What is a risk register?
An ISMS risk register is a structured record of an organisation's information security risks and forms the backbone of a successful information security management system (ISMS).
A risk register lists a set of risks, each with a risk score, a method of dealing with the risk, and a risk owner within the organisation. Risks are tracked on an ongoing basis by the organisation's management team in review meetings.
A risk register documents how your organisation has dealt with risk over time and, hopefully, how risk has been reduced through this process.
For ISO 27001 compliance, a risk register is a mandatory document, so it is critical for businesses to create one.
ISMS Risk Register Template
The following fields should be included in your risk register and can be used as a starting point or template for creating your own. It's worth noting that this is not an exhaustive, all-encompassing list: there may be industry- or organisation-specific factors that you have to consider, but it is a good starting point.
Your risk register should contain the following:
- Risk name – This should be clear and should not create any doubt or overlap with other risks.
- Risk description – The description should provide a succinct and clear definition of the risk, pitched at a level relevant to the management team reviewing it.
- Risk likelihood – All organisations face risks, whether internal or external, so this should provide a realistic estimate of how likely the risk is to occur. You can use a 1-5 scale for this.
- Risk impact – This section concerns the level of impact on your organisation should the risk occur. Again, you can use a 1-5 scale for this.
- Risk controls – What controls are currently in place to prevent the risk, or to mitigate it should it occur.
- Risk owner – Who, within the management team or the wider organisation, is responsible for this risk?
- Risk status – This should record the current status of the risk and be kept up to date on an ongoing basis.
As well as recording these fields, organisations can also use a risk matrix, which plots the likelihood of a risk occurring (risk likelihood above) against its impact (risk impact above).
In a matrix like this, risks are assigned a priority as follows:
- Low impact and low likelihood – These are considered low-priority.
- Low impact but high likelihood – These are considered medium-priority.
- High impact but low likelihood – These are considered medium-priority.
- High impact and high likelihood – These are considered high-priority.
ISMS Risk Register Example
In practical terms, a spreadsheet such as Excel is a convenient format in which to create and maintain a risk register. Organisations should assign a column to each of the seven fields listed above, with each risk occupying a separate row.
To maintain the risk register effectively, management should use it to review the organisation's information security risks consistently, updating it on an ongoing basis and using it to track how the identified risks have been dealt with.
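The following is an added example, not code from the original page or from Hicomply, showing the seven fields above as a small data structure, the likelihood/impact matrix applied to each entry, and a spreadsheet-friendly CSV export. It assumes (this is not stated on the page) that a value of 3 or above on the 1-5 scale counts as "high" on either axis, and it uses likelihood times impact as a score only to order risks within a priority band. The sample entries are constructed for illustration.

```python
"""Added example: a minimal ISMS risk register with a likelihood x impact matrix.

Assumptions (not from the original page): on the 1-5 scale a value of 3 or
above counts as "high", and likelihood * impact is used only to order risks
within a priority band.
"""
from dataclasses import dataclass
import csv
import io

HIGH_THRESHOLD = 3  # assumption: 3, 4 and 5 on the 1-5 scale count as "high"

# The seven fields the register should contain, in the order listed on the page.
COLUMNS = ["name", "description", "likelihood", "impact", "controls", "owner", "status"]


def prioritise(likelihood: int, impact: int) -> str:
    """Apply the matrix: both high -> high, exactly one high -> medium, neither -> low."""
    high_likelihood = likelihood >= HIGH_THRESHOLD
    high_impact = impact >= HIGH_THRESHOLD
    if high_likelihood and high_impact:
        return "high"
    if high_likelihood or high_impact:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Risk:
    name: str
    description: str
    likelihood: int
    impact: int
    controls: str
    owner: str
    status: str

    def __post_init__(self) -> None:
        # Reject anything outside the 1-5 scale so a typo cannot skew the matrix.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{self.name!r}: {label} must be an integer 1-5, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        return prioritise(self.likelihood, self.impact)


def build_register(risks):
    """Reject duplicate names (the page asks that names do not overlap) and
    return the risks ordered high -> medium -> low, then by score descending."""
    seen = set()
    for risk in risks:
        key = risk.name.strip().lower()
        if key in seen:
            raise ValueError(f"duplicate risk name: {risk.name!r}")
        seen.add(key)
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(risks, key=lambda r: (rank[r.priority], -r.score, r.name))


def to_csv(register) -> str:
    """Export the seven fields plus the derived score and priority as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS + ["score", "priority"], lineterminator="\n")
    writer.writeheader()
    for risk in register:
        row = {column: getattr(risk, column) for column in COLUMNS}
        row["score"] = risk.score
        row["priority"] = risk.priority
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample entries (hypothetical owners and controls) for illustration only.
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing servers", "Known vulnerabilities in exposed services", 4, 5,
         "Monthly patch cycle; external vulnerability scans", "Head of IT", "Open"),
    Risk("Lost or stolen laptop", "Device leaves the building holding local data", 3, 2,
         "Full-disk encryption; remote wipe", "IT Operations Manager", "Mitigated"),
    Risk("Phishing leading to credential theft", "Staff enter credentials on a fake login page", 5, 4,
         "MFA on all accounts; awareness training; mail filtering", "CISO", "Open"),
    Risk("Server room flood", "Water ingress damages on-premises hardware", 1, 4,
         "Off-site backups; raised floor", "Facilities Manager", "Accepted"),
    Risk("Unescorted visitor views printout", "Visitor reads a document left on a printer", 2, 1,
         "Clear-desk policy; escorted visitors", "Office Manager", "Closed"),
]

if __name__ == "__main__":
    print(to_csv(build_register(SAMPLE_RISKS)))
```

Running the block prints the register as CSV, ready to paste into a spreadsheet; the ordering puts the high-priority rows at the top so a review meeting sees them first, and the duplicate-name check enforces the "no overlap" rule from the field list.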
To learn more about ISMS and ISO 27001 implementation with Hicomply; read about the Top 10 Benefits of Implementing An ISMS or ISO 27001.