Culture and Org. -> Design: Conduction of simple threat modelling on business level

Risk and Opportunity

Risk: Business related threats are discovered too late in the development and deployment process.

Opportunity: Threat modelling of business functionality is performed during the product backlog creation to facilitate early detection of security defects.

Exploit details

Usefullness: Medium

Required knowledge: Low (one discipline)

Required time: Medium

Required resources (systems): Very Low

OWASP SAMM 1 Mapping: TA1-A

ISO27001:2017 Controls Mapping:

not explicitly covered by ISO 27001
may be part of risk assessment
8.2.1
14.2.1