
    Risk Register Template (Excel)

    Multi-sheet ISO 27001 risk register with scoring matrix. First sheet preview only - extra sheets unlock with the pack.

    ISO 27001 Risk Register - workbook walkthrough

    A 7-sheet Excel workbook for running the full ISO 27001:2022 risk process: instructions, live dashboard, the main risk register, 5x5 matrix and legends, reference drop-down lists, Annex A control library and a treatment plan tracker. Below is a sheet-by-sheet preview of what's actually inside the file.

    Sheet 1 of 7

    Instructions

    Read-first sheet that explains how the workbook is structured, what each tab is for, and the recommended completion order.

    • Tab-by-tab description of the workbook
    • Recommended completion order
    • Notes on document control and review

    | Section | Description |
    |---|---|
    | 1. Instructions | This sheet - read first. |
    | 2. Dashboard | Live summary view of risks once entries are added. |
    | 3. Risk Register | Main working sheet. Add one row per identified risk. |
    | 4. Risk Matrix & Legends | 5x5 likelihood x impact matrix and scoring legends. |
    | 5. Reference Lists | Drop-down source lists. Update only if your scheme changes. |
    | 6. Annex A Controls | ISO 27001:2022 Annex A control reference (93 controls). |
    | 7. Treatment Plan | Treatment actions tracker linked to the register by Risk ID. |

    Sheet 2 of 7

    Dashboard

    Document control block plus a live overview of total, extreme and high risks, open treatments and the inherent vs residual count by level - all driven by formulas off the Risk Register.

    • Document control: owner, approver, version, classification
    • KPI tiles for total / extreme / high / open / overdue
    • Inherent vs Residual count per risk level

    | Metric | Formula / Value | Interpretation | Status |
    |---|---|---|---|
    | Total risks | 8 | Total active risk lines in the register | Review |
    | Extreme inherent risks | 2 | Requires urgent treatment and escalation | Review |
    | High inherent risks | 6 | Treatment actions should be planned | Monitor |
    | Open treatment actions | 8 | Open, in-progress or pending treatment actions | Monitor |
    | Overdue actions | 0 | Actions past due date and not closed | OK |
    | Accepted residual risks | 0 | Residual risks formally accepted by the owner | Monitor |

    KPIs auto-calculate from the Risk Register. Chart below shows the inherent vs residual count per level.

    Chart: Risk count by level - Inherent vs Residual (series: Inherent Count, Residual Count; levels: Low, Moderate, High, Extreme)

    Sheet 3 of 7

    Risk Register

    The main working sheet. One row per identified risk with 30 columns covering identification, scoring (inherent and residual), treatment and review. Inherent and residual scores and levels are computed by formula.

    • 8 sample risks pre-populated, ready to edit
    • 30 columns from Risk ID through Review Date and Notes
    • Inherent / Residual Score and Level calculated by formula

    | Risk ID | Business Process | Asset | Threat | L | I | Score | Level | Treatment |
    |---|---|---|---|---|---|---|---|---|
    | R-001 | Identity and Access Management | Cloud admin console | Credential compromise | 4 | 5 | 20 | Extreme | Reduce |
    | R-002 | Endpoint Management | Employee laptops | Lost or stolen device | 3 | 4 | 12 | High | Reduce |
    | R-003 | Vulnerability Management | Internet-facing application | Exploitation of known vulnerability | 4 | 4 | 16 | Extreme | Reduce |
    | R-004 | Supplier Management | Critical SaaS provider | Third-party service outage | 3 | 5 | 15 | High | Share / Reduce |
    | R-005 | Backup and Recovery | Production database backups | Backup failure or restore failure | 3 | 5 | 15 | High | Reduce |
    | R-006 | Security Monitoring | SIEM / logging platform | Delayed detection of incident | 3 | 4 | 12 | High | Reduce |
    | R-007 | Human Resources Security | Employee lifecycle records | Access retained after role change | 3 | 4 | 12 | High | Reduce |

    7 of 8 sample rows shown; columns abbreviated for preview. Full sheet has 30 columns including Residual scoring, Evidence Reference, Review Date and Notes.

    Sheet 4 of 7

    Risk Matrix & Legends

    Defines the 5x5 likelihood x impact matrix plus the rating, likelihood and impact legends used across the workbook.

