Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This note defines the practical data chain for the KB and future software model.
01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.
Entity map
| Entity | Plain-language meaning | Example | Related standard view |
|---|---|---|---|
| Asset | Something valuable to protect | Customer database | ISO 27005 Knowledge Base MOC |
| Threat | Event or source that can cause harm | Ransomware campaign | ISO 27005 Risk Process Notes |
| Vulnerability | Weakness that makes harm possible | Unpatched VPN | Risk Assessment |
| Risk | Effect of uncertainty on security objective | Customer data compromise | Risk and Control Mapping Table |
| Treatment | Decision on what to do with risk | Mitigate through monitoring and patching | Statement of Applicability |
| Control | Safeguard or process | A.5.7 Threat Intelligence | ISO 27002 Knowledge Base MOC |
| Evidence | Record proving operation | Threat register, IOC review, SIEM update | Audit Evidence Index |
| Audit | Independent verification | Interview and evidence sample | ISO 27001 Auditor Guide MOC |
Example chain
| Step | Example |
|---|---|
| Asset | Customer database |
| Threat | Ransomware group targeting exposed VPNs |
| Vulnerability | Delayed patching or weak monitoring |
| Risk | Customer data compromise |
| Treatment | Monitor threat intelligence and update detections |
| Control | A.5.7 Threat Intelligence |
| Evidence | Threat Intelligence Register, IOC review records, detection updates |
| Audit | A.5.7 Audit Evidence Pack |
Software object mapping
| Object | Key fields |
|---|---|
| Asset | owner, classification, business process, location, criticality |
| Threat | source, event type, affected assets, intelligence source |
| Vulnerability | weakness, affected assets, severity, status |
| Risk | scenario, likelihood, impact, owner, rating, status |
| Treatment | option, controls, actions, residual risk, approval |
| Control | standard, control ID, owner, objective, implementation status |
| Evidence | type, control, risk, owner, location, frequency, retention |
| Audit | scope, criteria, samples, evidence, findings |
| Finding | requirement, evidence, severity, root cause, corrective action |
Related notes
- Grc
- Data model
- Risk
- Evidence
Note Metadata
Aliases: Risk Evidence Data Model
Source: 13 GRC Knowledge Model/Asset Threat Vulnerability Risk Control Evidence Data Model.md
Graph-sourced resources
Templates and evidence
Auditor evidence packs
Evidence collections and audit-facing verification material.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- ISO27001 ISMS KB - Start Here
- Risk Assessment
- Statement of Applicability
- ISO 27001 A.5.7 - Threat Intelligence
- A.5.7 Audit Evidence Pack
- ISO 27001 Auditor Guide
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27002 Annex A Control Interpretation Map
- ISO 27002 Knowledge Base
- ISO 27005 Knowledge Base
- GRC Knowledge Model
- Risk Knowledge Base
- Template - Risk and Control Mapping Table
- Template Risk Scenario
- Threat Intelligence Register
- Audit Evidence Index
- ISO 27001 Overview