AuditXYZ

Risk Register: Definition, Examples, and Templates

Risk Register

A risk register is a structured record of an organization's identified information security risks. It serves as the central artifact in any risk management process and is a mandatory component of an ISO 27001 Information Security Management System. Auditors will review your risk register during certification audits to verify that risks are identified, assessed, and treated systematically.

What a Risk Register Contains

A well-structured risk register typically includes the following fields for each identified risk:

  • Risk ID — A unique identifier for tracking
  • Risk description — A clear statement of the threat, vulnerability, and potential impact
  • Risk owner — The person accountable for managing the risk
  • Asset affected — The information asset, system, or process at risk
  • Likelihood — The probability of the risk materializing (often rated 1-5)
  • Impact — The severity of consequences if the risk materializes (often rated 1-5)
  • Inherent risk score — Likelihood multiplied by impact, before controls
  • Current controls — Existing measures that mitigate the risk
  • Residual risk score — Risk level after accounting for current controls
  • Treatment decision — Mitigate, transfer, accept, or avoid
  • Treatment plan — Specific actions to further reduce the risk
  • Status — Open, in treatment, accepted, or closed
  • Review date — When the risk will next be reassessed
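As an added example that is not part of the original page, the following Python script checks a small risk register exported as CSV against the fields above: it computes inherent and residual scores on the 5x5 matrix, validates the treatment and status values, and flags risks whose residual score is below the inherent score with no current controls recorded, or whose review date is missing, overdue, or scheduled more than a quarter away. The column names, the three sample risks, and the assessment date are constructed assumptions, not data from any real register.

```python
import csv
from datetime import date

TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}
STATUSES = {"open", "in treatment", "accepted", "closed"}

# Constructed sample register using the fields listed above (hypothetical risks).
SAMPLE_CSV = """\
risk_id,description,owner,asset,likelihood,impact,controls,res_likelihood,res_impact,treatment,status,review_date
R-001,Phishing leads to credential theft,CISO,Email,4,4,MFA and awareness training,2,4,mitigate,in treatment,2024-12-01
R-002,Backup media lost in transit,IT Manager,Offsite backups,2,5,,1,5,transfer,accepted,2024-03-01
R-003,Vendor breach exposes customer data,Procurement,CRM,3,5,,3,5,mitigate,open,
"""
ASSESSMENT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run

def score(likelihood, impact):
    """Risk score on the 5x5 matrix: likelihood x impact, each rated 1-5."""
    lik, imp = int(likelihood), int(impact)
    if not (1 <= lik <= 5 and 1 <= imp <= 5):
        raise ValueError(f"rating out of range: {lik} x {imp}")
    return lik * imp

def assess(row, today, max_interval_days=90):
    """Score one risk and collect the consistency findings an auditor would raise."""
    findings = []
    inherent = score(row["likelihood"], row["impact"])
    residual = score(row["res_likelihood"], row["res_impact"])
    if residual > inherent:
        findings.append("residual score exceeds inherent score")
    if residual < inherent and not row["controls"].strip():
        findings.append("residual below inherent but no current controls recorded")
    if row["treatment"].lower() not in TREATMENTS:
        findings.append(f"unknown treatment decision '{row['treatment']}'")
    if row["status"].lower() not in STATUSES:
        findings.append(f"unknown status '{row['status']}'")
    if not row["review_date"]:
        findings.append("no review date set")
    else:
        days = (date.fromisoformat(row["review_date"]) - today).days
        if days < 0:
            findings.append(f"review overdue by {-days} days")
        elif days > max_interval_days:  # quarterly at minimum
            findings.append("next review scheduled more than a quarter out")
    return {"risk_id": row["risk_id"], "inherent": inherent, "residual": residual, "findings": findings}

def review_register(csv_text, today=ASSESSMENT_DATE):
    """Assess every row of a CSV register; results sorted by residual score, highest first."""
    results = [assess(row, today) for row in csv.DictReader(csv_text.splitlines())]
    return sorted(results, key=lambda r: r["residual"], reverse=True)
```

Run `review_register(SAMPLE_CSV)` to get the scored rows; each finding corresponds to one of the common mistakes or inconsistencies an auditor would raise.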

Why It Matters

The risk register is not just a compliance checkbox — it is the backbone of risk-based security decision-making. Without one, security investments are driven by gut feeling, vendor marketing, or the loudest voice in the room. A well-maintained risk register ensures that resources are directed at the risks that matter most.

For ISO 27001, the risk register directly informs your Statement of Applicability. Each Annex A control you select (or exclude) should trace back to risks identified in the register. Auditors verify this traceability.

Common Mistakes

Overcomplicating the methodology. A simple 5x5 likelihood-impact matrix works for most organizations. Do not build a quantitative Monte Carlo model for your first risk assessment.

Setting and forgetting. Risk registers require regular review — quarterly at minimum, and whenever significant changes occur in your environment. Stale risk registers are a common audit finding.

Treating it as an IT exercise. Information security risks span the entire organization. Include risks related to people, processes, physical security, and third parties — not just technology.

Tools for Managing Risk Registers

Spreadsheets work for small organizations but become unwieldy beyond 50-100 risks. Compliance automation platforms like Vanta and Drata include built-in risk management modules that link risks directly to controls and evidence.
