Risk Register

Identify, assess, and treat information security risks using a 5x5 scoring matrix, heat map visualisation, and encrypted risk descriptions.

Overview

The Risk Register is the central module for identifying, assessing, and treating information security risks. ISO 27001 requires organisations to define and apply a risk assessment process that identifies risks to the confidentiality, integrity, and availability of information. In Standardise, every risk is assessed using a structured 5x5 likelihood-by-consequence matrix and linked to treatment options.

Risk descriptions are encrypted at rest using AES-256-GCM envelope encryption, so sensitive risk information is protected even from direct reads of the database (a dump, a backup, or a compromised database account). Of the fields listed under Creating and Editing Risks, only the description is marked as encrypted, so put sensitive detail (affected systems, known weaknesses) in the description rather than the title.
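What "envelope encryption" means in practice, as an added example that is not Standardise's code: a fresh data-encryption key (DEK) is generated for each description, the description is encrypted under it with AES-256-GCM, and the DEK is itself encrypted under a key-encryption key (KEK) that should live outside the database (a KMS or HSM). The per-record DEK, the use of the risk ID as GCM associated data, and the record field names are assumptions of this illustration, not documented Standardise behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord holds what the database would store for one encrypted
// description. Field names are illustrative, not Standardise's schema.
type EnvelopeRecord struct {
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	DEKNonce   []byte // nonce used when wrapping the DEK
	Ciphertext []byte // description encrypted under the DEK
	Nonce      []byte // nonce used when encrypting the description
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of the wrong length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random 96-bit nonce.
func sealGCM(key, plaintext, aad []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM decrypts and verifies; any bit flip in ciphertext, nonce or AAD fails.
func openGCM(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, aad)
}

// Encrypt generates a fresh DEK for this record, encrypts the description
// under it, then wraps the DEK under the KEK. The risk ID is passed as AAD
// (an assumption of this example) so a ciphertext copied onto another risk
// row cannot be decrypted in its new position.
func Encrypt(kek []byte, riskID string, description []byte) (*EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := []byte(riskID)
	nonce, ct, err := sealGCM(dek, description, aad)
	if err != nil {
		return nil, err
	}
	dekNonce, wrapped, err := sealGCM(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &EnvelopeRecord{WrappedDEK: wrapped, DEKNonce: dekNonce, Ciphertext: ct, Nonce: nonce}, nil
}

// Decrypt unwraps the DEK with the KEK, then decrypts the description.
func Decrypt(kek []byte, riskID string, rec *EnvelopeRecord) ([]byte, error) {
	aad := []byte(riskID)
	dek, err := openGCM(kek, rec.DEKNonce, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := openGCM(dek, rec.Nonce, rec.Ciphertext, aad)
	if err != nil {
		return nil, fmt.Errorf("decrypt description: %w", err)
	}
	return pt, nil
}

func main() {
	// Constructed KEK for the demo; in production it lives in a KMS/HSM, not beside the data.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Encrypt(kek, "risk-42", []byte("Laptop with unencrypted client data stolen from car"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored ciphertext: %x\n", rec.Ciphertext)
	pt, err := Decrypt(kek, "risk-42", rec)
	fmt.Printf("decrypted: %q (err=%v)\n", pt, err)
	_, err = Decrypt(kek, "risk-43", rec) // same row read under another risk ID: AAD mismatch
	fmt.Println("moved to another risk:", err)
}
```

Because GCM is authenticated, the check a practitioner wants is the failure path: a flipped ciphertext bit or a record moved under a different risk ID fails decryption instead of returning garbage. Rotating the KEK then means re-wrapping the small DEKs, not re-encrypting every description.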

Risk Scoring Matrix

Each risk is assessed on two dimensions, each scored from 1 to 5:

  • Likelihood — How probable is it that the risk event will occur? Scored from 1 (rare) to 5 (almost certain).
  • Consequence — What is the potential impact if the risk materialises? Scored from 1 (insignificant) to 5 (catastrophic).

The overall risk score is calculated as likelihood x consequence, producing a score between 1 and 25. Risks are then classified into four severity levels:

  • Low (1-4) — Acceptable risk; monitor periodically.
  • Medium (5-9) — Moderate risk; consider treatment measures.
  • High (10-15) — Significant risk; treatment plan required.
  • Critical (16-25) — Severe risk; immediate action required.

Risk Treatment Options

For each identified risk, you must select a treatment option. ISO 27001 itself does not prescribe a fixed list (Clause 6.1.3 only requires you to select appropriate options and justify them); the four below are the conventional set, which ISO/IEC 27005 calls risk modification, retention, sharing and avoidance:

  1. Accept — Acknowledge the risk and retain it without further treatment. Appropriate for low risks where the cost of treatment exceeds the potential impact. Record the decision and who approved it: Clause 6.1.3 requires the risk owner's acceptance of the residual risk.
  2. Mitigate — Implement controls to reduce the likelihood or consequence of the risk. This is the most common treatment and should reference specific Annex A controls in your SoA.
  3. Transfer — Share the risk with a third party, typically through insurance or outsourcing. Accountability does not transfer with it: the residual risk, the third party's contractual obligations, and the gap between what is covered and what is not must still be managed.
  4. Avoid — Eliminate the risk entirely by removing the activity or asset that creates it. This is appropriate when no acceptable level of residual risk can be achieved.

Heat Map Visualisation

The risk heat map provides a visual overview of your organisation's risk landscape. It plots all risks on a 5x5 grid with likelihood on one axis and consequence on the other. Each cell is colour-coded from green (low) to red (critical), and shows the count of risks in that position. This gives management a quick, at-a-glance understanding of the overall risk posture and helps prioritise treatment efforts.
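The scoring and banding rules from the Risk Scoring Matrix section and the heat-map aggregation described above, worked through as an added example (not code from Standardise): a Go program that validates the 1-5 inputs, computes likelihood x consequence, maps the score onto the four bands, counts risks per heat-map cell, and flags High or Critical risks that have been recorded as accepted. The sample register and the "accept" check are constructed for this illustration.

```go
package main

import "fmt"

type Severity string

const (
	Low      Severity = "Low"
	Medium   Severity = "Medium"
	High     Severity = "High"
	Critical Severity = "Critical"
)

// Risk is the subset of register fields needed for scoring (constructed for this example).
type Risk struct {
	Title       string
	Likelihood  int    // 1 (rare) .. 5 (almost certain)
	Consequence int    // 1 (insignificant) .. 5 (catastrophic)
	Treatment   string // accept, mitigate, transfer, avoid
}

// Score returns likelihood x consequence (1..25), rejecting out-of-range inputs
// rather than silently producing a score the bands do not cover.
func Score(likelihood, consequence int) (int, error) {
	if likelihood < 1 || likelihood > 5 || consequence < 1 || consequence > 5 {
		return 0, fmt.Errorf("likelihood and consequence must be 1..5, got %d and %d", likelihood, consequence)
	}
	return likelihood * consequence, nil
}

// Classify maps a score onto the register's four bands:
// Low 1-4, Medium 5-9, High 10-15, Critical 16-25.
func Classify(score int) Severity {
	switch {
	case score >= 16:
		return Critical
	case score >= 10:
		return High
	case score >= 5:
		return Medium
	default:
		return Low
	}
}

// HeatMap counts risks per cell. grid[l-1][c-1] is the number of risks
// with likelihood l and consequence c.
func HeatMap(risks []Risk) ([5][5]int, error) {
	var grid [5][5]int
	for _, r := range risks {
		if _, err := Score(r.Likelihood, r.Consequence); err != nil {
			return grid, fmt.Errorf("%s: %w", r.Title, err)
		}
		grid[r.Likelihood-1][r.Consequence-1]++
	}
	return grid, nil
}

// TreatmentIssues flags High and Critical risks recorded as accepted: the
// bands say those need a treatment plan or immediate action, so an "accept"
// there is a decision that should be challenged in review.
func TreatmentIssues(risks []Risk) []string {
	var issues []string
	for _, r := range risks {
		s, err := Score(r.Likelihood, r.Consequence)
		if err != nil {
			issues = append(issues, err.Error())
			continue
		}
		if sev := Classify(s); r.Treatment == "accept" && (sev == High || sev == Critical) {
			issues = append(issues, fmt.Sprintf("%s: %s (score %d) recorded as accepted", r.Title, sev, s))
		}
	}
	return issues
}

func main() {
	risks := []Risk{ // constructed sample register
		{"Phishing leads to credential theft", 4, 4, "mitigate"},
		{"Backup restore fails during DR test", 2, 5, "mitigate"},
		{"Printer out of toner", 5, 1, "accept"},
		{"Unpatched VPN appliance exploited", 3, 5, "accept"},
	}
	grid, err := HeatMap(risks)
	if err != nil {
		panic(err)
	}
	// Print with likelihood 5 on the top row and consequence 1..5 left to right;
	// each cell shows the count and the first letter of the cell's band.
	fmt.Println("L/C   1   2   3   4   5")
	for l := 5; l >= 1; l-- {
		fmt.Printf("%-3d", l)
		for c := 1; c <= 5; c++ {
			fmt.Printf("%3d%s", grid[l-1][c-1], string(Classify(l*c))[:1])
		}
		fmt.Println()
	}
	for _, issue := range TreatmentIssues(risks) {
		fmt.Println("WARN:", issue)
	}
}
```

Note that only products of two integers in 1..5 occur, so some values inside the bands (7, 11, 13, 14 and so on) are never produced; the band boundaries still matter at 4/5, 9/10 and 15/16.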

Creating and Editing Risks

Click the Create Risk button to open the risk creation dialog. You will be asked to provide:

  • Title — A concise name for the risk.
  • Description — A detailed explanation of the risk scenario. This field is encrypted at rest.
  • Likelihood and Consequence — Scored 1-5 each.
  • Treatment — Accept, mitigate, transfer, or avoid.
  • Owner — The team member responsible for managing this risk.

All risks can be exported to CSV for reporting, stakeholder review, or integration with external risk management tools.

ISO 27001 Mapping

The Risk Register supports the risk clauses of ISO 27001:2022. Clause 6.1.2 requires organisations to define and apply an information security risk assessment process with consistent criteria, which the 5x5 matrix and the severity bands provide. Clause 6.1.3 requires a risk treatment process that selects treatment options, determines the necessary controls and compares them against Annex A in the Statement of Applicability; this is where the treatment field and its links to SoA controls apply. Clause 8.2 requires risk assessments at planned intervals or when significant changes occur, and Clause 8.3 requires the risk treatment plan to be implemented and its results documented. Together these clauses form the plan-do-check-act cycle for risk management.