UnixTime

Research Note

Risk Knowledge Base

This section holds reusable risk knowledge for ISO/IEC 27005-style analysis and future GRC software modeling.

On this page

Purpose

How to use this page

Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.

This section holds reusable risk knowledge for ISO/IEC 27005-style analysis and future GRC software modeling.

It should grow into catalogs for:

  • assets;
  • threats;
  • vulnerabilities;
  • risk scenarios;
  • treatments;
  • evidence expectations;
  • control mappings.

Current model

Working rule

Every risk scenario should be written in the chain:

01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.

Scenario catalog

  • Risk
  • Iso27005
  • Grc
  • Moc

Note Metadata

Aliases: Risk KB

Source: 13 GRC Knowledge Model/Risk Knowledge Base MOC.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.

Risk treatment artifacts

Risk records, mappings, and treatment-supporting references.