Here is a question on how to write good risk statements using the known ISO risk components from ISO 27005, Annex D (Threat, Vulnerability).
Various articles (e.g. ISACA) highlight a risk statement based on the formula:
[Event that has an effect on objectives] caused by [cause/s] resulting in [consequence/s].
Can that, in the ISO world, be translated into:
Threat (that has an effect on objectives) caused by a vulnerability, resulting in a business consequence. So taking 27005, Annex D, the first row in the table, the risk statement would be: There is a risk of "breach of information system maintainability" due to "insufficient maintenance installation of storage media." This may lead to XWY.
Or is it the other way round, that the risk is the "vulnerability"?