A centralised cyber security risk register is a document that includes information about an organisation’s threat environment.
It contains information on potential cyber security risks. Usually it acts as evidence that an organisation has implemented an ISMS (information security management system).
Risk registers are essential for organisations implementing ISO 27001, as it’s one of the first things that auditors review when assessing the company’s compliance posture.
But how do you create a cyber security risk register? We explain everything you need to know in this blog.
How do centralised risk registers work?
A centralised risk register often takes the form of a spreadsheet. However, there are dedicated software tools, such as vsRisk, that organisations can use to help complete the process.
However they are produced, they should contain a list of every risk the organisation has identified and their scores according to its risk evaluation process.
The risk register also prioritises risks depending on their scores and documents the status of existing controls to address the risk and plans to review or strengthen those controls.
By completing a risk register, organisations are not only meeting their compliance objectives. There are also significant benefits to their security and operational efficiency.
For example, they provide central visibility over your complete threat landscape and the way security incidents may affect your business.
They also ensure that risks are assigned to an appropriate member of staff or team, and that these are reviewed whenever there are organisational changes or an employee leaves.
Another benefit is that it helps organisations prepare their risk treatment options, enabling them to invest in appropriate controls to reduce the likelihood of an incident occurring or the damage that it will cause if it does occur.
Developing a cyber security risk register
The cyber security risk register is developed in four stages, following the framework outlined in ISO 27005:
1. Risk identification
Your first task is to determine any risks that can affect the confidentiality, integrity and availability of the information you store.
You can learn more about risk identification by reading our blog: The information security risk assessment: identifying threats.
2. Risk analysis
In this part of the process, you must identify the threats and vulnerabilities that apply to each asset.
For instance, the threat could be ‘theft of mobile device’, and the vulnerability could be ‘lack of formal policy for mobile devices’. Assign impact and likelihood values based on your risk criteria.
3. Risk evaluation
Next, you need to evaluate the severity of each risk. Some risks are more severe than others, so you need to determine which ones you need to be most concerned about at this stage.
This is where your risk criteria come in handy. It provides a guide that helps you compare risks by assigning a score to the likelihood of it occurring and the damage it will cause.
4. Risk treatment
Finally, you need to decide how to address each risk. You can avoid the risk by eliminating any activity that causes it, modify the risk by applying security controls, share the risk with a third party or retain the risk if it doesn’t pose a significant danger.
Once you’ve completed that process, you are ready to go. However, you should regularly review the risk register – ideally quarterly – to make sure the information is accurate and up to date.
For example, you should be sure that risks are identified to the correct individual, which may not be the case if an employee changes roles or leaves the organisation.
Likewise, organisational changes may alter the way risks affect your organisation and can create new ones.
You probably won’t have time to conduct a complete risk identification process each quarter (although you should do this annually). However, it’s worth keeping an eye on the way such changes affect you and making adjustments accordingly.
Finally, the review should factor in how effective your controls are at tackling risks. If they aren’t working as intended, you should consider how they can be adjusted or strengthened.
How to get started
A centralised risk register plays a vital role in your risk management process, so it’s essential that you get started on the right foot.
With our risk assessment tool vsRisk, you can be sure of that. It provides a fast and straightforward way to create your risk assessment methodology and deliver repeatable, consistent assessments year after year.
You’ll get support with the entire risk assessment process, from identifying risks and creating relevant documentation to reviewing your practices and making improvements.
Meanwhile, its integrated risk, vulnerability and threat databases simplify the risk identification process, and its built-in control sets help you comply with multiple frameworks.
We’re currently offering a free 30-day trial of vsRisk. Simply add the number of licenses you require to your basket and proceed to the checkout.