
CWE (Common Weakness Enumeration)

Reviewed by: Cenedril Editorial

CWE (Common Weakness Enumeration) is a community-developed catalog of software and hardware weakness types maintained by the MITRE Corporation. Unlike CVE, which identifies individual vulnerabilities in specific products, CWE describes categories of weaknesses, e.g., CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), or CWE-287 (Improper Authentication). Each entry has a stable ID, a description and typical mitigations, and the entries are arranged in a hierarchy from broad classes down to specific variants.

In an ISMS context, CWE supports secure software development under ISO/IEC 27001:2022 Annex A controls A.8.25 (secure development life cycle) and A.8.28 (secure coding). Development teams can use CWE categories to address common error sources systematically: as a checklist in code reviews, as the curriculum for developer training, and as the rule set enabled in SAST tools, most of which tag each finding with a CWE ID. The annually published CWE Top 25 (Most Dangerous Software Weaknesses) provides a priority list; a practical check is whether your tooling and review guidelines cover every entry on the current list. Together with CVE and CVSS, CWE forms a triad for vulnerability management: CWE classifies the weakness type, CVE identifies the specific vulnerability instance in a product, and CVSS rates its severity. Because CVE records (for example in the NVD) carry CWE mappings, the CWE distribution of your own findings and of the CVEs affecting your dependencies shows which weakness classes your development process fails to prevent.
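To make the difference between a weakness category and a specific vulnerability concrete, here is an added example (not code from the glossary page or from Cenedril): two of the CWE entries named above, CWE-89 and CWE-79, each shown as a weak function beside its fixed form. The `users` table, the names and the attack inputs are constructed for this demo; any real instance of either weakness in a product would be what gets a CVE ID.

```python
"""
Added example: what CWE-89 (SQL Injection) and CWE-79 (Cross-Site Scripting)
look like in code. Each weak function is paired with its fixed form. The
in-memory user table and the attack inputs below are constructed for the demo.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# CWE-89: the query is assembled from untrusted input by string formatting,
# so the input can change the structure of the SQL statement.
def find_user_weak(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Fixed form: a parameterized query. The driver passes the value separately
# from the statement, so the input can only ever be compared as data.
def find_user_fixed(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# CWE-79: untrusted input is interpolated into HTML without encoding,
# so markup in the input is rendered by the browser.
def greeting_weak(name: str) -> str:
    return f"<p>Hello, {name}!</p>"


# Fixed form: context-appropriate output encoding for an HTML text node
# (html.escape also escapes quotes, which matters inside attributes).
def greeting_fixed(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def demo() -> dict:
    """Runs both weak/fixed pairs against constructed attack inputs."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"          # constructed CWE-89 probe
    xss_payload = "<script>alert(1)</script>"  # constructed CWE-79 probe
    return {
        "sqli_weak_rows": find_user_weak(conn, sqli_payload),
        "sqli_fixed_rows": find_user_fixed(conn, sqli_payload),
        "xss_weak_html": greeting_weak(xss_payload),
        "xss_fixed_html": greeting_fixed(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak SQL function returns every row for the probe string because the quote in the input closes the literal and the `OR '1'='1'` is parsed as part of the statement; the parameterized version returns nothing, since no user is literally named `x' OR '1'='1`. A SAST rule for CWE-89 flags exactly the pattern in `find_user_weak` (untrusted data reaching `execute` through string formatting), which is why CWE IDs make a useful bridge between a tool finding, a review checklist item and a training topic.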