What is the definition of a threat according to ISO/IEC 27000?

Comprehensive and Detailed Explanation From Exact Extract ISO/IEC 27000 standards:

According to ISO/IEC 27000:2018, Clause 3.74, athreatis defined as:

“Potential cause of an unwanted incident, which can result in harm to a system or organization.”

This definition directly matches option A.

Option B refers to an “information security incident” (ISO/IEC 27000:2018, Clause 3.32).

Option C describes a “vulnerability” (ISO/IEC 27000:2018, Clause 3.67).

Option D refers to “residual risk” (ISO/IEC 27000:2018, Clause 3.61).

The standard emphasizes that threats exploit vulnerabilities, causing incidents that can harm information confidentiality, integrity, and availability. Correctly identifying threats is critical for risk assessment (Clause 6.1.2). Thus, the correct definition per ISO/IEC 27000 isA.