Purpose
How to use this page
Use this as a navigation and decision page. Follow the links for detailed control, audit, risk, evidence, and exam notes.
This section holds reusable risk knowledge for ISO/IEC 27005-style analysis and future GRC software modeling.
It should grow into catalogs for:
- assets;
- threats;
- vulnerabilities;
- risk scenarios;
- treatments;
- evidence expectations;
- control mappings.
Current model
- Asset Threat Vulnerability Risk Control Evidence Data Model
- ISO 27005 Knowledge Base MOC
- ISO 27005 Risk Process Notes
- Risk and Control Mapping Table
- A.5 Controls Implementation Audit Risk Mapping
Working rule
Every risk scenario should be written in the chain:
01 Asset What must be protected: data, service, process, person, or facility.
02 Threat Event, actor, or condition that can cause harm.
03 Vulnerability Weakness that makes the threat relevant.
04 Risk Scenario with likelihood, impact, owner, and priority.
05 Treatment Avoid, mitigate, transfer, or accept the risk.
06 Control Safeguard selected through ISO 27001/27002 and the SoA.
07 Evidence Record proving the control exists and operates.
08 Audit Independent verification, finding, or assurance result.
Related templates
Scenario catalog
- RISK-0001 Customer Data Compromise Due to Ransomware Campaign
- RISK-0002 Incident Escalation Failure Due to Unclear Ownership
- RISK-0003 Security Event Misclassification Delays Incident Response
- RISK-0004 Uncoordinated Incident Response Allows Compromise to Spread
- RISK-0005 Repeat Incidents Due to Missing Lessons Learned
- RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody
- RISK-0007 Excessive Access to Sensitive Assets Due to Weak Access Rules
- RISK-0008 Orphaned Identities After Role or Employment Change
- RISK-0009 Compromised Authentication Information Due to Weak Credential Handling
- RISK-0010 Stale Access Rights After Business Change
- RISK-0011 Unmanaged Supplier Security Exposure Due to Incomplete Supplier Inventory
- RISK-0012 Supplier Access Before Security Requirements Are Agreed
- RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies
- RISK-0014 Supplier Service Change Without Risk Review
- RISK-0015 Cloud Governance and Exit Failure Due to Weak Cloud Service Controls
- Risk
- Iso27005
- Grc
- Moc
Note Metadata
Aliases: Risk KB
Source: 13 GRC Knowledge Model/Risk Knowledge Base MOC.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Risk treatment artifacts
Risk records, mappings, and treatment-supporting references.
Related Notes
- RISK-0001 Customer Data Compromise Due to Ransomware Campaign
- RISK-0002 Incident Escalation Failure Due to Unclear Ownership
- RISK-0003 Security Event Misclassification Delays Incident Response
- RISK-0004 Uncoordinated Incident Response Allows Compromise to Spread
- RISK-0005 Repeat Incidents Due to Missing Lessons Learned
- RISK-0006 Evidence Integrity Loss Due to Weak Chain of Custody
- RISK-0007 Excessive Access to Sensitive Assets Due to Weak Access Rules
- RISK-0008 Orphaned Identities After Role or Employment Change
- RISK-0009 Compromised Authentication Information Due to Weak Credential Handling
- RISK-0010 Stale Access Rights After Business Change
- RISK-0011 Unmanaged Supplier Security Exposure Due to Incomplete Supplier Inventory
- RISK-0012 Supplier Access Before Security Requirements Are Agreed
- RISK-0013 Inherited ICT Supply Chain Compromise Through Unreviewed Dependencies
- RISK-0014 Supplier Service Change Without Risk Review
- RISK-0015 Cloud Governance and Exit Failure Due to Weak Cloud Service Controls
- ISO 27005 Risk Process Notes
- A.5 Controls Implementation Audit Risk Mapping
- ISO 27005 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Template - Risk and Control Mapping Table
- Template Control Card
- Template Evidence Item
- Template Risk Scenario