Using threat modelling for information security and data privacy management

  • Stéphane Adamiste
  • 27 Sep 2020

The above diagram explains how threat modelling, information security management and data privacy management relate.

As we have seen in our video, threat modelling deals with information assets processed within the information system being analysed. It allows for the identification of the threats pertaining to the system and documents the most appropriate countermeasures.

Information security management is about protecting information assets against adverse events, using a risk-based approach. This means that threats to the information assets need to be inventoried and mitigation measures proposed (for instance, security controls from the ISO27002 standard, or from any similar reference such as the NIST Cybersecurity Framework).

Lastly, data privacy management concerns specific information assets, namely personal data. Organizations processing personal data are supposed to perform data protection impact assessments on their IT systems, which corresponds to identifying threats, quantifying the associated risks and proposing technical and organisational measures to reduce those risks.

Using a common threat catalogue and common controls builds the bridge between the three domains and allows leveraging the power of threat modelling for the benefit of both information security and data privacy management.
