Tutorial: Let's build a risk register

How to create a risk register

In this tutorial video I show you how to create a risk register in just under 5 minutes. Risk management is the foundation of data security and of many industry standards and regulations, including GDPR, ISO 27001, PCI DSS, SOC 2 and a host of others. Risk management doesn't have to be hard, and it really is easy to create a basic, functioning risk register from scratch.

Fields to include in the risk register

You really don't need a fancy tool for a risk register. Good old Excel is more than adequate. Grab yourself a blank Excel spreadsheet and let's go. Each field below becomes a column, and each risk gets its own row.

Ref: an internal reference that you will refer to the risk by, for example R-001.

External Reference: an external reference number that shows where the risk came from, for example a helpdesk ticket, an audit finding number, an ISO 27001 Annex A control, a GDPR article.

Risk Description: whilst not featured in the video, a short description of what the risk is can be very useful.

Asset: The thing that the risk applies to, for example a data set, a system, a website, a building, a group of people, a physical order book.

Asset owner: every asset should be assigned an owner. Owners have responsibilities that we will not cover here; for now, just record who it is.

Threat: the event or actor that could cause harm to the asset, for example a ransomware attack, a disgruntled employee, a power failure.

Vulnerability: the weakness the threat could exploit, either a gap in an existing control or the lack of a control altogether.

Outcome: what will happen if the risk is realised, for example a financial penalty, a loss of customers, a loss of revenue.

CIA: whether the risk impacts the confidentiality, integrity or availability of the asset. It can be a combination of the three.

Current Control: if there is a control in place today, a description of what it is; otherwise state "no current control".

Impact: the impact as a score, usually 1, 3 or 9, scoring the impact from low to high.

Likelihood: the likelihood as a score, usually 1, 3 or 9, scoring the likelihood from low to high.

Risk Score: a formula that multiplies the impact by the likelihood. On the 1/3/9 scale the possible scores are 1, 3, 9, 27 and 81, and the spread between them is what makes the top of the register stand out. The higher the score, the higher the risk and the more likely you will want to address it.

Treatment: record whether you accept the risk, transfer the risk (for example through insurance or a supplier contract), reduce the risk by adding or improving a control, or avoid it by stopping the activity that gives rise to it.

Treatment plan: what the plan is to address the risk.

Treatment owner: who is going to do the remediation and implement the treatment plan.

Treatment date: by what date will the treatment plan be implemented.

Additional Risk Register Columns

To consider:

A control sheet that shows the author, version, version history and document classification.

Residual risk: the impact, likelihood and resulting score after the treatment plan has been implemented, so you can compare it with the original risk score and see the effect the treatment had.

Control testing: who will test the new control and when, so that the register records evidence that the treatment actually works rather than just a plan.
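The scoring formula, the ranking of the sheet and the residual risk comparison above are easy to get subtly wrong in a spreadsheet (a 5 typed into a 1/3/9 column, a high-scoring risk with no owner or date). The following Python is an added example, not code from the original post or video; it models one row per risk with the columns listed in this post, validates the 1/3/9 scale, computes the risk score and residual score, flags high risks that are marked for treatment but have no plan, owner or date, and exports a CSV you can open in Excel. The 27 threshold, the `avoid` option and the sample rows are assumptions for illustration.

```python
"""Minimal risk register, as an added example (not the post's own code).
Columns mirror the fields listed in the post. The 1/3/9 scale, the review
threshold and the sample risks are assumptions for illustration."""
import csv
import io
from dataclasses import dataclass, asdict
from typing import Optional

SCALE = (1, 3, 9)           # low / medium / high, as the post suggests
REVIEW_THRESHOLD = 27       # assumption: 9x3 or higher must have a plan in place
TREATMENTS = {"accept", "transfer", "reduce", "avoid"}


@dataclass
class Risk:
    ref: str
    external_ref: str
    description: str
    asset: str
    asset_owner: str
    threat: str
    vulnerability: str
    outcome: str
    cia: str                 # any combination of C, I and A, e.g. "CI"
    current_control: str
    impact: int
    likelihood: int
    treatment: str
    treatment_plan: str = ""
    treatment_owner: str = ""
    treatment_date: str = ""  # ISO date, empty until the plan is agreed
    residual_impact: Optional[int] = None
    residual_likelihood: Optional[int] = None

    def __post_init__(self):
        # Reject values a spreadsheet would happily accept (e.g. 5 or 0).
        for name in ("impact", "likelihood"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.ref}: {name} must be one of {SCALE}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: unknown treatment {self.treatment!r}")
        if not self.cia or not set(self.cia.upper()) <= {"C", "I", "A"}:
            raise ValueError(f"{self.ref}: CIA must be drawn from C, I and A")

    @property
    def score(self) -> int:
        """Risk score = impact x likelihood (1, 3, 9, 27 or 81 on this scale)."""
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> Optional[int]:
        """Score after treatment, or None if residual values are not yet recorded."""
        if self.residual_impact is None or self.residual_likelihood is None:
            return None
        return self.residual_impact * self.residual_likelihood


def rank(register):
    """Highest score first, so the top of the sheet is what to address first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def missing_plans(register, threshold=REVIEW_THRESHOLD):
    """Refs of risks at or above the threshold that are to be reduced or
    transferred but still lack a plan, an owner or a date."""
    return [r.ref for r in register
            if r.score >= threshold and r.treatment in {"reduce", "transfer"}
            and not (r.treatment_plan and r.treatment_owner and r.treatment_date)]


def to_csv(register) -> str:
    """Export the ranked register for Excel, with the computed scores appended."""
    buf = io.StringIO()
    columns = list(asdict(register[0]).keys()) + ["risk_score", "residual_score"]
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    for r in rank(register):
        row = asdict(r)
        row["risk_score"] = r.score
        row["residual_score"] = r.residual_score
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample rows for illustration only; not real findings.
SAMPLE = [
    Risk("R-001", "AUDIT-2023-04", "Customer database exposed by weak admin auth",
         "Customer DB", "Head of IT", "External attacker", "No MFA on admin accounts",
         "Regulatory fine and loss of customers", "C", "Password only", 9, 3,
         "reduce", "Enforce MFA for all admin logins", "IT Ops lead", "2024-03-31",
         residual_impact=9, residual_likelihood=1),
    Risk("R-002", "HELPDESK-5512", "Single office internet link", "Office network",
         "Facilities manager", "Provider outage", "No backup link",
         "Staff unable to work", "A", "No current control", 3, 3, "accept"),
    Risk("R-003", "A.8.13", "Backups never restore-tested", "File server backups",
         "Head of IT", "Ransomware", "Untested restore procedure",
         "Data loss", "IA", "Nightly backups", 9, 3, "reduce"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE))
    print("needs a treatment plan:", missing_plans(SAMPLE))
```

Running it lists R-001 and R-003 at the top (both 27), shows R-001 dropping to a residual 9 once MFA is in, and flags R-003 as a high risk marked "reduce" with nobody and no date against it, which is exactly the row an auditor will ask about.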

High Table ISO 27001

20+ years in companies like yours across hundreds of ISO 27001 implementations and audits meeting FCA regulations. We have your back. Proven documents and processes honed over decades of continual improvement and external ISO 27001 audit.

Author Stuart Barker - The Data Security Guy
