Risk Register

Also known as:
  • Risk Log

The single source of truth recording every identified risk, its assessment, the control treatment chosen, the owner, and the review date.

Written by Askara Solutions editorial team

A risk register is the operating document of the ISMS. Auditors expect to see it; boards expect to be briefed from it; control owners expect their work to be traceable to it. When something goes wrong, the register is the first artefact reviewed.

The minimum schema for a useful register has seven fields:

  • A unique identifier.
  • A scenario description, specific enough to be actionable. Not "data breach" but "customer PII exposed via misconfigured S3 bucket".
  • The loss event frequency and loss magnitude estimates (quantified or banded).
  • The inherent and residual risk levels.
  • The control treatment selected.
  • The named owner.
  • The next review date.

Registers fail in two predictable ways. They go stale, because nobody owns the cadence. Or they expand without discipline, because every observation gets logged as a new risk and the register stops being navigable. The fix is the same in both cases: define the review cadence in the ISMS, name an accountable owner per risk, and treat the register as something the agent maintains rather than something a consultant produces and hands over.
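The seven-field schema and the two failure modes above can be turned into a mechanical check. The following is an added example, not code from the original page or from Askara Solutions: it models one register row with the seven minimum fields and audits a register for the defects the text describes (a vague scenario, a missing owner, an overdue review date, a duplicate identifier) plus two consistency checks between the assessment fields. The banding rule in `derive_band`, the four-word threshold for "vague", the finding codes, and the sample entries are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Ordered risk bands used for frequency, magnitude, inherent and residual levels.
BANDS = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class RiskEntry:
    """One row of the register: the seven minimum fields from the page."""
    risk_id: str        # unique identifier
    scenario: str       # specific, actionable description
    frequency: str      # banded loss event frequency (one of BANDS)
    magnitude: str      # banded loss magnitude (one of BANDS)
    inherent: str       # recorded inherent risk band
    residual: str       # recorded residual risk band, after treatment
    treatment: str      # control treatment selected
    owner: str          # named accountable owner
    next_review: date   # next scheduled review


def derive_band(frequency: str, magnitude: str) -> str:
    """Assumed banding rule: sum the two band indices (0..6) and map onto the four bands."""
    score = BANDS.index(frequency) + BANDS.index(magnitude)
    return BANDS[min(score // 2, len(BANDS) - 1)]


def check_entry(entry: RiskEntry, as_of: date) -> list[str]:
    """Return finding codes for a single row; an empty list means the row passes."""
    findings = []
    # Heuristic (assumption): a scenario shorter than four words is "data breach"-style.
    if len(entry.scenario.split()) < 4:
        findings.append("vague_scenario")
    # Recorded inherent level must agree with the frequency/magnitude estimate.
    if derive_band(entry.frequency, entry.magnitude) != entry.inherent:
        findings.append("inherent_mismatch")
    # Treatment can only lower risk; residual above inherent is a data error.
    if BANDS.index(entry.residual) > BANDS.index(entry.inherent):
        findings.append("residual_exceeds_inherent")
    if not entry.owner.strip():
        findings.append("no_owner")
    # Staleness: the review date has already passed as of the audit date.
    if entry.next_review < as_of:
        findings.append("stale")
    return findings


def audit_register(register: list[RiskEntry], as_of: date) -> dict[str, list[str]]:
    """Audit every row and add a register-level check for duplicate identifiers."""
    id_counts = Counter(e.risk_id for e in register)
    report = {}
    for entry in register:
        findings = check_entry(entry, as_of)
        if id_counts[entry.risk_id] > 1:
            findings.append("duplicate_id")
        if findings:
            report[entry.risk_id] = findings
    return report


# Constructed sample register (not real data) and a fixed audit date for reproducibility.
AS_OF = date(2024, 6, 1)
SAMPLE_REGISTER = [
    RiskEntry("RISK-001", "customer PII exposed via misconfigured S3 bucket",
              "medium", "high", "medium", "low",
              "block public access at account level; config rule alerts on drift",
              "Cloud Platform Lead", date(2024, 9, 1)),
    RiskEntry("RISK-002", "data breach",
              "high", "critical", "high", "high",
              "accept", "", date(2024, 1, 15)),
    RiskEntry("RISK-003", "ransomware encrypts file servers after a phishing foothold",
              "low", "high", "medium", "high",
              "offline backups; EDR on file servers", "Infrastructure Manager",
              date(2024, 12, 1)),
]

if __name__ == "__main__":
    for risk_id, findings in audit_register(SAMPLE_REGISTER, AS_OF).items():
        print(f"{risk_id}: {', '.join(findings)}")
```

Run against the sample, RISK-001 passes, RISK-002 is flagged for a vague scenario, no owner and an overdue review, and RISK-003 is flagged because its residual level is higher than its inherent level. Running this on every commit to the register, or on the review cadence defined in the ISMS, is one concrete way to keep the register from going stale or drifting out of internal consistency.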
