What Is a Security Risk Register?
A security risk register is the single place where an organization writes down what it is worried about and what it is doing about it. It is the prioritized catalog of your real, plausible risks, with an owner and a plan attached to each. Without it, risk management is a conversation that happens once and then evaporates. With it, risk becomes something you can track, report, and answer for.
It is also the document an auditor will ask to see first, because it shows whether risk management is a habit or just a slide in a deck.
What a register records
| Field | Why it is there |
|---|---|
| Risk description | The risk to the confidentiality, integrity, or availability of information. |
| Risk owner | The named person accountable for the risk and for accepting any residual risk. Required by ISO 27001. |
| Likelihood | The realistic chance the risk event occurs. |
| Impact | The consequence if it does: financial, operational, reputational, or legal. |
| Risk level | Likelihood and impact combined (usually through a scoring matrix) and evaluated against your risk criteria to decide whether the risk is acceptable or needs treatment. |
| Treatment and controls | The chosen option (reduce, transfer, avoid, accept) and the specific controls applied. |
| Residual risk | What remains after treatment, compared against your risk tolerance to decide if more is needed. |
A register is only as useful as the columns in it. Each field exists to answer a specific question, and ISO 27001 requires several of them by name.
Building the register
The register is the output of a process, not a thing you fill in once. ISO 27001 lays out that process in Clauses 6.1.2 and 6.1.3: 6.1.2 covers the assessment (define risk criteria, identify risks and their owners, analyse likelihood and impact, evaluate the resulting level against the criteria), and 6.1.3 covers treatment (choose treatment options and controls, write the treatment plan, and obtain the risk owner's approval of the plan and acceptance of the residual risk).
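To make the fields and the process concrete, here is an added example (not code from the original page or from ISO): a small Python model of a register entry that scores each risk, records its treatment and residual values, rejects entries without a named owner, and reports which entries still need work because the residual risk is above tolerance or has not been accepted by its owner. The 1..5 scales, the level thresholds, the tolerance value and the sample risks are all assumptions chosen for illustration.

```python
"""Added example (not from the original page): a minimal risk register
model that scores each risk, records its treatment, and flags entries
that still need work. The 1..5 scales, the level thresholds, the default
tolerance and the sample risks are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class Treatment(Enum):
    REDUCE = "reduce"
    TRANSFER = "transfer"
    AVOID = "avoid"
    ACCEPT = "accept"


# Assumed risk criteria: likelihood x impact on 1..5, banded into three levels.
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


def risk_level(likelihood: int, impact: int) -> str:
    """Combine likelihood and impact into a level using the assumed matrix."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be between 1 and 5")
    score = likelihood * impact
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    description: str
    owner: str                                  # a named person, never blank
    likelihood: int
    impact: int
    treatment: Treatment
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None   # None: unchanged by treatment
    residual_impact: Optional[int] = None
    residual_accepted_by: Optional[str] = None  # who signed off the residual risk

    def __post_init__(self) -> None:
        if not self.owner.strip():
            raise ValueError("every risk needs a named owner")
        if self.residual_likelihood is None:
            self.residual_likelihood = self.likelihood
        if self.residual_impact is None:
            self.residual_impact = self.impact
        if (self.residual_likelihood > self.likelihood
                or self.residual_impact > self.impact):
            raise ValueError("treatment cannot raise likelihood or impact")

    @property
    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    @property
    def residual_level(self) -> str:
        return risk_level(self.residual_likelihood, self.residual_impact)


def review_register(risks: List[Risk], tolerance: str = "low") -> List[Tuple[str, str]]:
    """Return (description, reason) for every entry that is not yet done:
    residual above tolerance, or within tolerance but not accepted by the owner."""
    findings = []
    for r in risks:
        if LEVEL_ORDER[r.residual_level] > LEVEL_ORDER[tolerance]:
            findings.append((r.description,
                             f"residual {r.residual_level} exceeds tolerance {tolerance}"))
        elif r.residual_accepted_by != r.owner:
            findings.append((r.description, "residual risk not accepted by owner"))
    return findings


def prioritize(risks: List[Risk]) -> List[str]:
    """Order the register by residual level, then inherent level, highest first."""
    ranked = sorted(risks, key=lambda r: (LEVEL_ORDER[r.residual_level],
                                          LEVEL_ORDER[r.inherent_level]), reverse=True)
    return [r.description for r in ranked]


# Constructed sample register (hypothetical risks, owners and scores).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", "Head of Infrastructure", 4, 5,
         Treatment.REDUCE, ["30-day patch SLA", "MFA on VPN"],
         residual_likelihood=2, residual_accepted_by="Head of Infrastructure"),
    Risk("Laptop theft exposing unencrypted data", "IT Manager", 3, 4,
         Treatment.REDUCE, ["full-disk encryption", "remote wipe"],
         residual_impact=1, residual_accepted_by="IT Manager"),
    Risk("Legacy file server outage", "IT Manager", 2, 2, Treatment.ACCEPT),
]

if __name__ == "__main__":
    for desc, why in review_register(SAMPLE_REGISTER):
        print(f"{desc}: {why}")
    print("priority order:", prioritize(SAMPLE_REGISTER))
```

Run as a script, the sample register produces two findings: the VPN risk is still medium after treatment against a "low" tolerance, and the accepted file-server risk has no owner sign-off recorded. The design choice worth noting is that "accept" is not a silent default: an untreated risk keeps its inherent score as residual and still fails review until the named owner accepts it, which is the ISO 27001 requirement the page describes.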
[[INSIGHT: The field that separates a real risk register from a checkbox is the risk owner. A risk without a name attached belongs to no one, which means it gets managed by no one. ISO 27001 makes the owner mandatory for exactly this reason.]]
- A risk register is the central, prioritized log of identified risks and their treatment.
- Core fields: description, owner, likelihood, impact, risk level, treatment, and residual risk.
- ISO 27001 requires a named risk owner who approves treatment and accepts residual risk.
- The register is the output of the risk assessment and treatment process, not a one-time form.
- Residual risk is compared against your risk tolerance to decide whether to do more.
Frequently asked questions
What is a security risk register?
A central document that logs an organization’s identified risks and tracks their treatment. It is the prioritized catalog of relevant, plausible risks and the plan for each.
What should a risk register contain?
At minimum: a risk description, a named risk owner, likelihood, impact, the resulting risk level, the chosen treatment and controls, and the residual risk that remains after treatment.
What is residual risk?
The level of risk that remains after the planned controls are implemented. ISO 27001 requires the risk owner to approve the treatment plan and formally accept the residual risk.
How does the risk register relate to ISO 27001?
ISO 27001 Clauses 6.1.2 and 6.1.3 require a documented risk assessment and treatment process. The register is how organizations record risk owners, analysis, treatment decisions, and residual risk to meet that requirement.