The vulnerability concept is quite common in information security modeling, as our comparison with multiple ontologies showed. However, the ISO 27001 standard did not explicitly mention it. To support this phase, the vulnerability concept should be added to the metamodel so that it can be instantiated, just as the threat concept can be.