UnixTime

Research Note

Asset Threat Vulnerability Risk Control Evidence Data Model

This note defines the practical data chain for the KB and future software model.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This note defines the practical data chain for the KB and future software model.

01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.

Entity map

Entity Plain-language meaning Example Related standard view
Asset Something valuable to protect Customer database ISO 27005 Knowledge Base MOC
Threat Event or source that can cause harm Ransomware campaign ISO 27005 Risk Process Notes
Vulnerability Weakness that makes harm possible Unpatched VPN Risk Assessment
Risk Effect of uncertainty on security objective Customer data compromise Risk and Control Mapping Table
Treatment Decision on what to do with risk Mitigate through monitoring and patching Statement of Applicability
Control Safeguard or process A.5.7 Threat Intelligence ISO 27002 Knowledge Base MOC
Evidence Record proving operation Threat register, IOC review, SIEM update Audit Evidence Index
Audit Independent verification Interview and evidence sample ISO 27001 Auditor Guide MOC

Example chain

Step Example
Asset Customer database
Threat Ransomware group targeting exposed VPNs
Vulnerability Delayed patching or weak monitoring
Risk Customer data compromise
Treatment Monitor threat intelligence and update detections
Control A.5.7 Threat Intelligence
Evidence Threat Intelligence Register, IOC review records, detection updates
Audit A.5.7 Audit Evidence Pack

Software object mapping

Object Key fields
Asset owner, classification, business process, location, criticality
Threat source, event type, affected assets, intelligence source
Vulnerability weakness, affected assets, severity, status
Risk scenario, likelihood, impact, owner, rating, status
Treatment option, controls, actions, residual risk, approval
Control standard, control ID, owner, objective, implementation status
Evidence type, control, risk, owner, location, frequency, retention
Audit scope, criteria, samples, evidence, findings
Finding requirement, evidence, severity, root cause, corrective action