Unified and formal knowledge models of the information security domain are fundamental requirements for supporting and enhancing existing risk management approaches. This paper describes a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual also concrete knowledge of the considered organization is incorporated. An evaluation conducted by an information security expert team has shown that this knowledge model can be used to support a broad range of information security risk management approaches. Categories and Subject Descriptors I.2.4 [Knowledge Representation Formalisms and Methods]: Representations (procedural and rule-based) General Terms Security Keywords Security ontology, information security, risk management