Assurance is a de-facto requirement in modern information systems (IS). The diversity and complexity of emerging IS underlines the lack of a common way of security knowledge representation. In the paper we set the foundations for establishing a knowledge-based, ontology-centric framework with respect to the security management of an IS; we present a knowledge-rich structure, which can model the security requirements of an enterprise IT environment from a variety of information sources, exploiting process-based risk management frameworks which are applied in modern organizations. We define our overall security management framework and implement critical components such as countermeasure refinement. Our approach is represented in a neutral manner and can be used for security knowledge reusability and exchange.