AuditRubric
id-ra-3 high Identify / Risk Assessment

Internal and external threats to the organization are identified and recorded

A vulnerability scan tells you about weaknesses in your assets, but threat identification tells you who might exploit them and how. Understanding the realistic threat landscape for your industry, size, and technology stack helps you focus controls on the most likely attack paths rather than defending against everything equally. Threat identification is the bridge between knowing your weaknesses and understanding your actual risk.

Estimated effort: 4h
Tags: threat-modeling, risk, threats
Complete first: id-ra-1 , id-ra-2

Implementation steps

  1. Identify threat categories relevant to your organization

    Enumerate the threat actors and categories that realistically apply to your organization. Consider: opportunistic cybercriminals targeting your industry, insider threats from employees or contractors, nation-state actors if you hold sensitive government or critical infrastructure data, and supply chain threats through your vendors. Use MITRE ATT&CK as a reference for attacker tactics and techniques.

    Tools: MITRE ATT&CK Navigator
  2. Conduct a structured threat modeling exercise

    For your primary systems and data flows, run a threat modeling session using a structured method such as STRIDE or PASTA. Involve engineering and product stakeholders. Document identified threats with a description of the threat actor, the attack vector, and the asset or data targeted.

    Tools: Microsoft Threat Modeling Tool, IriusRisk, Lucidchart
  3. Record threats in a register and keep it current

    Maintain a threat register that lists each identified threat, its source (internal or external), the threat actor category, the attack vector, the assets it targets, the date it was identified, and the date it was last reviewed. Update the register when your threat intelligence sources flag new active campaigns, when you add new systems or enter new markets, or at least annually, and record the review date each time so the register itself evidences the review.

    Tools: Confluence, Jira, SharePoint
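The three steps above produce a register that has to be complete and current to count as evidence. The following script is an added example, not part of this control or any vendor tool: it loads a threat register, flags entries with missing required fields, flags entries not reviewed within the last 12 months, summarises internal versus external sources, and emits an ATT&CK Navigator layer from the technique IDs recorded against each threat. The CSV column names, the sample entries, the 365-day window and the Navigator version strings are all assumptions for illustration.

```python
"""Threat register checks: required fields, review staleness, and an ATT&CK Navigator layer.

Added example; not part of the original control text. The column layout, the
sample rows, the 365-day review window and the Navigator version strings are
assumptions chosen for illustration.
"""
import csv
import io
import json
from datetime import date, timedelta

# Fields an entry needs before it is useful as audit evidence (assumed layout).
REQUIRED = ("id", "threat", "source", "actor_category", "attack_vector",
            "targeted_asset", "attack_techniques", "identified", "last_reviewed")
REVIEW_WINDOW_DAYS = 365  # "at least annually", per the control text

# Constructed sample register; not real data. TR-003 lacks a review date,
# TR-004 lacks an attack vector, TR-002 has not been reviewed in years.
SAMPLE_REGISTER = """\
id,threat,source,actor_category,attack_vector,targeted_asset,attack_techniques,identified,last_reviewed
TR-001,Phishing of finance staff for payment diversion,external,cybercriminal,email,finance mailboxes,T1566.001;T1534,2023-02-10,2024-03-01
TR-002,Departing engineer exfiltrates source code,internal,insider,authorized access,source repositories,T1567.002,2022-11-05,2022-11-05
TR-003,Compromised build dependency,external,supply-chain,software update,CI pipeline,T1195.002,2024-01-15,
TR-004,Credential stuffing against customer portal,external,cybercriminal,,customer accounts,T1110.004,2024-06-01,2024-06-01
"""


def load_register(text):
    """Parse CSV text into a list of dicts with whitespace-stripped string values."""
    rows = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in rows]


def missing_fields(entry):
    """Return the required fields that are empty for one entry."""
    return [f for f in REQUIRED if not entry.get(f)]


def stale_entries(register, today, window_days=REVIEW_WINDOW_DAYS):
    """IDs of entries whose last review is missing or older than the window."""
    cutoff = today - timedelta(days=window_days)
    stale = []
    for e in register:
        if not e["last_reviewed"] or date.fromisoformat(e["last_reviewed"]) < cutoff:
            stale.append(e["id"])
    return stale


def source_summary(register):
    """Count entries by source so both internal and external threats are visibly covered."""
    counts = {"internal": 0, "external": 0}
    for e in register:
        counts[e["source"]] = counts.get(e["source"], 0) + 1
    return counts


def navigator_layer(register, name="Threat register coverage"):
    """Build an ATT&CK Navigator layer dict: one technique entry per ID cited in the register,
    scored by how many threats cite it, with the citing threat IDs as the comment."""
    scores, cited_by = {}, {}
    for e in register:
        for tid in filter(None, (t.strip() for t in e["attack_techniques"].split(";"))):
            scores[tid] = scores.get(tid, 0) + 1
            cited_by.setdefault(tid, []).append(e["id"])
    return {
        "name": name,
        # Version strings are assumptions; set them to match your Navigator instance.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": scores[tid], "comment": ", ".join(cited_by[tid])}
            for tid in sorted(scores)
        ],
    }


def report(register, today):
    """Collect everything an auditor would ask for into one structure."""
    return {
        "incomplete": {e["id"]: missing_fields(e) for e in register if missing_fields(e)},
        "stale": stale_entries(register, today),
        "by_source": source_summary(register),
        "technique_count": len(navigator_layer(register)["techniques"]),
    }


if __name__ == "__main__":
    reg = load_register(SAMPLE_REGISTER)
    print(json.dumps(report(reg, date.today()), indent=2))
    # Write the layer to a file and open it with "Open Existing Layer" in Navigator.
    with open("threat-register-layer.json", "w") as fh:
        json.dump(navigator_layer(reg), fh, indent=2)
```

Run it against an export of your own register (any CSV with the assumed columns) and keep the output with the dated review notes; an empty `stale` list and an empty `incomplete` map is the state the evidence section below expects.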

Evidence required

Threat register or threat model documentation

A record of identified internal and external threats, including threat actor category, attack vector, and targeted assets.

  • STRIDE threat model output for a primary application
  • Threat register spreadsheet with threat descriptions and targeted assets
  • MITRE ATT&CK Navigator layer showing relevant adversary techniques

Evidence of regular threat identification review

Proof that the threat landscape was reviewed and updated within the last 12 months.

  • Dated threat model workshop notes or output document
  • Annual security review meeting notes referencing threat identification
  • Updated threat register with a recent review date

Related controls