Risk Register Template (Excel)
Multi-sheet ISO 27001 risk register with scoring matrix. First sheet preview only - extra sheets unlock with the pack.
Excel workbook preview
ISO 27001 Risk Register - workbook walkthrough
A 7-sheet Excel workbook for running the full ISO 27001:2022 risk process: instructions, live dashboard, the main risk register, 5x5 matrix and legends, reference drop-down lists, Annex A control library and a treatment plan tracker. Below is a sheet-by-sheet preview of what's actually inside the file.
Instructions
Read-first sheet that explains how the workbook is structured, what each tab is for, and the recommended completion order.
- Tab-by-tab description of the workbook
- Recommended completion order
- Notes on document control and review
| | A | B |
|---|---|---|
| 1 | Section | Description |
| 2 | 1. Instructions | This sheet - read first. |
| 3 | 2. Dashboard | Live summary view of risks once entries are added. |
| 4 | 3. Risk Register | Main working sheet. Add one row per identified risk. |
| 5 | 4. Risk Matrix & Legends | 5x5 likelihood x impact matrix and scoring legends. |
| 6 | 5. Reference Lists | Drop-down source lists. Update only if your scheme changes. |
| 7 | 6. Annex A Controls | ISO 27001:2022 Annex A control reference (93 controls). |
| 8 | 7. Treatment Plan | Treatment actions tracker linked to the register by Risk ID. |
Dashboard
Document control block plus a live overview of total, extreme and high risks, open treatments and the inherent vs residual count by level - all driven by formulas off the Risk Register.
- Document control: owner, approver, version, classification
- KPI tiles for total / extreme / high / open / overdue
- Inherent vs Residual count per risk level
| | A | B | C | D |
|---|---|---|---|---|
| 1 | Metric | Formula / Value | Interpretation | Status |
| 2 | Total risks | 8 | Total active risk lines in the register | Review |
| 3 | Extreme inherent risks | 2 | Requires urgent treatment and escalation | Review |
| 4 | High inherent risks | 6 | Treatment actions should be planned | Monitor |
| 5 | Open treatment actions | 8 | Open, in-progress or pending treatment actions | Monitor |
| 6 | Overdue actions | 0 | Actions past due date and not closed | OK |
| 7 | Accepted residual risks | 0 | Residual risks formally accepted by the owner | Monitor |
Risk Register
The main working sheet. One row per identified risk with 30 columns covering identification, scoring (inherent and residual), treatment and review. Inherent and residual scores and levels are computed by formula.
- 8 sample risks pre-populated, ready to edit
- 30 columns from Risk ID through Review Date and Notes
- Inherent / Residual Score and Level calculated by formula
| | A | B | C | D | E | F | G | H | I |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Risk ID | Business Process | Asset | Threat | L | I | Score | Level | Treatment |
| 2 | R-001 | Identity and Access Management | Cloud admin console | Credential compromise | 4 | 5 | 20 | Extreme | Reduce |
| 3 | R-002 | Endpoint Management | Employee laptops | Lost or stolen device | 3 | 4 | 12 | High | Reduce |
| 4 | R-003 | Vulnerability Management | Internet-facing application | Exploitation of known vulnerability | 4 | 4 | 16 | Extreme | Reduce |
| 5 | R-004 | Supplier Management | Critical SaaS provider | Third-party service outage | 3 | 5 | 15 | High | Share / Reduce |
| 6 | R-005 | Backup and Recovery | Production database backups | Backup failure or restore failure | 3 | 5 | 15 | High | Reduce |
| 7 | R-006 | Security Monitoring | SIEM / logging platform | Delayed detection of incident | 3 | 4 | 12 | High | Reduce |
| 8 | R-007 | Human Resources Security | Employee lifecycle records | Access retained after role change | 3 | 4 | 12 | High | Reduce |
Risk Matrix & Legends
Defines the 5x5 likelihood x impact matrix plus the rating, likelihood and impact legends used across the workbook.
- Score bands: 1-4 Low, 5-9 Moderate, 10-15 High, 16-25 Extreme
- Full Likelihood scale (Rare -> Almost Certain) with examples
- Full Impact scale (Insignificant -> Critical) with examples
| | A | B | C | D | E | F |
|---|---|---|---|---|---|---|
| 1 | Impact \ Likelihood | 1 | 2 | 3 | 4 | 5 |
| 2 | 5 Critical | 5 | 10 | 15 | 20 | 25 |
| 3 | 4 Major | 4 | 8 | 12 | 16 | 20 |
| 4 | 3 Moderate | 3 | 6 | 9 | 12 | 15 |
| 5 | 2 Minor | 2 | 4 | 6 | 8 | 10 |
| 6 | 1 Insignificant | 1 | 2 | 3 | 4 | 5 |
Risk heat map: count of register risks per matrix cell, rows 5 Catastrophic / 4 Major / 3 Moderate / 2 Minor / 1 Insignificant against columns 1 Rare / 2 Unlikely / 3 Possible / 4 Likely / 5 Certain (individual cell counts are not recoverable from this preview).
Reference Lists
Source lists for the workbook's drop-downs: Classification, Asset Category, CIA Impact Area, Treatment Option, Implementation Status, Residual Accepted and Risk Levels.
- Keeps the Risk Register consistent
- Update only if your classification scheme changes
- Backs every drop-down on the Risk Register
| | A | B | C | D |
|---|---|---|---|---|
| 1 | Classification | Asset Category | CIA Impact Area | Treatment Option |
| 2 | Public | Information Asset | Confidentiality | Reduce |
| 3 | Internal | Application | Integrity | Accept |
| 4 | Confidential | Cloud Service | Availability | Avoid |
| 5 | Restricted | Database / Storage | Confidentiality; Integrity | Share / Transfer |
| 6 | | Endpoint | Confidentiality; Availability | Share / Reduce |
| 7 | | Network / Supplier / People / Process | Integrity; Availability | |
Annex A Controls
ISO/IEC 27001:2022 Annex A control reference list. Used to tag each risk with the relevant Annex A controls on the register.
- All 93 Annex A:2022 controls pre-loaded
- Includes Theme, Control Type and Cybersecurity Concept
- Typical Policy / Evidence Link column for each control
| | A | B | C | D | E |
|---|---|---|---|---|---|
| 1 | Control ID | Theme | Control Name | Control Type | Cybersecurity Concept |
| 2 | A.5.1 | Organizational | Policies for information security | Preventive | Identify, Protect |
| 3 | A.5.7 | Organizational | Threat intelligence | Preventive, Detective, Corrective | Identify, Detect, Respond |
| 4 | A.5.15 | Organizational | Access control | Preventive | Protect |
| 5 | A.6.3 | People | Awareness, education and training | Preventive | Protect |
| 6 | A.8.8 | Technological | Management of technical vulnerabilities | Preventive, Corrective | Identify, Protect |
| 7 | A.8.13 | Technological | Information backup | Corrective | Recover |
Treatment Plan
Tracks each treatment action linked to a risk on the register, with owner, target date, priority, status, evidence link and an effectiveness review marker.
- Linked to the register by Risk ID
- Treatment Option, Annex A Control(s), Priority and Status
- Effectiveness Review column for post-implementation check
| | A | B | C | D | E | F | G |
|---|---|---|---|---|---|---|---|
| 1 | Treatment ID | Risk ID | Option | Action Description | Target Date | Priority | Status |
| 2 | T-001 | R-001 | Reduce | Enforce MFA, privileged access review, document quarterly access review. | 2026-05-26 | High | In Progress |
| 3 | T-002 | R-003 | Reduce | Define vulnerability remediation SLA and scanning cadence. | 2026-06-25 | High | Open |
| 4 | T-003 | R-005 | Reduce | Perform backup restore test and document evidence. | 2026-05-26 | High | In Progress |
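The Risk Matrix & Legends, Dashboard and Treatment Plan sheets above all hang off the same arithmetic: Score = Likelihood x Impact on the 5x5 matrix, a score-to-level band lookup, and counts over the register and treatment rows. The script below re-implements that arithmetic so the workbook's formulas can be checked outside Excel. It is an added example, not the workbook's own formulas or code: the seven register rows and three treatment rows are taken from the preview tables, while the residual L / I values, the "Pending" and "Closed" statuses and the accepted flag on R-007 are assumptions (the preview shows only inherent scores and an 8th risk row is not visible, so the counts differ from the Dashboard tile values by that one row).

```python
# Added worked example: re-implements the risk register scoring and Dashboard
# arithmetic described on this page. Not the workbook's own formulas.
# Residual L/I values, the 'Pending'/'Closed' statuses and the accepted flag on
# R-007 are assumptions; inherent L/I and treatment rows come from the preview.
from dataclasses import dataclass
from datetime import date

# Score bands from the Risk Matrix & Legends sheet: (low, high, label)
BANDS = ((1, 4, "Low"), (5, 9, "Moderate"), (10, 15, "High"), (16, 25, "Extreme"))
SCALE = range(1, 6)  # both Likelihood and Impact run 1..5
# Statuses the Dashboard counts as open (Open, in-progress or pending); "Closed" is assumed
OPEN_STATUSES = {"Open", "In Progress", "Pending"}


def score(likelihood: int, impact: int) -> int:
    """Score = Likelihood x Impact, i.e. the 5x5 matrix cell value."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def level(s: int) -> str:
    """Map a 1..25 score onto Low / Moderate / High / Extreme."""
    for low, high, label in BANDS:
        if low <= s <= high:
            return label
    raise ValueError(f"score {s} is outside 1..25")


def matrix() -> dict:
    """The 5x5 matrix keyed [impact][likelihood], as laid out on the Risk Matrix sheet."""
    return {i: {l: score(l, i) for l in SCALE} for i in SCALE}


@dataclass
class Risk:
    risk_id: str
    threat: str
    inherent_l: int
    inherent_i: int
    residual_l: int        # assumed: the preview shows only inherent L / I
    residual_i: int
    residual_accepted: bool = False

    @property
    def inherent_level(self) -> str:
        return level(score(self.inherent_l, self.inherent_i))

    @property
    def residual_level(self) -> str:
        return level(score(self.residual_l, self.residual_i))


@dataclass
class Treatment:
    treatment_id: str
    risk_id: str
    target_date: date
    status: str


def heat_map(risks: list) -> dict:
    """Count of risks per matrix cell, keyed [impact][likelihood], using inherent scores."""
    cells = {i: {l: 0 for l in SCALE} for i in SCALE}
    for r in risks:
        cells[r.inherent_i][r.inherent_l] += 1
    return cells


def dashboard(risks: list, treatments: list, today: str) -> dict:
    """The Dashboard KPI tiles derived from the register; `today` is an ISO date string."""
    today_date = date.fromisoformat(today)
    inherent = [r.inherent_level for r in risks]
    residual = [r.residual_level for r in risks]
    open_actions = [t for t in treatments if t.status in OPEN_STATUSES]
    return {
        "Total risks": len(risks),
        "Extreme inherent risks": inherent.count("Extreme"),
        "High inherent risks": inherent.count("High"),
        "Open treatment actions": len(open_actions),
        # overdue = past the target date and not closed
        "Overdue actions": sum(t.target_date < today_date for t in open_actions),
        "Accepted residual risks": sum(r.residual_accepted for r in risks),
        "Inherent by level": {label: inherent.count(label) for _, _, label in BANDS},
        "Residual by level": {label: residual.count(label) for _, _, label in BANDS},
    }


# The seven register rows visible in the preview; residual L/I and the accepted flag are assumed.
SAMPLE_RISKS = [
    Risk("R-001", "Credential compromise", 4, 5, 2, 5),
    Risk("R-002", "Lost or stolen device", 3, 4, 2, 3),
    Risk("R-003", "Exploitation of known vulnerability", 4, 4, 2, 4),
    Risk("R-004", "Third-party service outage", 3, 5, 2, 5),
    Risk("R-005", "Backup failure or restore failure", 3, 5, 2, 4),
    Risk("R-006", "Delayed detection of incident", 3, 4, 2, 3),
    Risk("R-007", "Access retained after role change", 3, 4, 1, 4, residual_accepted=True),
]

# The three Treatment Plan rows from the preview.
SAMPLE_TREATMENTS = [
    Treatment("T-001", "R-001", date(2026, 5, 26), "In Progress"),
    Treatment("T-002", "R-003", date(2026, 6, 25), "Open"),
    Treatment("T-003", "R-005", date(2026, 5, 26), "In Progress"),
]

if __name__ == "__main__":
    for key, value in dashboard(SAMPLE_RISKS, SAMPLE_TREATMENTS, "2026-06-01").items():
        print(f"{key}: {value}")
```

Running it with a date before the first target date reproduces the preview's "Overdue actions: 0"; passing a later date (as in the `__main__` call) flips the two "In Progress" actions dated 2026-05-26 to overdue, which is the check worth repeating whenever a target date or status column is edited by hand.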
Unlock the full workbook
Buy just this template, or unlock the full ISO 27001 policy and template set in clean, editable Word format with the Document Pack for $99.
About this Risk Register Template (Excel)
The Risk Register Template (Excel) is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors.
Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to ISO 27001:2022
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Supports ISO 27001:2022 of ISO 27001:2022
- Contributes to the documented information required by clause 7.5
How to customise
- Insert your organisation name, scope, and document owner.
- Adapt scope statements and definitions to your environment.
- Align responsibilities with your actual roles and team structure.
- Approve, version, and publish via your document control process.
Evidence auditors may expect
- Approved and dated version of the document
- Evidence the document is communicated to relevant staff
- Records showing the controls described are actually performed
- Review history demonstrating the document is kept current
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Related ISO 27001 documents
Get the editable Risk Register Template (Excel)
Buy this template on its own for $39, or unlock the full Document Pack for $99 (one-time).
