Designing an Ontology-Based Framework for ISO 27002-Based Information Security Risk Management

Authors

  • Youssef El Marzak, M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Morocco
  • Lamia Moudoubah, M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Morocco
  • Abdelilah Chahid, M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Morocco
  • Sophia Faris, M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Morocco
  • Khalifa Mansouri, M2S2I Laboratory, ENSET Mohammedia, Hassan II University of Casablanca, Morocco
Volume: 16 | Issue: 1 | Pages: 31741-31747 | February 2026 | https://doi.org/10.48084/etasr.15794

Abstract

Information Security Risk Management (ISRM) is an essential requirement for organizations seeking to ensure the governance and protection of their information assets. Ontology-based knowledge representation has emerged as a promising solution to address information security challenges, as it enables the formalization of concepts, relationships, and constraints within a given domain. This paper proposes an ontology-based framework aligned with the ISO/IEC 27002 standard. The approach consists of extracting relevant concepts from textual sources using UML modeling and TF-IDF filtering, and representing them in OWL using the Protégé environment. The resulting ontology formally captures key ISRM entities, including assets, threats, vulnerabilities, risks, controls, and monitoring mechanisms. The ontology was validated using the FaCT++ reasoner to assess consistency and semantic completeness. The results show that the proposed model ensures traceability across ISO/IEC 27002 control families, supports governance alignment, and improves visibility across risk treatment processes.
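The two-stage pipeline the abstract describes (TF-IDF filtering of control text to obtain candidate concepts, then an OWL representation of the ISRM entities) is illustrated below with an added, self-contained example; it is not the authors' code or ontology. The three control descriptions are constructed in the style of ISO/IEC 27002 control families rather than taken from the standard, and the upper classes and relations (`Asset`, `Threat`, `Vulnerability`, `Risk`, `Control`; `exploits`, `threatens`, `mitigates`, `affects`) are an assumed layout, not the paper's published model.

```python
import math
import re
from collections import Counter

# Constructed sample corpus (not the standard's wording); keys name the control family.
DOCS = {
    "access_control": "Access to information and assets shall be restricted to authorised users. "
                      "Access rights are reviewed regularly to limit the risk of unauthorised access.",
    "backup": "Backup copies of information shall be taken and tested regularly. "
              "Backup media are stored off-site to limit the risk of information loss.",
    "malware": "Protection against malware shall be implemented. Malware detection "
               "controls are combined with user awareness to limit the risk of infection.",
}
STOPWORDS = {"to", "and", "of", "the", "are", "is", "be", "a", "with", "against"}

def tokenize(text):
    """Lower-case alphabetic tokens with stopwords removed."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if t not in STOPWORDS]

def idf_scores(docs):
    """Inverse document frequency log(N/df): a term found in every document scores 0."""
    n = len(docs)
    df = Counter(t for text in docs.values() for t in set(tokenize(text)))
    return {t: math.log(n / d) for t, d in df.items()}

def tfidf_scores(docs):
    """TF-IDF per document, with tf normalised by document length."""
    idf = idf_scores(docs)
    out = {}
    for name, text in docs.items():
        toks = tokenize(text)
        out[name] = {t: (c / len(toks)) * idf[t] for t, c in Counter(toks).items()}
    return out

def candidate_concepts(docs, top_k=2):
    """Keep each family's top_k TF-IDF terms as candidate concepts; vocabulary shared by
    all control texts ('shall', 'risk', 'limit') has idf 0 and is filtered out."""
    cands = {}
    for name, sc in tfidf_scores(docs).items():
        ranked = sorted(((s, t) for t, s in sc.items() if s > 0), reverse=True)
        cands[name] = [t for _, t in ranked[:top_k]]
    return cands

def to_owl_turtle(candidates, base="http://example.org/isrm#"):
    """Emit an OWL skeleton in Turtle: assumed ISRM upper classes and relations, plus each
    extracted term as a Control subclass annotated with its control family."""
    lines = [f"@prefix : <{base}> .", "@prefix owl: <http://www.w3.org/2002/07/owl#> .",
             "@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> ."]
    lines += [f":{c} a owl:Class ." for c in ("Asset", "Threat", "Vulnerability", "Risk", "Control")]
    for p, d, r in (("exploits", "Threat", "Vulnerability"), ("threatens", "Threat", "Asset"),
                    ("mitigates", "Control", "Risk"), ("affects", "Risk", "Asset")):
        lines.append(f":{p} a owl:ObjectProperty ; rdfs:domain :{d} ; rdfs:range :{r} .")
    for family, terms in candidates.items():
        for t in terms:
            lines.append(f':{t.capitalize()} a owl:Class ; rdfs:subClassOf :Control ; '
                         f'rdfs:comment "family: {family}" .')
    return "\n".join(lines)
```

The Turtle output can be opened in Protégé and checked with a reasoner such as FaCT++ in the way the abstract describes; the TF-IDF stage here is deliberately minimal so the filtering effect on shared vocabulary is visible.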

Keywords:

ISRM, ISO 27002, ONTOLOGY, TF-IDF, OWL, UML



How to Cite

[1]
Y. El Marzak, L. Moudoubah, A. Chahid, S. Faris, and K. Mansouri, “Designing an Ontology-Based Framework for ISO 27002-Based Information Security Risk Management”, Eng. Technol. Appl. Sci. Res., vol. 16, no. 1, pp. 31741–31747, Feb. 2026.
