Threat Modelling in ISO 27001

$299.00
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
Who trusts this:
Trusted by professionals in 160+ countries
How you learn:
Self-paced • Lifetime updates
Your guarantee:
30-day money-back guarantee — no questions asked
When you get access:
Course access is prepared after purchase and delivered via email

This curriculum equips teams to implement threat modelling as an ongoing, integrated practice within ISO 27001-aligned risk and compliance workflows, comparable to the iterative cycles seen in multi-phase internal audit preparation and continuous control improvement programs.

Module 1: Aligning Threat Modelling with ISO 27001 Risk Assessment Processes

  • Integrate threat modelling outputs directly into Statement of Applicability (SoA) justification for control selection.
  • Map identified threats to ISO 27001 Annex A controls to validate coverage gaps in existing controls.
  • Determine whether threat modelling occurs before or after risk treatment planning to avoid redundant analysis.
  • Define ownership for maintaining threat models when risk assessments are updated annually or post-incident.
  • Use threat modelling to support risk scenario development in line with ISO 27005 risk assessment methodology.
  • Ensure threat model scope aligns with ISMS scope boundaries, especially in multi-tenant or hybrid environments.
  • Document threat modelling assumptions in risk assessment records for auditor review and traceability.
  • Coordinate threat modelling timelines with internal audit schedules to ensure findings are addressed in corrective action plans.

Module 2: Scoping and Asset Identification for Targeted Threat Analysis

  • Select critical systems for threat modelling based on business impact analysis and data classification levels.
  • Define data flows for high-value assets such as customer PII, intellectual property, and financial records.
  • Identify shadow IT components that process sensitive data but are excluded from the ISMS scope.
  • Classify assets by residency (on-prem, cloud, third-party) to adjust threat modelling techniques accordingly.
  • Establish criteria for re-scoping threat models when new applications are integrated into existing systems.
  • Use data flow diagrams (DFDs) to visualize trust boundaries between internal and external systems.
  • Validate asset ownership with business unit leads to ensure accountability in threat response planning.
  • Exclude non-critical legacy systems from detailed modelling while documenting risk acceptance rationale.

Module 3: Selecting and Adapting Threat Modelling Methodologies

  • Choose STRIDE over PASTA for internal systems where technical architecture details are well-documented.
  • Apply attack trees for high-risk payment processing systems to quantify exploit paths and likelihood.
  • Modify the OCTAVE Allegro approach to include compliance drivers specific to ISO 27001 control objectives.
  • Use hybrid models when cloud services require both architectural and policy-level threat analysis.
  • Standardize template formats for threat models to ensure consistency across business units and audit readiness.
  • Adjust methodology rigor based on system criticality—lightweight models for low-risk internal tools.
  • Train architects to apply threat modelling during design phase rather than retrofitting post-deployment.
  • Document methodology selection rationale in the risk register for auditor traceability.

Module 4: Identifying and Prioritizing Threat Agents and Motivations

  • Classify threat agents by capability and intent (e.g., insider with admin access vs. script kiddie).
  • Assess likelihood based on historical incident data from SIEM and SOC reports.
  • Factor in geopolitical risks when systems are hosted in high-threat jurisdictions.
  • Include third-party vendors as potential threat sources in supply chain risk assessments.
  • Adjust threat agent profiles when mergers or layoffs increase insider risk.
  • Use threat intelligence feeds to update profiles for emerging APT groups targeting the industry.
  • Differentiate between opportunistic and targeted attacks when allocating mitigation budgets.
  • Validate threat agent assumptions with physical security and HR teams for insider scenarios.

Module 5: Defining and Validating Attack Vectors and Vulnerabilities

  • Map attack vectors to specific system interfaces (APIs, user inputs, file uploads).
  • Correlate identified vulnerabilities with existing findings from penetration tests and vulnerability scans.
  • Assess default configurations in cloud services (e.g., S3 buckets, IAM roles) as potential attack vectors.
  • Validate zero-day assumptions by consulting vendor advisories and CERT bulletins.
  • Include misconfigurations due to IaC (Terraform, CloudFormation) templates in vulnerability analysis.
  • Identify privilege escalation paths through service accounts with excessive permissions.
  • Document insecure deserialization or injection points in custom-developed applications.
  • Use automated SAST tools to verify manual threat model findings during code review.

Module 6: Evaluating Controls and Mitigation Strategies

  • Assess whether existing ISO 27001 controls (e.g., A.9 Access Control) sufficiently mitigate identified threats.
  • Design compensating controls when technical mitigations are not feasible within project timelines.
  • Implement WAF rules to address injection threats when code remediation is delayed.
  • Justify control enhancements based on cost-benefit analysis tied to single loss expectancy (SLE).
  • Integrate logging and monitoring controls to detect exploitation of residual threats.
  • Enforce MFA for administrative access as a baseline mitigation for credential theft threats.
  • Use network segmentation to isolate high-risk systems when end-to-end encryption is not viable.
  • Document control effectiveness metrics for inclusion in management review reports.

Module 7: Integrating Threat Modelling into SDLC and Change Management

  • Embed threat modelling checkpoints in sprint planning for Agile development teams.
  • Require threat model updates before production deployment in change advisory board (CAB) reviews.
  • Assign security champions to facilitate threat modelling in development teams without dedicated security staff.
  • Automate threat model validation using CI/CD pipelines with policy-as-code tools (e.g., OPA).
  • Update threat models when third-party libraries are upgraded or replaced.
  • Archive outdated threat models and link them to version-controlled system documentation.
  • Conduct threat modelling re-assessments after major architectural changes (e.g., migration to microservices).
  • Train DevOps engineers to interpret threat model outputs for infrastructure hardening.

Module 8: Reporting, Documentation, and Audit Readiness

  • Structure threat model reports to align with ISO 27001 documentation requirements for risk treatment plans.
  • Include threat model outputs in internal audit workpapers upon request.
  • Maintain version history of threat models to demonstrate continuous improvement.
  • Redact sensitive details in threat models shared with external auditors or regulators.
  • Link residual risks from threat models to risk acceptance forms signed by business owners.
  • Use standardized templates to ensure all threat models contain threat descriptions, mitigations, and owners.
  • Archive threat models in the organization’s GRC platform for centralized access.
  • Prepare executive summaries of high-risk threats for inclusion in board-level risk reports.

Module 9: Continuous Threat Model Maintenance and Review

  • Schedule quarterly reviews of threat models for critical systems regardless of changes.
  • Trigger ad-hoc reviews following security incidents affecting similar system architectures.
  • Update threat models when new regulatory requirements (e.g., NIS2, DORA) impact control expectations.
  • Integrate threat intelligence updates into model assumptions about attacker capabilities.
  • Reassess threat models after onboarding new cloud service providers.
  • Assign accountability for model updates to system owners in the risk register.
  • Use automated asset discovery tools to detect unmodelled systems processing sensitive data.
  • Measure model effectiveness by tracking whether predicted threats materialized in incident data.