The risk register is the central document of your risk management process. It consolidates everything from risk identification, analysis, and evaluation — every information security risk with its description, assessment, owner, and current treatment status.
ISO 27001 requires a documented risk assessment process (Clause 6.1) and its regular execution (Clause 8.2). ISO 27005 provides the methodological framework. The risk register is where these requirements materialise into a concrete, auditable document.
What does it contain?
The CSV template covers the full risk assessment cycle. Key columns:
- Risk ID and title — unique identifier and a clear description of the scenario
- Risk source, threat, vulnerability — the three components that give rise to the risk
- Affected assets — link to the asset register
- Likelihood and impact — each on a defined scale
- Risk level — calculated from likelihood and impact
- Risk owner — the person who decides on treatment
- Treatment decision and status — what is being done about the risk, and how far along its implementation is
How to use it
Build it during risk analysis. The register is populated during risk identification and analysis. For each asset in the asset register, you examine which threats and vulnerabilities are relevant. Each plausible combination yields a risk scenario — one entry in the register. This process works best as a workshop with IT, business departments, and senior management.
Assessment and prioritisation. Each risk is assessed by likelihood and impact. The resulting risk level determines priority. Risks above the defined acceptance threshold must be treated — the treatment decision is documented directly in the register.
A living document. The risk register is an ongoing effort. After the initial build, it is updated whenever material changes occur: new systems, organisational restructuring, evolving threat landscapes, security incidents. The annual ISMS review checks completeness.
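The column set listed above and the likelihood times impact scoring used in the assessment step can be checked mechanically before an audit. The script below is an added example, not the page's template or any tooling of its own: it reads a register exported in the English column layout shown in the sample table, recomputes Max Impact, the inherent and residual scores and levels, and flags rows with no owner, no treatment decision, or a residual risk above the acceptance threshold that is nevertheless marked as accepted. The banding (1-4 Low, 5-9 Medium, 10-15 High, 16-25 Critical) and the rule that only Low and Medium residual risk may be accepted are assumptions read off the sample rows; the rows R-001, R-004 and R-006 are taken from the sample register, and R-008 is a constructed row with deliberate defects so the checks have something to report.

```python
"""Consistency checks for a risk register exported as CSV (added example)."""
import csv
import io
from dataclasses import dataclass

# Assumed banding derived from the sample register: score = likelihood x max impact.
BANDS = ((4, "Low"), (9, "Medium"), (15, "High"), (25, "Critical"))
# Assumed acceptance threshold: only Low and Medium residual risk may be accepted.
ACCEPTABLE_LEVELS = {"Low", "Medium"}
IMPACT_COLUMNS = ("Impact Financial", "Impact Operational", "Impact Reputational",
                  "Impact Legal/Regulatory", "Impact Health/Safety")

# Constructed sample: three rows copied from the page's register plus R-008,
# which has no owner, a miscomputed Inherent Score, and accepts a High residual risk.
SAMPLE_REGISTER = """\
ID,Risk Title,Description,Asset / Process,Threat,Vulnerability,Owner,Likelihood (1-5),Impact Financial,Impact Operational,Impact Reputational,Impact Legal/Regulatory,Impact Health/Safety,Max Impact,Inherent Score,Inherent Risk Level,Existing Controls,Residual Likelihood,Residual Max Impact,Residual Score,Residual Risk Level,Treatment Decision,Status
R-001,Ransomware on file servers,Attackers encrypt central file share and backup shares via compromised admin account,File server FS-01 + central SMB share,Ransomware,"Flat admin network, shared backup credentials",IT Operations Lead,4,5,5,5,4,1,5,20,Critical,"EDR, MFA on admin accounts, offline backups, partial network segmentation",2,4,8,Medium,Mitigate,Open
R-004,Supplier outage affecting logistics portal,Critical SaaS provider suffers 8h outage during peak period,Logistics portal (SaaS),Supplier outage,"Single provider, no fallback process",IT Operations Lead,3,4,4,3,2,1,4,12,High,"SLA, incident monitoring, manual fallback checklist",3,3,9,Medium,Accept with monitoring,Open
R-006,Loss of historical marketing assets due to local hardware failure,Old campaign creatives stored on a single workstation are lost when its disk fails,Marketing workstation MW-07,Hardware failure,No automated backup of local creative folder,Marketing Lead,2,2,1,2,1,1,2,4,Low,Files older than 12 months are not business-critical,2,2,4,Low,Accept,Accepted
R-008,Loss of unencrypted laptop,Constructed row with deliberate defects,Sales laptops,Theft,No full-disk encryption,,3,2,2,4,5,1,5,12,High,Asset tagging,3,4,12,High,Accept,Open
"""


def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact, both on the 1-5 scale, giving a score in 1..25."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError(f"likelihood/impact out of range: {likelihood}, {impact}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a 1..25 score onto the assumed Low/Medium/High/Critical bands."""
    for upper, name in BANDS:
        if score <= upper:
            return name
    raise ValueError(f"score out of range: {score}")


@dataclass(frozen=True)
class Finding:
    risk_id: str
    message: str


def validate_register(csv_text: str) -> list:
    """Recompute the derived columns and flag inconsistent or incomplete rows."""
    findings = []
    seen_ids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["ID"].strip()
        if rid in seen_ids:
            findings.append(Finding(rid, "duplicate risk ID"))
        seen_ids.add(rid)
        if not row["Owner"].strip():
            findings.append(Finding(rid, "no risk owner assigned"))

        # Inherent assessment: the worst of the five impact dimensions times likelihood.
        max_impact = max(int(row[c]) for c in IMPACT_COLUMNS)
        if max_impact != int(row["Max Impact"]):
            findings.append(Finding(rid, f"Max Impact should be {max_impact}"))
        inherent = risk_score(int(row["Likelihood (1-5)"]), max_impact)
        if inherent != int(row["Inherent Score"]):
            findings.append(Finding(rid, f"Inherent Score should be {inherent}"))
        if risk_level(inherent) != row["Inherent Risk Level"].strip():
            findings.append(Finding(rid, f"Inherent Risk Level should be {risk_level(inherent)}"))

        # Residual assessment after the existing controls are taken into account.
        residual = risk_score(int(row["Residual Likelihood"]), int(row["Residual Max Impact"]))
        if residual != int(row["Residual Score"]):
            findings.append(Finding(rid, f"Residual Score should be {residual}"))
        residual_level = risk_level(residual)
        if residual_level != row["Residual Risk Level"].strip():
            findings.append(Finding(rid, f"Residual Risk Level should be {residual_level}"))

        # Acceptance threshold: a High or Critical residual risk cannot simply be accepted.
        decision = row["Treatment Decision"].strip()
        if not decision:
            findings.append(Finding(rid, "no treatment decision recorded"))
        elif decision.lower().startswith("accept") and residual_level not in ACCEPTABLE_LEVELS:
            findings.append(Finding(rid, f"{residual_level} residual risk accepted without treatment"))
    return findings


if __name__ == "__main__":
    for finding in validate_register(SAMPLE_REGISTER):
        print(f"{finding.risk_id}: {finding.message}")
```

Run against a real export, the script reports only R-008-style defects; the three rows taken from the page pass every check, including R-004, whose "Accept with monitoring" is permitted because its residual level is Medium. Adjust `BANDS` and `ACCEPTABLE_LEVELS` to the thresholds your own methodology defines.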
| ID | Risk Title | Description | Asset / Process | Threat | Vulnerability | Owner | Likelihood (1-5) | Impact Financial | Impact Operational | Impact Reputational | Impact Legal/Regulatory | Impact Health/Safety | Max Impact | Inherent Score | Inherent Risk Level | Existing Controls | Residual Likelihood | Residual Max Impact | Residual Score | Residual Risk Level | Treatment Decision | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Ransomware on file servers | Attackers encrypt central file share and backup shares via compromised admin account | File server FS-01 + central SMB share | Ransomware | Flat admin network, shared backup credentials | IT Operations Lead | 4 | 5 | 5 | 5 | 4 | 1 | 5 | 20 | Critical | EDR, MFA on admin accounts, offline backups, partial network segmentation | 2 | 4 | 8 | Medium | Mitigate | Open |
| R-002 | Phishing leading to credential compromise | Employee enters credentials on cloned M365 login page | All user accounts | Phishing | User awareness gap, no phishing-resistant MFA | ISO | 4 | 4 | 3 | 4 | 3 | 1 | 4 | 16 | Critical | Mail filter, awareness training, phishing simulations, MFA (TOTP) | 3 | 3 | 9 | Medium | Mitigate | Open |
| R-003 | Insider data exfiltration via personal email | Leaving employee sends customer list to private Gmail | Customer database | Malicious insider | Weak DLP on outbound email, broad CRM access | HR Lead | 2 | 3 | 2 | 4 | 4 | 1 | 4 | 8 | Medium | NDA, role-based access, leaver process | 2 | 3 | 6 | Medium | Mitigate | Open |
| R-004 | Supplier outage affecting logistics portal | Critical SaaS provider suffers 8h outage during peak period | Logistics portal (SaaS) | Supplier outage | Single provider, no fallback process | IT Operations Lead | 3 | 4 | 4 | 3 | 2 | 1 | 4 | 12 | High | SLA, incident monitoring, manual fallback checklist | 3 | 3 | 9 | Medium | Accept with monitoring | Open |
| R-005 | GDPR breach via misconfigured S3 bucket | Public bucket exposes 2000 customer records | Marketing bucket s3://nwl-marketing | Misconfiguration | No IaC review, no scheduled bucket audit | DPO | 3 | 3 | 2 | 5 | 5 | 1 | 5 | 15 | High | Quarterly config audit, bucket policy template | 2 | 4 | 8 | Medium | Mitigate | In treatment |
| R-006 | Loss of historical marketing assets due to local hardware failure | Old campaign creatives stored on a single workstation are lost when its disk fails | Marketing workstation MW-07 | Hardware failure | No automated backup of local creative folder | Marketing Lead | 2 | 2 | 1 | 2 | 1 | 1 | 2 | 4 | Low | Files older than 12 months are not business-critical and can be re-created or are available from agency partners | 2 | 2 | 4 | Low | Accept | Accepted |
| R-007 | Storage of cardholder data in own ERP | Storing full PAN in the ERP would bring the company into PCI DSS scope and create high regulatory and reputational exposure | ERP (AST-007) | Unauthorised disclosure of cardholder data | No tokenisation; no PCI-compliant segmentation | CFO | 3 | 5 | 2 | 5 | 5 | 1 | 5 | 15 | High | N/A — risk eliminated by design | 1 | 1 | 1 | Low | Avoid | Avoided — payments outsourced to PCI-DSS Level 1 provider (Stripe), no PAN ever touches own systems |
Sources
- ISO/IEC 27001:2022, Clause 6.1 — actions to address risks and opportunities
- ISO/IEC 27001:2022, Clause 8.2 — information security risk assessment
- ISO/IEC 27005:2022 — guidance on managing information security risks