
Risk Register

Also known as: Risk Log

The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.

Written by Askara Solutions editorial team · Updated

A risk register is the operating document of the ISMS. Auditors expect to see it; boards expect to be briefed from it; control owners expect their work to be traceable to it. When something goes wrong, the register is the first artefact reviewed.

The minimum schema for a useful register has seven fields:

  • A unique identifier.
  • A scenario description, specific enough to be actionable. Not "data breach" but "customer PII exposed via misconfigured S3 bucket".
  • The loss event frequency and loss magnitude estimates (quantified or banded).
  • The inherent and residual risk levels.
  • The control treatment selected.
  • The named owner.
  • The next review date.

Registers fail in two predictable ways. They go stale, because nobody owns the review cadence. Or they expand without discipline, because every observation gets logged as a new risk and the register stops being navigable. The fix is the same in both cases: define the review cadence in the ISMS, name an accountable owner per risk, and treat the register as something the organisation maintains itself rather than something a consultant produces and hands over.
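The seven-field schema and the two failure modes above can be mechanised. The following is an added example (not from the page or from any product it describes): a minimal register model that validates each entry against the schema, rejects category labels such as "data breach" as scenarios, flags entries whose review date has passed, and spots duplicate scenarios that inflate the register. The 3x3 banding matrix, the list of vague scenario titles, and the sample entries are assumptions constructed for illustration; a real ISMS defines its own scales.

```python
"""Seven-field risk register with banded scoring and the two hygiene checks
the text calls for: stale entries and undisciplined growth (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

BANDS = ("low", "medium", "high")
RANK = {band: i for i, band in enumerate(BANDS)}
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}

# Assumption: illustrative 3x3 likelihood x impact matrix -> overall level.
LEVELS = {
    ("low", "low"): "low", ("low", "medium"): "low", ("low", "high"): "medium",
    ("medium", "low"): "low", ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium", ("high", "medium"): "high", ("high", "high"): "high",
}

# Category labels that name a class of event rather than an actionable scenario.
VAGUE = {"data breach", "cyber attack", "ransomware", "outage", "insider threat"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    scenario: str
    likelihood: str          # inherent loss event frequency band
    impact: str              # inherent loss magnitude band
    treatment: str
    owner: str
    next_review: date
    residual_likelihood: str | None = None   # after treatment; None = unchanged
    residual_impact: str | None = None

    def inherent_level(self) -> str:
        return LEVELS[(self.likelihood, self.impact)]

    def residual_level(self) -> str:
        return LEVELS[(self.residual_likelihood or self.likelihood,
                       self.residual_impact or self.impact)]


def validate(r: Risk) -> list[str]:
    """Schema check for one entry; an empty list means the entry is usable."""
    problems: list[str] = []
    if not r.risk_id.strip():
        problems.append("missing identifier")
    if r.scenario.strip().lower() in VAGUE or len(r.scenario.split()) < 4:
        problems.append("scenario not specific enough to be actionable")
    bands = (r.likelihood, r.impact,
             r.residual_likelihood or r.likelihood, r.residual_impact or r.impact)
    if any(b not in BANDS for b in bands):
        problems.append("unknown likelihood/impact band")
    elif RANK[r.residual_level()] > RANK[r.inherent_level()]:
        # A treatment that raises the risk is a data-entry error, not a control.
        problems.append("residual risk exceeds inherent risk")
    if r.treatment not in TREATMENTS:
        problems.append(f"unknown treatment {r.treatment!r}")
    if not r.owner.strip():
        problems.append("no named owner")
    return problems


def stale(register: list[Risk], today: date) -> list[str]:
    """IDs whose review date has passed: nobody owned the cadence."""
    return [r.risk_id for r in register if r.next_review < today]


def duplicates(register: list[Risk]) -> list[tuple[str, str]]:
    """ID pairs sharing a normalised scenario text: growth without discipline."""
    seen: dict[str, str] = {}
    pairs: list[tuple[str, str]] = []
    for r in register:
        key = " ".join(r.scenario.lower().split())
        if key in seen:
            pairs.append((seen[key], r.risk_id))
        else:
            seen[key] = r.risk_id
    return pairs


def load_by_owner(register: list[Risk]) -> dict[str, int]:
    """How many risks each accountable owner carries; blank owners are surfaced."""
    return dict(Counter(r.owner.strip() or "(unassigned)" for r in register))


# Constructed sample register (not real data); TODAY is fixed for reproducibility.
TODAY = date(2025, 1, 15)
REGISTER = [
    Risk("R-001", "Customer PII exposed via misconfigured S3 bucket",
         "medium", "high", "mitigate", "Head of Platform", date(2025, 3, 1),
         residual_likelihood="low"),
    Risk("R-002", "Data breach", "high", "high", "mitigate", "CISO", date(2024, 6, 30)),
    Risk("R-003", "Customer PII exposed via misconfigured  S3 bucket",
         "medium", "high", "accept", "", date(2025, 9, 1)),
    Risk("R-004", "Build server compromised via unpinned CI dependency",
         "low", "high", "transfer", "Head of Platform", date(2024, 12, 31),
         residual_likelihood="high", residual_impact="high"),
]


def report(register: list[Risk], today: date) -> dict:
    """One review-cycle summary: what must be fixed before the register is trusted."""
    return {
        "invalid": {r.risk_id: validate(r) for r in register if validate(r)},
        "stale": stale(register, today),
        "duplicates": duplicates(register),
        "by_owner": load_by_owner(register),
    }


if __name__ == "__main__":
    for key, value in report(REGISTER, TODAY).items():
        print(f"{key}: {value}")
```

Run it and the report names the entries an auditor would query first: the placeholder scenario, the unowned entry, the duplicate of R-001, and the two risks whose review date has lapsed. The residual-exceeds-inherent check catches a common spreadsheet error that otherwise silently misreports the treatment's effect.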

Related terms

  • Risk Assessment

    The structured process of identifying threats, estimating likelihood and impact, and producing a defensible record of which risks the organisation accepts, treats, or transfers.

  • Statement of Applicability

    ISO 27001 document that records, for every Annex A control, whether it is applied, why it is applied, and what evidence demonstrates that it operates.

  • ISO 27001

    International standard that defines the requirements for an information security management system (ISMS), including risk assessment, control selection, and management review.

  • FAIR

    Quantitative risk-analysis methodology that expresses cyber risk as financial loss exposure rather than ordinal severity scores, by decomposing it into loss event frequency and loss magnitude.

  • Annual Loss Expectancy

    The expected annual cost of a risk scenario in financial terms, calculated as Loss Event Frequency multiplied by Loss Magnitude, expressed as a probability distribution rather than a point estimate.
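To make the last two entries concrete, the following is an added example (not from the page) of how an ALE becomes a distribution rather than a point estimate: loss event frequency is sampled from a range, the number of events in a year is drawn from a Poisson process at that rate, each event's loss magnitude is drawn from a lognormal fitted to a 90% confidence interval, and the yearly totals are summarised by percentile. The triangular and lognormal choices, the simulated scenario, and its numbers are assumptions constructed for illustration; FAIR tooling will use its own calibrated distributions.

```python
"""Monte Carlo annual loss expectancy for one register scenario: ALE as a
distribution of yearly loss, with the point estimate LEF x LM for comparison
(added example; the scenario and distributions are illustrative assumptions)."""
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.6449  # z-score at the 95th percentile; a 90% CI spans +/- Z90 sigma


@dataclass(frozen=True)
class Scenario:
    name: str
    lef_min: float    # loss event frequency, events per year: min / mode / max
    lef_mode: float
    lef_max: float
    lm_low: float     # loss magnitude per event: 90% confidence interval bounds
    lm_high: float

    def lognormal_params(self) -> tuple[float, float]:
        """Fit a lognormal so that [lm_low, lm_high] is its 5th-95th percentile range."""
        mu = (math.log(self.lm_low) + math.log(self.lm_high)) / 2
        sigma = (math.log(self.lm_high) - math.log(self.lm_low)) / (2 * Z90)
        return mu, sigma

    def point_ale(self) -> float:
        """Mean LEF x mean LM: the single number the entry above warns against."""
        mu, sigma = self.lognormal_params()
        mean_lef = (self.lef_min + self.lef_mode + self.lef_max) / 3  # triangular mean
        mean_lm = math.exp(mu + sigma ** 2 / 2)                         # lognormal mean
        return mean_lef * mean_lm


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's sampler; adequate for the small event rates a register deals in."""
    limit = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate(s: Scenario, years: int = 20000, seed: int = 1) -> dict[str, float]:
    """Simulate `years` independent years and summarise the annual loss distribution."""
    rng = random.Random(seed)
    mu, sigma = s.lognormal_params()
    losses = []
    for _ in range(years):
        lef = rng.triangular(s.lef_min, s.lef_max, s.lef_mode)  # uncertainty in the rate
        events = poisson(lef, rng)                                # events this year
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    losses.sort()
    q = statistics.quantiles(losses, n=100)  # q[i - 1] is the i-th percentile
    return {
        "mean": statistics.fmean(losses),   # the ALE proper: expected annual loss
        "p50": q[49],
        "p90": q[89],
        "p95": q[94],
        "max": losses[-1],
        "p_no_loss": losses.count(0.0) / years,  # years with no loss event at all
    }


# Constructed scenario (illustrative numbers, not real data).
SCENARIO = Scenario("Customer PII exposed via misconfigured S3 bucket",
                    lef_min=0.1, lef_mode=0.5, lef_max=2.0,
                    lm_low=50_000, lm_high=2_000_000)

if __name__ == "__main__":
    result = simulate(SCENARIO)
    print(f"point estimate LEF x LM: {SCENARIO.point_ale():,.0f}")
    for key, value in result.items():
        print(f"{key:>10}: {value:,.2f}" if key == "p_no_loss" else f"{key:>10}: {value:,.0f}")
```

The simulated mean lands close to the point estimate, because expectation is linear, but the median sits well below it and the 95th percentile well above: a large share of years see no loss event at all, and the heavy lognormal tail drives the mean. That spread is what a board needs to see before accepting or transferring the risk, and it is invisible in a single LEF x LM figure.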
