
ISO 27001 Risk Register Explained + Template

Last updated Sep 25, 2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

ISO 27001 is a risk based system: which controls you include, and how far you implement them, is decided by risk. You use a risk register to record each risk, give it a risk score and decide how you are going to treat it. After the treatment is in place you score the risk again; that second score is your residual risk. Every risk is allocated an owner, and the action plans are tracked and managed as part of the management review meeting.

What is it?

A Risk Register is a living document – usually a spreadsheet – that helps you track and manage risks to your information. You list the risks, work out how likely each one is to happen and what its impact would be, and record what you are doing about it. It is your risk diary, and it is the main evidence that you take security seriously.

Applicability to Small Business, Tech Startups, and AI Companies

A risk register matters to every type of business, but for slightly different reasons.

  • Small Businesses: You can use a Risk Register to protect customer lists and financial info. It helps you see where you’re vulnerable and what to fix first without getting overwhelmed.
  • Tech Startups: For you, it’s about protecting your unique ideas and customer data. It helps you show potential investors and clients that you’re trustworthy and have a solid plan.
  • AI Companies: Your secret sauce is your data! A Risk Register helps you protect your AI models and the data you train them on. It’s crucial for making sure your tech stays safe and reliable.

ISO 27001 Risk Register Template

The ISO 27001:2022 risk register template lets you record and manage risks in a simple, effective format that also covers residual risk and management reporting. It is part of the Ultimate ISO 27001 Toolkit and is also available stand-alone.

Why you need it

You need a Risk Register because it’s the foundation of your ISO 27001 certification. It proves to auditors that you’ve thought about what could go wrong and have a plan to deal with it. Without it, you can’t get certified.

When you need it

Start your Risk Register as soon as you decide to pursue ISO 27001; it is one of the very first things you do. Review and update it at planned intervals (at least annually, and many organisations do it every six months) and whenever something significant changes in your business, such as a new system, a new supplier or a security incident.

Who needs it?

Your whole team plays a role! While a single person might be the “owner,” everyone contributes. For example, your IT team can help identify risks related to your network, and your sales team can point out risks related to customer data.

Where you need it

Keep your Risk Register in a safe, central location – a shared drive or a dedicated security platform – so everyone who needs it can find it. Because it lists the weaknesses in your controls, limit write access to the risk owners and the person who maintains it, and give read access only to the people who need it.

How to write it

  1. Find the Risks: Get your team together and brainstorm. Work through your assets (data sets, systems, suppliers, people, premises) and for each one ask what could threaten it and what weakness would let that threat succeed.
  2. Analyse: For each risk, score how likely it is to happen and how bad it would be if it did.
  3. Treat: Decide what you will do about each risk: reduce it with a control, transfer it, avoid the activity, or accept it if it is minor.
  4. Write it down: Put all this information into your template.

Time needed: 1 hour

How to create a risk register

  1. Create a spreadsheet with two tabs.

    Using a spreadsheet application (Excel, Google Sheets or LibreOffice Calc all work) create two tabs. The first tab is the document control and the second tab is the actual risk register.

  2. Add document mark up.

    Document mark up is required. The register is classified ‘internal’ rather than confidential, so place that classification in the header or footer. If your entries describe exploitable weaknesses in detail, consider a higher classification. Add a version control table to the document control tab that includes the author, the date, the reason for change and the version number.

  3. Add a reference field.

    A unique internal reference (for example R-001) that you will refer to the risk by in treatment plans, audit findings and management review minutes.

  4. Add an External Reference field.

    External reference number that shows where the risk came from, for example a Helpdesk ticket, an audit number, an Annex A control, a GDPR clause.

  5. Add a Risk Description

    A short description of the risk. The clearest form is ‘threat, acting on a vulnerability, affecting an asset’, for example a stolen laptop with an unencrypted disk exposing the customer list.

  6. Add an Asset Field

    The thing that the risk applies to, for example a data set, a system, a website, a building, a group of people, a physical order book.

  7. Add a Threat Field

    The threat to the asset.

  8. Add a Vulnerability Field

    The weakness that lets the threat succeed: a control that is missing, or one that is in place but ineffective.

  9. Add an Outcome Field

    Cover what will happen if the risk is realised, for example a financial penalty, a loss of customers, a loss of revenue.

  10. Add a CIA Field

    Whether the risk impacts on the confidentiality, integrity or availability of the asset – can be a combination.

  11. Add a Current Control Field

    If there is a current control in place, a description of what it is or state no current control.

  12. Add an Impact Field

    The impact as a score, usually 1, 3 or 9, from low to high.

  13. Add a Likelihood Field

    The likelihood as a score, usually 1, 3 or 9, from low to high.

  14. Add a Risk Score Field

    A formula that multiplies the impact by the likelihood. With the 1, 3, 9 scale the only possible scores are 1, 3, 9, 27 and 81, which keeps the bands well separated. The higher the score the higher the risk and the sooner you will want to address it.

  15. Add a Treatment Field

    Record whether you accept the risk, transfer it (for example through insurance or a contract), reduce it with a control, or avoid it by stopping the activity that creates it.

  16. Add a Treatment Plan Field

    What is the plan to address the risk.

  17. Add a Treatment Owner field.

    Who is going to do the remediation and implement the treatment plan.

  18. Add a Treatment Date field.

    By what date will the treatment plan be implemented.

  19. Add a Residual Risk field

    The score after the treatment plan has been implemented, re-assessed with the same impact and likelihood scales and shown alongside the original score so the effect of the treatment is visible. An accepted risk has a residual score equal to its current score.
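As an added example (illustrative code written for this page, not the author's template), the register below models the same columns in Python: it enforces the 1, 3, 9 scale, computes the risk score and the residual score, ranks risks for the management review, lists the high risks whose treatment has not yet brought them down, and exports the rows in the tutorial's column order as CSV for the register tab. The four sample risks, their scores, owners, dates and ticket numbers are constructed for this example from the scenarios discussed on this page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional
import csv
import io

SCALE = (1, 3, 9)       # low / medium / high, the scale used in the tutorial above
CIA = frozenset("CIA")  # confidentiality, integrity, availability

class Treatment(str, Enum):
    REDUCE = "reduce"      # add or strengthen a control
    TRANSFER = "transfer"  # e.g. insurance or a contractual shift
    ACCEPT = "accept"      # live with it: residual equals the current score
    AVOID = "avoid"        # stop the activity that creates the risk

@dataclass
class Risk:
    ref: str                    # internal reference, e.g. R-001
    description: str
    asset: str
    threat: str
    vulnerability: str
    outcome: str
    cia: str                    # any combination of the letters C, I, A
    impact: int
    likelihood: int
    treatment: Treatment
    owner: str
    due_date: str = ""          # when the plan is due; empty for accepted risks
    current_control: str = "no current control"
    external_ref: str = ""      # ticket, audit finding, Annex A control, ...
    treatment_plan: str = ""
    residual_impact: Optional[int] = None       # None until the plan is implemented
    residual_likelihood: Optional[int] = None

    def __post_init__(self) -> None:
        for name in ("impact", "likelihood", "residual_impact", "residual_likelihood"):
            value = getattr(self, name)  # reject anything outside 1/3/9 so rows stay comparable
            if value is not None and value not in SCALE:
                raise ValueError(f"{name} must be one of {SCALE}, got {value!r}")
        if not self.cia or not set(self.cia) <= CIA:
            raise ValueError(f"cia must use only C, I, A; got {self.cia!r}")
        if self.treatment is Treatment.ACCEPT:  # nothing changes, so residual = current
            self.residual_impact, self.residual_likelihood = self.impact, self.likelihood

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # only 1, 3, 9, 27 or 81 are possible

    @property
    def residual_score(self) -> Optional[int]:
        if None in (self.residual_impact, self.residual_likelihood):
            return None
        return self.residual_impact * self.residual_likelihood

def prioritise(risks: List[Risk]) -> List[Risk]:
    # Highest current score first; ties broken by reference for a stable order.
    return sorted(risks, key=lambda r: (-r.score, r.ref))

def open_actions(risks: List[Risk], threshold: int = 27) -> List[Risk]:
    # What the management review should chase: high, not accepted, not yet reduced below threshold.
    return [r for r in prioritise(risks)
            if r.score >= threshold and r.treatment is not Treatment.ACCEPT
            and (r.residual_score is None or r.residual_score >= threshold)]

COLUMNS = ["ref", "external_ref", "description", "asset", "threat", "vulnerability",
           "outcome", "cia", "current_control", "impact", "likelihood", "score",
           "treatment", "treatment_plan", "owner", "due_date", "residual_score"]

def to_csv(risks: List[Risk]) -> str:
    out = io.StringIO()  # rows for the register tab, tutorial column order, highest risk first
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(COLUMNS)
    for r in prioritise(risks):
        row = {c: getattr(r, c) for c in COLUMNS}      # properties (score) work via getattr
        row["treatment"] = r.treatment.value
        row["residual_score"] = "" if r.residual_score is None else r.residual_score
        writer.writerow(row[c] for c in COLUMNS)
    return out.getvalue()

SAMPLE = [  # constructed sample rows, based on the example scenarios given on this page
    Risk(ref="R-001", description="Sales laptop stolen with customer contacts on it",
         asset="Sales laptops", threat="Theft", vulnerability="Disk not encrypted",
         outcome="Customer data exposed", cia="C", impact=9, likelihood=3, owner="IT manager",
         treatment=Treatment.REDUCE, due_date="2025-11-30", external_ref="Helpdesk #1234",
         treatment_plan="Full-disk encryption on every laptop", residual_impact=3, residual_likelihood=3),
    Risk(ref="R-002", description="Developer pushes proprietary code to a public repository",
         asset="Source code", threat="Accidental disclosure", cia="C", impact=9, likelihood=3,
         vulnerability="Public repos allowed, no secret scanning", owner="Head of engineering",
         outcome="Competitors and attackers see internal code and embedded secrets",
         treatment=Treatment.REDUCE, due_date="2025-12-15", treatment_plan="Block public repos; secret scanning"),
    Risk(ref="R-003", description="Model trained on biased data produces unfair results",
         asset="Training data set", threat="Biased or poisoned data", cia="I", impact=9, likelihood=9,
         vulnerability="No review of data sources", outcome="Regulatory action, reputational harm",
         treatment=Treatment.REDUCE, owner="Head of data", due_date="2025-10-31",
         treatment_plan="Quarterly bias audit of training data", residual_impact=3, residual_likelihood=3),
    Risk(ref="R-004", description="Fire destroys the paper order book", asset="Physical order book",
         threat="Fire", vulnerability="Single paper copy", outcome="A day of orders re-keyed",
         cia="A", impact=3, likelihood=1, treatment=Treatment.ACCEPT, owner="Office manager"),
]
```

Calling to_csv(SAMPLE) gives the register tab with R-003 (score 81) at the top, and open_actions(SAMPLE) returns only R-002, because its treatment plan has no residual score recorded yet while R-001 and R-003 have already been brought down to 9. The validation in __post_init__ is the check a spreadsheet usually lacks: a typed impact of 5 or a CIA value outside C, I, A is rejected instead of silently distorting the scores.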

How to implement it

After you’ve created your Risk Register, you need to use it!

  1. Assign Owners: Make sure each risk has a person responsible for it.
  2. Take Action: Start working on the plans you wrote down.
  3. Review: Meet with your team regularly to check on progress and update the register.

Examples of using it for small businesses

  • Risk: A sales team member’s laptop is stolen.
  • Impact: Customer contact information is exposed.
  • Treatment: Enforce full-disk encryption on all company laptops, with the recovery keys held centrally.

Examples of using it for tech startups

  • Risk: A developer accidentally pushes proprietary code to a public repository such as GitHub.
  • Impact: Your secret sauce, and any credentials embedded in the code, are exposed to competitors and attackers.
  • Treatment: Require code review before changes are merged, block the creation of public repositories at the organisation level, and run secret scanning so embedded keys are caught before they are pushed.

Examples of using it for AI companies

  • Risk: An AI model is trained on biased data, leading to unfair results.
  • Impact: Legal issues and damage to your reputation.
  • Treatment: Implement a process to regularly audit your training data for bias.

How the ISO 27001 toolkit can help

An ISO 27001 toolkit is a collection of pre-made documents, like a pre-filled Risk Register template. It makes the process much faster and easier, so you don’t have to guess what to write. It’s like having training wheels for your certification journey.


Information security standards that need it

This risk register is a key part of ISO 27001, the international standard for managing information security. Other standards, frameworks and regulations that expect a documented risk assessment include:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • DORA (Digital Operational Resilience Act)
  • NIS2 (the second Network and Information Security Directive)
  • SOC 2 (Service Organisation Control 2)
  • NIST frameworks (the Cybersecurity Framework and the Risk Management Framework)
  • HIPAA (Health Insurance Portability and Accountability Act)

Relevant ISO 27001:2022 controls

The requirement for a risk register comes from the management system clauses of ISO 27001:2022 rather than from the Annex A controls. Clause 6.1.2 (information security risk assessment) and clause 6.1.3 (information security risk treatment) define the process, and clauses 8.2 and 8.3 require you to carry it out at planned intervals and retain documented information on the results. The Annex A controls are then selected, and their rigour set, according to what the register shows.


Why is a risk register important?

A risk register is the fundamental document in risk management. It is the primary record of risks and contains everything you need to manage information security risk effectively. It also provides a historical record of how risk has changed over time: which risks have been reduced, which have been accepted, and how the organisation’s overall exposure has been managed.

For ISO 27001 it is a mandatory document. ISO 27001 is a risk based system and the core of a risk based system is a risk register.

What should an ISO 27001 Risk Register Contain?

The very basic level of information that should be included in an ISO 27001 risk register includes:

  1. The name of the risk
  2. A description of the risk
  3. The likelihood of the risk occurring
  4. The impact of the risk if it occurs
  5. The controls that are in place to mitigate the risk
  6. The owner of the risk
  7. The status of the risk

ISO 27001 Risk Register FAQ

Is ISO 27001 Risk Based?

Yes, ISO 27001 is a risk based management system.

What is a risk based management system?

A risk based management system is one where the selection of controls is driven by risk. It is acceptable not to implement a given control, provided the resulting risk is assessed and formally accepted. The higher the risk, the more control rigour you implement.

Do I need a risk register for ISO 27001?

Yes, a risk register is a fundamental part of the ISO 27001 standard and management system. It allows you to record and manage risk.

Can I use the company or other risk register?

Yes, but we do not recommend it. Having a risk register that is dedicated to governance, risk and compliance is preferred. Different risk registers often address different concerns, and keeping a separate one greatly aids its management.

Should I buy a risk management tool?

You do not need to purchase a risk management tool. They can be expensive, and restrictive once you understand risk management. They suit the novice user, or teams where consistency of approach and repetition across multiple departments are key, but a simple spreadsheet as described in the tutorial is more than adequate.

Should I keep versions of my risk registers?

This is not a requirement if you have document version control but is good practice.

What’s the difference between a risk and a threat?

A threat is something that could cause harm (a hacker, a fire, a careless employee). A vulnerability is the weakness it would exploit (an unencrypted disk). A risk is the combination: the chance that the threat exploits the vulnerability and the effect if it does (a hacker reading your data from a stolen, unencrypted laptop).

Is a Risk Register a one-time thing?

No, you have to review and update it regularly.

How often should I review it? 

At least once a year, or whenever there is a significant change in your business, systems or suppliers, or after a security incident.

Do I need a fancy program to make one?

No, a simple spreadsheet works just fine!

What’s a risk owner? 

The person responsible for managing and fixing a specific risk.

Do I need to list every single risk?

Focus on the ones that matter most as these are the ones with a high chance of happening or a big impact.

What if a risk isn’t fixable? 

You can choose to accept it if the cost of fixing it is too high compared to the risk.

What if I don’t know the likelihood or impact?

Just make your best guess and write down why you think that.

How do auditors use my Risk Register?

They’ll look at it to make sure you’ve identified and planned for your biggest risks.

Do I need to show all my risks to my team?

It’s a good idea to share risks that affect their work.

What if a risk happens?

You’d update the register to show what happened and what you did about it.

What’s a risk score?

A number you get by multiplying the likelihood by the impact; it lets you rank risks and decide which to tackle first.

What’s risk treatment? 

It is your plan for dealing with a risk: reduce it with a control, transfer it (for example with insurance), avoid it by stopping the activity, or accept it.

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.