
ISMS Risk Register

What is a risk register?

An ISMS risk register is a way to categorise information security risks and forms the backbone of a successful information security management system (ISMS).

A risk register includes a set of risks, each given a risk score, a method of dealing with the risk, and a risk owner within the organisation. Risks are tracked on an ongoing basis by an organisation’s management team in review meetings.

A risk register documents how your organisation has dealt with risk over time and, hopefully, how risk has been reduced through this process.

For ISO 27001 compliance, a risk register is a mandatory document, so it is critical for businesses to create one.

ISMS Risk Register Template

The following considerations should be included in your risk register, and can be used as a starting point or template for creating your own. It’s worth noting that this is not an exhaustive, all-encompassing list of risks; there may be industry- or organisation-specific factors that you have to consider, but it is a good starting point.

Your risk register should contain the following:

  1. Risk name – This should be clear and not create any doubt or overlap with other risks.
  2. Risk description – The description should provide a succinct and clear definition of the risk, pitched at a level relevant to the management team reviewing it.
  3. Risk likelihood – All organisations have risks, either internal or external, so this should provide a realistic estimate of the risk’s likelihood of occurring. You can use a 1-5 scale for this.
  4. Risk impact – This section concerns the level of impact on your organisation, should the risk occur. Again, you can use a 1-5 scale for this.
  5. Risk controls – What controls are currently in place to prevent the risk, or to mitigate the risk, should it occur.
  6. Risk owner – Who, within the management team or wider organisation, is responsible for this risk?
  7. Risk status – This should cover the current status of this risk on an ongoing basis.

As well as considering these factors, organisations can also use a risk matrix tool, which plots the likelihood of a risk occurring (point 3 above) against its impact (point 4 above).

In a matrix like this, risks are categorised on a sliding scale as follows:

  • Low impact and low likelihood – These are considered low-priority.
  • Low impact but high likelihood – These are considered medium-priority.
  • High impact but low likelihood – These are considered medium-priority.
  • High impact and high likelihood – These are considered high-priority.

ISMS Risk Register Example

In practical terms, an Excel spreadsheet is a perfectly adequate format in which to create and maintain a risk register. Organisations should assign a column to each of the seven categories listed above, with each risk occupying a separate row.
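The seven columns, the 1-5 likelihood and impact scales, the four-bucket priority matrix and the one-row-per-risk spreadsheet layout described above can be expressed as a small data structure. The following is an added illustration, not code from this page or from Hicomply. The page does not say where on a 1-5 scale "low" ends and "high" begins, so the threshold used here (a rating of 3 or more counts as high) is an assumption, and the sample risks, owners and controls are constructed for the example.

```python
"""Minimal ISMS risk register with the seven fields listed on the page.

Added example, not the page's or Hicomply's own code. The 1-5 scales and the
four-bucket priority matrix follow the text; HIGH_THRESHOLD and the sample
entries are assumptions made for this illustration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

HIGH_THRESHOLD = 3  # assumption: a 1-5 rating of 3 or more counts as "high"


@dataclass
class Risk:
    name: str          # 1. unique, unambiguous name
    description: str   # 2. succinct definition pitched at the management team
    likelihood: int    # 3. realistic estimate on a 1-5 scale
    impact: int        # 4. impact on the organisation on a 1-5 scale
    controls: str      # 5. controls in place to prevent or mitigate the risk
    owner: str         # 6. person accountable for the risk
    status: str = "open"  # 7. current status, updated at each review

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-5 scale so the register stays comparable.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be on a 1-5 scale, got {value}")

    @property
    def score(self) -> int:
        # Likelihood x impact gives the sliding scale used to rank risks.
        return self.likelihood * self.impact

    @property
    def priority(self) -> str:
        # The page's four buckets: both low -> low, one high -> medium, both high -> high.
        high_likelihood = self.likelihood >= HIGH_THRESHOLD
        high_impact = self.impact >= HIGH_THRESHOLD
        if high_likelihood and high_impact:
            return "high"
        if high_likelihood or high_impact:
            return "medium"
        return "low"


class RiskRegister:
    # One column per field, plus the two derived values reviewers sort by.
    COLUMNS = ["name", "description", "likelihood", "impact",
               "controls", "owner", "status", "score", "priority"]

    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # Names must not overlap (point 1), so a duplicate is an error rather than a silent overwrite.
        if risk.name in self.risks:
            raise ValueError(f"duplicate risk name: {risk.name}")
        self.risks[risk.name] = risk

    def update_status(self, name: str, status: str) -> None:
        # Status is the field that changes between review meetings.
        self.risks[name].status = status

    def ranked(self) -> list[Risk]:
        # Highest score first; ties broken by name for a stable review order.
        return sorted(self.risks.values(), key=lambda r: (-r.score, r.name))

    def to_csv(self) -> str:
        # One row per risk, one column per field: the spreadsheet layout from the page.
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=self.COLUMNS)
        writer.writeheader()
        for risk in self.ranked():
            writer.writerow({col: getattr(risk, col) for col in self.COLUMNS})
        return buf.getvalue()


def sample_register() -> RiskRegister:
    # Constructed sample entries; owners and controls are placeholders.
    reg = RiskRegister()
    reg.add(Risk("Phishing of staff", "Credential compromise via phishing email",
                 4, 4, "Awareness training, MFA, mail filtering", "Head of IT"))
    reg.add(Risk("Office flooding", "Loss of on-site servers due to flooding",
                 1, 5, "Off-site backups", "Facilities Manager"))
    reg.add(Risk("Laptop theft", "Laptop stolen from an employee",
                 3, 2, "Full-disk encryption, asset register", "Head of IT", "mitigated"))
    reg.add(Risk("Print jobs left in tray", "Documents left on a shared printer",
                 2, 1, "Pull printing", "Office Manager"))
    return reg


if __name__ == "__main__":
    print(sample_register().to_csv())
```

Running the script prints the register as CSV, ranked by score, which can be opened directly in a spreadsheet; the `priority` column reproduces the four-bucket matrix so a reviewer can see at a glance which rows belong in the next management review.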

To maintain a risk register effectively, management should use it to review the organisation’s information security risks consistently, updating it on an ongoing basis and using it to track how the identified risks have been dealt with.

To learn more about ISMS and ISO 27001 implementation with Hicomply, read about the Top 10 Benefits of Implementing An ISMS or ISO 27001.
