Risk Register
What is Risk Register?
Risk Register: A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
A risk register is the central record produced by risk management activities. Each entry typically captures a unique identifier, a clear risk description, affected assets or processes, threat sources, inherent and residual scores, the risk owner, agreed treatment, key controls, and review dates. The register is reviewed at defined intervals and updated when new threats emerge, projects change, or incidents occur. It supports board reporting, internal audit, regulator inquiries, and prioritization of security investment. A well-maintained register avoids both blind spots and risk fatigue by keeping entries actionable rather than turning into a static spreadsheet.
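The fields and review cycle described above map naturally onto a small data model. The following is an added example (not code from this page or any product it mentions) that models one register entry, derives inherent and residual scores, and runs the checks an owner would expect at review time: entries whose residual score still exceeds the organization's tolerance, entries whose review date has passed, and a priority order for reporting. The 1-5 likelihood/impact scale, the 90-day default review interval, the tolerance threshold of 8, and all sample entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class RiskEntry:
    """One row of the register; fields follow the definition above.
    Likelihood and impact use a 1-5 scale (an assumed convention)."""
    risk_id: str
    description: str
    assets: list[str]
    threat_source: str
    owner: str
    likelihood: int            # inherent likelihood, before controls
    impact: int                # inherent impact, before controls
    residual_likelihood: int   # likelihood after the agreed treatment
    residual_impact: int       # impact after the agreed treatment
    treatment: str             # accept | mitigate | transfer | avoid
    key_controls: list[str]
    status: str                # open | in-progress | closed
    last_reviewed: date
    review_interval_days: int = 90   # assumed default review cadence

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact

    def next_review(self) -> date:
        return self.last_reviewed + timedelta(days=self.review_interval_days)

    def review_overdue(self, today: date) -> bool:
        return today > self.next_review()


class RiskRegister:
    """In-memory register applying the consistency checks a reviewer would want."""

    def __init__(self, tolerance: int):
        self.tolerance = tolerance          # highest acceptable residual score
        self.entries: dict[str, RiskEntry] = {}

    def add(self, e: RiskEntry) -> None:
        if e.risk_id in self.entries:
            raise ValueError(f"duplicate id {e.risk_id}")
        for v in (e.likelihood, e.impact, e.residual_likelihood, e.residual_impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{e.risk_id}: scores must be on the 1-5 scale")
        # treatment may leave a risk unchanged (accept) but never make it worse
        if e.residual_score() > e.inherent_score():
            raise ValueError(f"{e.risk_id}: residual score exceeds inherent score")
        if e.treatment not in ("accept", "mitigate", "transfer", "avoid"):
            raise ValueError(f"{e.risk_id}: unknown treatment {e.treatment!r}")
        self.entries[e.risk_id] = e

    def overdue(self, today: date) -> list[str]:
        return sorted(i for i, e in self.entries.items() if e.review_overdue(today))

    def above_tolerance(self) -> list[str]:
        # closed entries are retained for the audit trail but no longer count
        return sorted(i for i, e in self.entries.items()
                      if e.status != "closed" and e.residual_score() > self.tolerance)

    def prioritized(self) -> list[str]:
        # highest residual first; ties broken by id so reports are stable
        return [e.risk_id for e in sorted(self.entries.values(),
                                          key=lambda e: (-e.residual_score(), e.risk_id))]

    def summary(self, today: date) -> dict:
        return {"priority": self.prioritized(),
                "above_tolerance": self.above_tolerance(),
                "review_overdue": self.overdue(today)}


def build_sample_register() -> RiskRegister:
    """Constructed sample entries; none describe a real organization."""
    reg = RiskRegister(tolerance=8)
    reg.add(RiskEntry("R-001", "Ransomware on file servers", ["file-srv-01"],
                      "criminal group", "CISO", 4, 5, 2, 4, "mitigate",
                      ["offline backups", "EDR"], "open", date(2024, 1, 15)))
    reg.add(RiskEntry("R-002", "Vendor outage of payroll SaaS", ["payroll"],
                      "third party", "CFO", 3, 3, 3, 3, "accept",
                      [], "open", date(2024, 3, 1), review_interval_days=180))
    reg.add(RiskEntry("R-003", "Lost unencrypted laptop", ["laptops"],
                      "opportunistic theft", "IT manager", 4, 4, 2, 1, "mitigate",
                      ["full-disk encryption"], "closed", date(2024, 3, 20)))
    return reg


def sample_summary(today_iso: str) -> dict:
    """Run the review checks on the sample register as of the given ISO date."""
    return build_sample_register().summary(date.fromisoformat(today_iso))


if __name__ == "__main__":
    for k, v in sample_summary("2024-04-30").items():
        print(f"{k}: {v}")
```

Note that R-002 is the entry that surfaces as above tolerance even though its inherent score is the lowest of the three: an accepted risk keeps its full score, which is exactly the kind of entry a register review should force a conscious decision on rather than letting it sit unchanged.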
● Examples
- 01
GRC tool tracking 250 enterprise risks with quarterly reviews.
- 02
Project risk register feeding into the enterprise risk register at the steering committee.
● Frequently asked questions
What is Risk Register?
A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Risk Register mean?
A living inventory of identified risks with their description, owner, scores, treatment, and status, used to track the organization's exposure over time.
How does Risk Register work?
A risk register is the central record produced by risk management activities. Each entry typically captures a unique identifier, a clear risk description, affected assets or processes, threat sources, inherent and residual scores, the risk owner, agreed treatment, key controls, and review dates. The register is reviewed at defined intervals and updated when new threats emerge, projects change, or incidents occur. It supports board reporting, internal audit, regulator inquiries, and prioritization of security investment. A well-maintained register avoids both blind spots and risk fatigue by keeping entries actionable rather than turning into a static spreadsheet.
How do you defend against Risk Register?
Defences for Risk Register typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Risk Register?
Common alternative names include: Risk log, Cyber risk register.
● Related terms
- compliance № 936
Risk Management
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- compliance № 935
Risk Assessment
A structured activity within risk management that identifies threats, vulnerabilities, and impacts on specific assets and rates the resulting risk to support treatment decisions.
- compliance № 939
Risk Treatment
The decision and actions taken to modify a risk, typically by accepting, mitigating, transferring, or avoiding it, based on the organization's risk criteria.
- compliance № 923
Residual Risk
The risk that remains after planned controls and treatments have been applied, which the organization must either accept, transfer, or treat further.
- compliance № 383
Enterprise Risk Management (ERM)
An integrated, organization-wide approach to identifying, governing, and treating strategic, financial, operational, compliance, and cyber risks in line with business objectives.
- compliance № 557
ISO/IEC 27001
The international standard specifying requirements for an Information Security Management System (ISMS), against which organizations can be formally certified.
● See also
- № 938 Risk Tolerance
- № 534 Inherent Risk
- № 888 Qualitative Risk Analysis