    • Score bands: 1-4 Low, 5-9 Moderate, 10-15 High, 16-25 Extreme
    • Full Likelihood scale (Rare -> Almost Certain) with examples
    • Full Impact scale (Insignificant -> Critical) with examples

    | Impact \ Likelihood | 1 | 2 | 3 | 4 | 5 |
    |---|---|---|---|---|---|
    | 5 Critical | 5 | 10 | 15 | 20 | 25 |
    | 4 Major | 4 | 8 | 12 | 16 | 20 |
    | 3 Moderate | 3 | 6 | 9 | 12 | 15 |
    | 2 Minor | 2 | 4 | 6 | 8 | 10 |
    | 1 Insignificant | 1 | 2 | 3 | 4 | 5 |

    Chart: 5x5 Risk Heat Map (likelihood x impact). Impact axis: 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic. Likelihood axis: 1 Rare, 2 Unlikely, 3 Possible, 4 Likely, 5 Certain. Legend: Critical, High, Medium, Low, Negligible.

    Sheet 5 of 7

    Reference Lists

    Source lists for the workbook's drop-downs: Classification, Asset Category, CIA Impact Area, Treatment Option, Implementation Status, Residual Accepted and Risk Levels.

    • Keeps the Risk Register consistent
    • Update only if your classification scheme changes
    • Backs every drop-down on the Risk Register

    | Classification | Asset Category | CIA Impact Area | Treatment Option |
    |---|---|---|---|
    | Public | Information Asset | Confidentiality | Reduce |
    | Internal | Application | Integrity | Accept |
    | Confidential | Cloud Service | Availability | Avoid |
    | Restricted | Database / Storage | Confidentiality; Integrity | Share / Transfer |
    | | Endpoint | Confidentiality; Availability | Share / Reduce |
    | | Network / Supplier / People / Process | Integrity; Availability | |

    Sheet 6 of 7

    Annex A Controls

    ISO/IEC 27001:2022 Annex A control reference list. Used to tag each risk with the relevant Annex A controls on the register.

    • All 93 Annex A:2022 controls pre-loaded
    • Includes Theme, Control Type and Cybersecurity Concept
    • Typical Policy / Evidence Link column for each control

    | Control ID | Theme | Control Name | Control Type | Cybersecurity Concept |
    |---|---|---|---|---|
    | A.5.1 | Organizational | Policies for information security | Preventive | Identify, Protect |
    | A.5.7 | Organizational | Threat intelligence | Preventive, Detective, Corrective | Identify, Detect, Respond |
    | A.5.15 | Organizational | Access control | Preventive | Protect |
    | A.6.3 | People | Awareness, education and training | Preventive | Protect |
    | A.8.8 | Technological | Management of technical vulnerabilities | Preventive, Corrective | Identify, Protect |
    | A.8.13 | Technological | Information backup | Corrective | Recover |

    6 of 93 controls shown - the full Annex A:2022 list is loaded in the workbook.

    Sheet 7 of 7

    Treatment Plan

    Tracks each treatment action linked to a risk on the register, with owner, target date, priority, status, evidence link and an effectiveness review marker.

    • Linked to the register by Risk ID
    • Treatment Option, Annex A Control(s), Priority and Status
    • Effectiveness Review column for post-implementation check

    | Treatment ID | Risk ID | Option | Action Description | Target Date | Priority | Status |
    |---|---|---|---|---|---|---|
    | T-001 | R-001 | Reduce | Enforce MFA, privileged access review, document quarterly access review. | 2026-05-26 | High | In Progress |
    | T-002 | R-003 | Reduce | Define vulnerability remediation SLA and scanning cadence. | 2026-06-25 | High | Open |
    | T-003 | R-005 | Reduce | Perform backup restore test and document evidence. | 2026-05-26 | High | In Progress |

    About this Risk Register Template (Excel)

    The Risk Register Template (Excel) is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to ISO 27001:2022
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Supports ISO 27001:2022 of ISO 27001:2022
    • Contributes to the documented information required by clause 7.5

    How to customise

    • Insert your organisation name, scope, and document owner.
    • Adapt scope statements and definitions to your environment.
    • Align responsibilities with your actual roles and team structure.
    • Approve, version, and publish via your document control process.

    Evidence auditors may expect

    • Approved and dated version of the document
    • Evidence the document is communicated to relevant staff
    • Records showing the controls described are actually performed
    • Review history demonstrating the document is kept current

    Auditor may ask

    Q. Who owns the Risk Register Template (Excel), and when was it last reviewed?
    Q. How is this document communicated to the people who need it?
    Q. What evidence shows the controls described are operating?
    Q. How is the document updated when scope or risk changes?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Risk Register Template (Excel)

    Buy this template on its own for $39, or unlock the full Document Pack for $99 (one-time).