Class: Risk

An identified information security risk that may affect information security properties within the ISMS scope.

URI: iso27001:Risk

classDiagram
    class Risk
    click Risk href "../Risk/"
      NamedEntity <|-- Risk
        click NamedEntity href "../NamedEntity/"

      Risk : affected_assets
        Risk --> "*" Asset : affected_assets
        click Asset href "../Asset/"
      Risk : affected_cia_properties
      Risk : created_date
      Risk : description
      Risk : existing_controls
        Risk --> "*" SecurityControl : existing_controls
        click SecurityControl href "../SecurityControl/"
      Risk : id
      Risk : impact
        Risk --> "0..1" ImpactRating : impact
        click ImpactRating href "../ImpactRating/"
      Risk : inherent_risk_level
        Risk --> "0..1" RiskLevel : inherent_risk_level
        click RiskLevel href "../RiskLevel/"
      Risk : likelihood
        Risk --> "0..1" LikelihoodRating : likelihood
        click LikelihoodRating href "../LikelihoodRating/"
      Risk : modified_date
      Risk : name
      Risk : related_treatment_plan
        Risk --> "0..1" RiskTreatmentPlan : related_treatment_plan
        click RiskTreatmentPlan href "../RiskTreatmentPlan/"
      Risk : residual_risk_level
        Risk --> "0..1" RiskLevel : residual_risk_level
        click RiskLevel href "../RiskLevel/"
      Risk : risk_owner
      Risk : risk_source
      Risk : risk_treatment_option
        Risk --> "0..1" RiskTreatmentOption : risk_treatment_option
        click RiskTreatmentOption href "../RiskTreatmentOption/"
      Risk : threat_description
      Risk : treatment_priority
      Risk : version
      Risk : vulnerability_description

Inheritance

  • NamedEntity
      • Risk

Slots

| Name | Cardinality and Range | Description | Inheritance |
| --- | --- | --- | --- |
| risk_source | 0..1 String | Source or origin of the risk | direct |
| threat_description | 0..1 String | Description of the threat exploiting the vulnerability | direct |
| vulnerability_description | 0..1 String | Description of the vulnerability that could be exploited | direct |
| affected_assets | * Asset | Assets affected by this risk or incident | direct |
| affected_cia_properties | * String | Which CIA properties are affected (confidentiality, integrity, availability) | direct |
| risk_owner | 0..1 String | Person accountable for managing the risk | direct |
| likelihood | 0..1 LikelihoodRating | Assessed likelihood of risk occurrence | direct |
| impact | 0..1 ImpactRating | Assessed impact if risk materializes | direct |
| inherent_risk_level | 0..1 RiskLevel | Risk level before controls are applied | direct |
| existing_controls | * SecurityControl | Controls currently in place affecting this risk | direct |
| residual_risk_level | 0..1 RiskLevel | Risk level after controls are applied | direct |
| risk_treatment_option | 0..1 RiskTreatmentOption | Selected treatment option for the risk | direct |
| treatment_priority | 0..1 String | Priority for treating this risk | direct |
| related_treatment_plan | 0..1 RiskTreatmentPlan | Risk treatment plan addressing this risk | direct |
| id | 1 Uriorcurie | Unique identifier for this entity instance | NamedEntity |
| name | 1 String | Human-readable name or title | NamedEntity |
| description | 0..1 String | Detailed description of the entity | NamedEntity |
| created_date | 0..1 Date | Date when the entity was created | NamedEntity |
| modified_date | 0..1 Date | Date when the entity was last modified | NamedEntity |
| version | 0..1 String | Version identifier for the entity | NamedEntity |
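
An added example (not part of the generated schema documentation or the project's own code): a small Python check of one Risk record against the cardinalities in the Slots table above. The CIA value check, the two register-hygiene rules, the loose CURIE pattern and the sample records are assumptions of this example; the `*_PLACEHOLDER` strings stand in for enum values that are not shown on this page.

```python
import re

# Cardinalities from the Slots table: "1" = required, "*" = multivalued.
REQUIRED = ("id", "name")
MULTIVALUED = ("affected_assets", "affected_cia_properties", "existing_controls")
SINGLE = ("id", "name", "description", "created_date", "modified_date", "version",
          "risk_source", "threat_description", "vulnerability_description", "risk_owner",
          "likelihood", "impact", "inherent_risk_level", "residual_risk_level",
          "risk_treatment_option", "treatment_priority", "related_treatment_plan")
# The schema types this slot as String; the allowed values come from its description.
CIA = {"confidentiality", "integrity", "availability"}
# Loose "prefix:local" / absolute-URI shape for the Uriorcurie range (assumption).
CURIE = re.compile(r"^[A-Za-z][\w.+-]*:\S+$")


def check_risk(record):
    """Return a sorted list of findings for one Risk record (a dict)."""
    findings = [f"{s}: required slot is missing or empty" for s in REQUIRED if not record.get(s)]
    if record.get("id") and not CURIE.match(str(record["id"])):
        findings.append("id: not a URI or CURIE")
    for slot in record:
        if slot not in SINGLE and slot not in MULTIVALUED:
            findings.append(f"{slot}: not a slot of Risk")
    for slot in MULTIVALUED:
        if slot in record and not isinstance(record[slot], list):
            findings.append(f"{slot}: multivalued slot must be a list")
    for slot in SINGLE:
        if isinstance(record.get(slot), list):
            findings.append(f"{slot}: single-valued slot, got a list")
    cia = record.get("affected_cia_properties")
    for value in cia if isinstance(cia, list) else []:
        if value not in CIA:
            findings.append(f"affected_cia_properties: unknown value {value!r}")
    # Register-hygiene rules: assumptions of this example, not schema constraints.
    if record.get("residual_risk_level") and not record.get("existing_controls"):
        findings.append("residual_risk_level: set but existing_controls is empty")
    if (record.get("likelihood") or record.get("impact")) and not record.get("risk_owner"):
        findings.append("risk_owner: rated risk has no accountable owner")
    return sorted(findings)


# Constructed records; *_PLACEHOLDER stands in for enum values defined elsewhere.
GOOD = {"id": "iso27001:risk-001", "name": "Constructed sample risk",
        "affected_assets": ["ex:asset-db"], "affected_cia_properties": ["confidentiality"],
        "risk_owner": "Constructed Owner", "impact": "IMPACT_PLACEHOLDER",
        "existing_controls": ["iso27001:control-5.1"], "residual_risk_level": "LEVEL_PLACEHOLDER"}
BAD = {"id": "risk 001", "affected_assets": "ex:asset-db", "severity": "high",
       "affected_cia_properties": ["Confidentiality", "integrity"],
       "impact": "IMPACT_PLACEHOLDER", "residual_risk_level": "LEVEL_PLACEHOLDER"}
```

Because `affected_cia_properties` has range String, schema validation alone accepts a misspelled or differently cased property name; a check like the one above is what catches it.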

Usages

| used by | used in | type | used |
| --- | --- | --- | --- |
| InformationSecurityObjective | related_risks | range | Risk |
| RiskAssessment | risks_identified | range | Risk |
| RiskTreatmentPlan | risks_addressed | range | Risk |
| Asset | related_risks | range | Risk |

In Subsets

  • risk_management

Comments

  • Links threat, vulnerability, and affected assets to risk ownership
  • Supports likelihood, impact, treatment, and residual risk tracking
  • Reference: ISO/IEC 27001:2022 Clause 6.1.2. ISO/IEC standards text is copyright ISO - not reproduced here.

Identifier and Mapping Information

Annotations

| property | value |
| --- | --- |
| iso27001_clause | 6.1.2 |

Schema Source

  • from schema: https://w3id.org/lmodel/iso27001

Mappings

| Mapping Type | Mapped Value |
| --- | --- |
| self | iso27001:Risk |
| native | iso27001:Risk |

LinkML Source

Direct

name: Risk
annotations:
  iso27001_clause:
    tag: iso27001_clause
    value: 6.1.2
description: An identified information security risk that may affect information security
  properties within the ISMS scope.
comments:
- Links threat, vulnerability, and affected assets to risk ownership
- Supports likelihood, impact, treatment, and residual risk tracking
- 'Reference: ISO/IEC 27001:2022 Clause 6.1.2. ISO/IEC standards text is copyright
  ISO - not reproduced here.'
in_subset:
- risk_management
from_schema: https://w3id.org/lmodel/iso27001
is_a: NamedEntity
slots:
- risk_source
- threat_description
- vulnerability_description
- affected_assets
- affected_cia_properties
- risk_owner
- likelihood
- impact
- inherent_risk_level
- existing_controls
- residual_risk_level
- risk_treatment_option
- treatment_priority
- related_treatment_plan

Induced

name: Risk
annotations:
  iso27001_clause:
    tag: iso27001_clause
    value: 6.1.2
description: An identified information security risk that may affect information security
  properties within the ISMS scope.
comments:
- Links threat, vulnerability, and affected assets to risk ownership
- Supports likelihood, impact, treatment, and residual risk tracking
- 'Reference: ISO/IEC 27001:2022 Clause 6.1.2. ISO/IEC standards text is copyright
  ISO - not reproduced here.'
in_subset:
- risk_management
from_schema: https://w3id.org/lmodel/iso27001
is_a: NamedEntity
attributes:
  risk_source:
    name: risk_source
    description: Source or origin of the risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: risk_source
    owner: Risk
    domain_of:
    - Risk
    range: string
  threat_description:
    name: threat_description
    description: Description of the threat exploiting the vulnerability.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: threat_description
    owner: Risk
    domain_of:
    - Risk
    range: string
  vulnerability_description:
    name: vulnerability_description
    description: Description of the vulnerability that could be exploited.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: vulnerability_description
    owner: Risk
    domain_of:
    - Risk
    range: string
  affected_assets:
    name: affected_assets
    description: Assets affected by this risk or incident.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: affected_assets
    owner: Risk
    domain_of:
    - Risk
    - InformationSecurityEvent
    - InformationSecurityIncident
    range: Asset
    multivalued: true
  affected_cia_properties:
    name: affected_cia_properties
    description: Which CIA properties are affected (confidentiality, integrity, availability).
    comments:
    - Per 6.1.2 c) 1) risks associated with loss of CIA
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: affected_cia_properties
    owner: Risk
    domain_of:
    - Risk
    range: string
    multivalued: true
  risk_owner:
    name: risk_owner
    annotations:
      iso27001_clause:
        tag: iso27001_clause
        value: 6.1.2 c) 2)
    description: Person accountable for managing the risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: risk_owner
    owner: Risk
    domain_of:
    - Risk
    range: string
  likelihood:
    name: likelihood
    annotations:
      iso27001_clause:
        tag: iso27001_clause
        value: 6.1.2 d) 2)
    description: Assessed likelihood of risk occurrence.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: likelihood
    owner: Risk
    domain_of:
    - Risk
    range: LikelihoodRating
  impact:
    name: impact
    annotations:
      iso27001_clause:
        tag: iso27001_clause
        value: 6.1.2 d) 1)
    description: Assessed impact if risk materializes.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: impact
    owner: Risk
    domain_of:
    - Risk
    range: ImpactRating
  inherent_risk_level:
    name: inherent_risk_level
    description: Risk level before controls are applied.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: inherent_risk_level
    owner: Risk
    domain_of:
    - Risk
    range: RiskLevel
  existing_controls:
    name: existing_controls
    description: Controls currently in place affecting this risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: existing_controls
    owner: Risk
    domain_of:
    - Risk
    range: SecurityControl
    multivalued: true
  residual_risk_level:
    name: residual_risk_level
    description: Risk level after controls are applied.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: residual_risk_level
    owner: Risk
    domain_of:
    - Risk
    range: RiskLevel
  risk_treatment_option:
    name: risk_treatment_option
    description: Selected treatment option for the risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: risk_treatment_option
    owner: Risk
    domain_of:
    - Risk
    range: RiskTreatmentOption
  treatment_priority:
    name: treatment_priority
    description: Priority for treating this risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: treatment_priority
    owner: Risk
    domain_of:
    - Risk
    range: string
  related_treatment_plan:
    name: related_treatment_plan
    description: Risk treatment plan addressing this risk.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: related_treatment_plan
    owner: Risk
    domain_of:
    - Risk
    range: RiskTreatmentPlan
  id:
    name: id
    description: Unique identifier for this entity instance.
    comments:
    - Should use consistent URI/CURIE format across the dataset
    examples:
    - value: iso27001:risk-001
    - value: iso27001:control-5.1
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    identifier: true
    alias: id
    owner: Risk
    domain_of:
    - NamedEntity
    range: uriorcurie
    required: true
  name:
    name: name
    description: Human-readable name or title.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: name
    owner: Risk
    domain_of:
    - NamedEntity
    range: string
    required: true
  description:
    name: description
    description: Detailed description of the entity.
    comments:
    - Should provide sufficient detail for understanding without external reference
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: description
    owner: Risk
    domain_of:
    - NamedEntity
    range: string
  created_date:
    name: created_date
    description: Date when the entity was created.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: created_date
    owner: Risk
    domain_of:
    - NamedEntity
    range: date
  modified_date:
    name: modified_date
    description: Date when the entity was last modified.
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: modified_date
    owner: Risk
    domain_of:
    - NamedEntity
    range: date
  version:
    name: version
    description: Version identifier for the entity.
    comments:
    - Supports document control requirements per 7.5.3 e)
    examples:
    - value: '1.0'
    - value: 2.3.1
    from_schema: https://w3id.org/lmodel/iso27001
    rank: 1000
    alias: version
    owner: Risk
    domain_of:
    - NamedEntity
    range: string