta, Akira) target mid-size logistics | T1486, T1190, T1566.001 | High | File servers, domain controllers, backups | High | Critical | Offline backups, EDR, MFA, segmentation, awareness | 2026-04-01 |
| T-002 | Credential phishing | Social engineering | BSI Lagebericht 2025 | Large-scale phishing with adversary-in-the-middle kits | T1566.002, T1111 | High | User accounts, M365 | High | High | Mail filter, awareness, phishing-resistant MFA | 2026-04-01 |
| T-003 | Business email compromise (CEO fraud) | Social engineering | Allianz Cyber-Report | Impersonation of CEO/CFO targeting finance | T1534, T1656 | Medium | Finance team | Medium | High | Dual approval for payments, BEC training | 2026-04-01 |
| T-004 | Supply chain compromise | Supply chain | ENISA Threat Landscape 2025 | Compromise via updates or dependencies (xz, SolarWinds-style) | T1195.002 | Medium | Build pipeline, dependencies | Medium | Critical | SBOM, dependency scan, vendor risk review | 2026-04-01 |
| T-005 | Exploitation of public-facing services | Vulnerability | CISA KEV | Mass exploitation of VPN/firewall edge devices (Fortinet, Ivanti, Citrix) | T1190 | High | VPN, firewall, perimeter | High | High | Patch SLA, asset exposure monitoring, pentests | 2026-04-01 |
| T-006 | Insider threat - malicious leaver | Insider | ACFE report | Leavers exfiltrating data via personal cloud/email | T1537, T1048 | Medium | CRM, HR, finance data | Medium | High | DLP, leaver process, access review | 2026-04-01 |
| T-007 | DDoS against customer-facing services | DoS | NCSC advisory | Hacktivist or extortion DDoS | T1498, T1499 | Medium | Customer portal, website | Medium | Medium | CDN/L7 protection, rate limiting | 2026-04-01 |
| T-008 | Data leakage via misconfiguration | Misconfiguration | Cloud security reports | Open cloud buckets or databases accidentally exposed | T1530 | Medium | Cloud storage, databases | Medium | High | IaC scan, least privilege, account guardrails | 2026-04-01 |
| T-009 | Malicious browser extensions | Malware | Chrome advisories | Compromised extensions exfiltrate cookies and session tokens | T1176 | Medium | User endpoints | Medium | High | Extension allowlist, browser hardening | 2026-04-01 |
| T-010 | Living-off-the-land attacks | Post-exploitation | MITRE reports | Attackers using legitimate tools (PsExec, WMI, PowerShell) | T1059.001, T1021.002 | Medium | Windows servers | Medium | High | EDR behaviour rules, PowerShell logging | 2026-04-01 |
| T-011 | Drive-by compromise via watering hole | Web | Google TAG reports | Targeted websites serving exploits | T1189 | Low | User endpoints | Low | Medium | Web filter, browser patching | 2026-04-01 |
| T-012 | Physical theft of equipment | Physical | Internal history | Laptop theft from vehicles or while travelling | N/A | Medium | Laptops, mobile devices | Medium | Medium | Full-disk encryption, remote wipe, awareness | 2026-04-01 |
Sources
- ISO/IEC 27001:2022 A.5.7 — Threat intelligence
- ISO/IEC 27005:2022 — Information security risk management
- BSI IT-Grundschutz: Elementary threats — Catalogue of elementary threats