What Is a Risk Register in ISO 27001?
A risk register is a structured document that records all identified information security risks, their assessment scores, assigned owners, treatment decisions, and current status. It is the operational output of your risk assessment process and one of the most scrutinized documents during certification audits.
Under ISO 27001:2022, Clause 6.1.2 requires you to apply an information security risk assessment process that identifies risks, analyzes them, and evaluates them. Clause 6.1.3 requires you to determine appropriate risk treatment options. Your risk register is where all of this is recorded and maintained.
Essential Risk Register Columns
A well-structured risk register needs these columns at minimum:
Identification
| Column | Description | Example |
|---|---|---|
| Risk ID | Unique identifier | RISK-001 |
| Title | Short descriptive name | Unauthorized access to customer database |
| Description | Detailed risk description | An attacker gains unauthorized access to the production customer database through compromised credentials or unpatched vulnerabilities |
| Category | Risk category | Access Control |
| Asset | Affected asset | Customer database (PostgreSQL) |
| Threat | What could go wrong | External attacker, malicious insider |
| Vulnerability | What weakness enables the threat | Weak password policy, missing MFA, unpatched database |
Assessment
| Column | Description | Example |
|---|---|---|
| Inherent Likelihood | Likelihood before controls (1-5) | 4 (Likely) |
| Inherent Impact | Impact before controls (1-5) | 5 (Critical) |
| Inherent Risk Score | Likelihood x Impact | 20 (Critical) |
| Existing Controls | Controls already in place | Firewall, basic authentication, quarterly patching |
| Control Effectiveness | How effective are existing controls (1-5) | 2 (Partially effective) |
| Residual Likelihood | Likelihood after controls (1-5) | 3 (Possible) |
| Residual Impact | Impact after controls (1-5) | 5 (Critical) |
| Residual Risk Score | Residual L x Residual I | 15 (High) |
Treatment
| Column | Description | Example |
|---|---|---|
| Treatment Decision | Accept, mitigate, transfer, avoid | Mitigate |
| Treatment Plan | What actions will reduce the risk | Implement MFA, deploy database activity monitoring, increase patching to monthly |
| Risk Owner | Person accountable for the risk | CTO |
| Treatment Owner | Person responsible for treatment actions | Security Engineer |
| Due Date | When treatment must be completed | 2026-06-30 |
| Status | Current status | In Progress |
Review
| Column | Description | Example |
|---|---|---|
| Last Review Date | When the risk was last reviewed | 2026-03-15 |
| Next Review Date | When the risk should be reviewed again | 2026-06-15 |
| Notes | Additional context or updates | MFA implementation 60% complete, on track for deadline |
How to Score Risks
Likelihood Scale
| Level | Label | Description |
|---|---|---|
| 1 | Rare | Could occur in exceptional circumstances (less than once in 5 years) |
| 2 | Unlikely | Could occur but not expected (once in 2-5 years) |
| 3 | Possible | Might occur at some point (once per year) |
| 4 | Likely | Will probably occur in most circumstances (multiple times per year) |
| 5 | Almost Certain | Expected to occur frequently (monthly or more) |
Impact Scale
| Level | Label | Financial | Operational | Reputational |
|---|---|---|---|---|
| 1 | Negligible | < $1,000 | No disruption | No external awareness |
| 2 | Minor | $1,000 - $10,000 | Hours of disruption | Limited local awareness |
| 3 | Moderate | $10,000 - $100,000 | Days of disruption | Industry awareness |
| 4 | Major | $100,000 - $1M | Weeks of disruption | National media coverage |
| 5 | Critical | > $1M | Extended outage | International media, regulatory action |
Risk Matrix
| Impact 1 | Impact 2 | Impact 3 | Impact 4 | Impact 5 | |
|---|---|---|---|---|---|
| Likelihood 5 | 5 Medium | 10 High | 15 High | 20 Critical | 25 Critical |
| Likelihood 4 | 4 Low | 8 Medium | 12 High | 16 Critical | 20 Critical |
| Likelihood 3 | 3 Low | 6 Medium | 9 Medium | 12 High | 15 High |
| Likelihood 2 | 2 Low | 4 Low | 6 Medium | 8 Medium | 10 High |
| Likelihood 1 | 1 Low | 2 Low | 3 Low | 4 Low | 5 Medium |
Risk Treatment Options
For each risk above your risk appetite threshold, choose a treatment option:
Mitigate (Modify): Implement additional controls to reduce likelihood or impact. This is the most common treatment option.
Transfer (Share): Transfer the risk to a third party, typically through insurance or outsourcing to a specialist provider. Note: you transfer the financial impact, not the accountability.
Avoid (Terminate): Eliminate the risk by stopping the activity that creates it. Example: if processing a certain type of sensitive data creates unacceptable risk, stop collecting that data.
Accept (Retain): Accept the risk without additional treatment because it falls within your risk appetite. Document the rationale and get formal approval from the risk owner.
Maintaining Your Risk Register
Your risk register is a living document. Schedule regular reviews:
- Monthly: Review risks rated Critical and High
- Quarterly: Review all risks and treatment progress
- Annually: Full risk reassessment
- Event-driven: After security incidents, major changes, or new threats
Each review should be documented in your audit trail.
Use a Professional Risk Management Tool
Managing a risk register in Excel works for small organizations, but it quickly becomes unwieldy as your risk count grows. The Risk Assessment tool on iso27001kit.com provides a structured risk assessment workflow with automated scoring and a built-in risk matrix.
For organizations ready for a full risk management platform, the Risk Manager offers a complete risk register with treatment tracking, control mapping, and audit trail capabilities.
The ISO 27001 Document Pack includes a professionally formatted Risk Register Template in Excel format, ready to customize for your organization.
Start your risk assessment now - free
Found this article helpful?
Share it with your colleagues.
