Tutorial: Let's build a risk register
How to create a risk register
In this tutorial video I show you how to create a risk register in just under 5 minutes. Risk management is the foundation of data security and of many compliance frameworks and standards, including GDPR, ISO 27001, PCI DSS, SOC and a host of others. Risk management doesn't have to be hard: a basic, functioning risk register can be built from scratch in minutes.
Fields to include in the risk register
You really don't need a fancy tool for a risk register. Good old Excel is more than adequate. Grab yourself a blank Excel spreadsheet and let's go.
Ref: An internal reference that you will refer to the risk by
External Reference: External reference number that shows where the risk came from, for example a Helpdesk ticket, an audit number, an Annex A control, a GDPR clause.
Risk Description: whilst not featured in the video, a short description of what the risk actually is can be very useful, especially once the register has grown past a handful of rows.
Asset: The thing that the risk applies to, for example a data set, a system, a website, a building, a group of people, a physical order book.
Asset owner: Every asset should be assigned an owner. They have responsibilities that we will not cover here. For now record it.
Threat: the threat to the asset, i.e. who or what could cause it harm (for example theft of a laptop, a phishing email, a power failure).
Vulnerability: the weakness in the current control, or the absence of a control, that the threat could exploit (for example an unencrypted disk, no staff awareness training, no backup generator).
Outcome: what will happen if the risk is realised, for example a financial penalty, a loss of customers, a loss of revenue.
CIA: whether the risk impacts on the confidentiality, integrity or availability of the asset – can be a combination.
Current Control: if there is a current control in place, a description of what it is or state no current control.
Impact: the impact as a score, usually 1, 3 or 9, scoring the impact from low to high.
Likelihood: the likelihood as a score, usually 1, 3 or 9, scoring the likelihood from low to high.
Risk Score: a formula in the spreadsheet that multiplies the impact by the likelihood (on the 1/3/9 scale this gives a score between 1 and 81). The higher the score, the higher the risk and the more likely you will want to address it first.
Treatment: record whether you accept the risk, transfer the risk (for example through insurance or a contract), reduce the risk, or avoid it altogether by no longer doing the thing that creates it.
Treatment plan: what is the plan to address the risk
Treatment owner: who is going to do the remediation and implement the treatment plan
Treatment date: the date by which the treatment plan will be implemented.
Additional Risk Register Columns
A control sheet that shows the author, version, version history and document classification
Residual risk: the score re-assessed after the treatment plan has been implemented, so that the effect of the treatment on the risk score can be seen by comparison with the original score.
Control testing: who will test the new control, and when, to confirm it actually works before the residual score is relied upon.
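The columns above, including the residual risk score, as a small working register in Python. This is an added example, not the tutorial's own spreadsheet: it validates the 1/3/9 scale and the treatment choice, computes risk score as impact × likelihood, and emits CSV that can be pasted straight into Excel. The `Risk` class, `prioritise` and `to_csv` names are my own, the three sample rows are constructed for illustration, and "avoid" is included as a fourth treatment option alongside the tutorial's accept/transfer/reduce.

```python
"""Risk register as a Python structure (added example, not the tutorial's own
spreadsheet). Column names mirror the fields listed above; the 1/3/9 scale,
risk score = impact x likelihood and residual score follow the text.
Sample risks below are constructed for illustration only."""
import csv
import io
from dataclasses import dataclass, asdict
from typing import List, Optional

SCALE = {1: "Low", 3: "Medium", 9: "High"}          # the tutorial's 1/3/9 scale
TREATMENTS = {"accept", "transfer", "reduce", "avoid"}


@dataclass
class Risk:
    ref: str
    external_ref: str
    description: str
    asset: str
    asset_owner: str
    threat: str
    vulnerability: str
    outcome: str
    cia: str                      # any combination of the letters C, I and A
    current_control: str
    impact: int
    likelihood: int
    treatment: str
    treatment_plan: str = ""
    treatment_owner: str = ""
    treatment_date: str = ""      # ISO date, e.g. 2024-09-30
    residual_impact: Optional[int] = None       # scored after the plan is done
    residual_likelihood: Optional[int] = None

    def __post_init__(self):
        # Reject anything off the 1/3/9 scale so scores stay comparable.
        for name in ("impact", "likelihood", "residual_impact", "residual_likelihood"):
            value = getattr(self, name)
            if value is not None and value not in SCALE:
                raise ValueError(f"{self.ref}: {name} must be one of {sorted(SCALE)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: treatment must be one of {sorted(TREATMENTS)}")
        if not self.cia or set(self.cia.upper()) - set("CIA"):
            raise ValueError(f"{self.ref}: CIA must be a combination of C, I and A")
        # Reducing or transferring a risk without a plan, owner and date is an open action.
        if self.treatment in ("reduce", "transfer") and not (
            self.treatment_plan and self.treatment_owner and self.treatment_date
        ):
            raise ValueError(f"{self.ref}: {self.treatment} needs plan, owner and date")

    @property
    def risk_score(self) -> int:
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> Optional[int]:
        if self.residual_impact is None or self.residual_likelihood is None:
            return None
        return self.residual_impact * self.residual_likelihood


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest risk score first; ties broken by reference so output is stable."""
    return sorted(risks, key=lambda r: (-r.risk_score, r.ref))


def to_csv(risks: List[Risk]) -> str:
    """Render the register as CSV for Excel, adding the computed score columns."""
    buf = io.StringIO()
    rows = [dict(asdict(r), risk_score=r.risk_score, residual_score=r.residual_score)
            for r in prioritise(risks)]
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample rows (not real findings).
SAMPLE_RISKS = [
    Risk("R1", "HD-1042", "Customer DB backups unencrypted", "Customer database",
         "Head of IT", "Theft of backup media", "Backups written in clear text",
         "Regulatory fine and loss of customers", "C", "No current control",
         impact=9, likelihood=3, treatment="reduce",
         treatment_plan="Enable backup encryption", treatment_owner="DBA lead",
         treatment_date="2024-09-30", residual_impact=9, residual_likelihood=1),
    Risk("R2", "AUD-07", "Shared admin account on web server", "Public website",
         "Marketing Director", "Insider misuse", "No individual accountability",
         "Defacement and loss of revenue", "IA", "Password rotated quarterly",
         impact=3, likelihood=3, treatment="accept"),
    Risk("R3", "A.11.1", "Server room door propped open", "Server room",
         "Facilities Manager", "Unauthorised physical access", "Door alarm disabled",
         "Outage of core systems", "CIA", "CCTV only",
         impact=9, likelihood=9, treatment="reduce",
         treatment_plan="Re-enable door alarm and brief staff",
         treatment_owner="Facilities Manager", treatment_date="2024-08-15"),
]

if __name__ == "__main__":
    print(to_csv(SAMPLE_RISKS))
```

Running the file prints the register with the highest score first (R3 at 81, then R1 at 27, then R2 at 9), and R1's residual score of 9 sits beside its original 27 so the effect of the treatment is visible in the same row. The validation in `__post_init__` is the part Excel will not do for you: it stops a "reduce" row being saved with no owner or date, which is how open actions quietly get lost.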