**4.2 Step 2: Identifying vulnerabilities**

In this phase, the inherent vulnerabilities in the entities of the IT systems are reviewed, identified and listed, specifically those that expose the organizational assets and business processes to potential threats. This includes both software-level and hardware-level vulnerabilities of the IT infrastructure. Each entry in the list of vulnerabilities must carry detailed information such as its type, impact and measure.
