Risk Register Template
Use this page to download a ready-to-use Risk Register Template with built-in formulas and examples. If you’re building a complete ISMS, pair it with a documented policy pack too.
Download Risk Register Template (Excel)
Download Information Security Policy Template (Word Format)
Every organization—whether a startup, SME, or enterprise—operates in the presence of risk. Cyber incidents, third-party failures, regulatory fines, outages, and even well-meaning process mistakes can interrupt operations and cost real money. You cannot remove every source of risk, but you can manage it systematically. The most practical way to start is with a simple, disciplined tool: a Risk Register.
A risk register is a structured log of your organization’s risks, the likelihood and impact of each, and the actions you’ll take to reduce them. It becomes your single source of truth for risk visibility, prioritization, and accountability. In this guide, you’ll learn what a risk register is, why you need one, how to map risks step-by-step, and how to use our downloadable template to keep risks under control throughout the year.
Your register can live in Excel, Google Sheets, or a GRC platform. Many teams start with Excel because it’s fast, portable, and easy to customize. Our downloadable template includes built-in formulas for risk scoring, example entries, and a “how to use” sheet so your team can begin immediately.
Why You Need a Risk Register
Risks that are never written down tend to be overlooked, because nobody is accountable for them and nobody is asked about them. A risk register fixes that by introducing a repeatable structure. Here’s why it matters:
- Visibility and focus: Put all risks in one place so teams can see what truly threatens objectives.
- Prioritization: Compare risks side-by-side using a likelihood × impact score and focus effort where it matters most.
- Accountability: Assign an owner to each risk—no more “someone should handle this.”
- Momentum and tracking: Use statuses and review dates to keep mitigation moving.
- Compliance and audit readiness: Demonstrate a consistent, evidence-based approach to risk. ISO 27001 (clauses 6.1.2 and 8.2) requires a documented, repeatable risk assessment; SOC 2, GDPR, and DORA auditors and supervisors likewise expect to see how risks were identified, scored, and treated.
- Better decision-making: Leadership can balance cost, speed, and risk with data—not guesswork.
Without a register, organizations face recurring surprises, duplicated effort, and poor handoffs. A concise register turns risk into a manageable workload.
How to Map Risks (Step-by-Step)
“Risk mapping” is the process of identifying, categorizing, assessing, and prioritizing risks before they materialize. Below is a simple, dependable workflow your team can repeat each quarter.
Step 1: Identify Risks
Start broad. Gather inputs from operations, IT, finance, legal, HR, vendors, and leadership. Use:
- Workshops and interviews: Ask teams what could stop them from meeting goals.
- Incident and ticket history: Mine past outages, security incidents, and audit findings.
- Change calendars: Migrations, new vendors, and product launches often introduce risk.
- External drivers: Regulatory changes, market shifts, geopolitical events, weather.
- Standards and checklists: ISO 27001 Annex A, SOC 2 criteria, DORA operational resilience requirements.
Write each risk as a single, clear sentence with a cause, an event, and a consequence: If X happens, Y impact occurs because Z. “Because Z” should name the weakness or condition that makes the event possible; that is what your mitigation will target.
Step 2: Categorize Risks
Grouping risks into categories makes the register clearer and reporting more straightforward. Common buckets include:
- Cybersecurity (e.g., account takeover, ransomware, insecure APIs)
- Operational (e.g., single points of failure, capacity constraints)
- Financial (e.g., currency exposure, credit risk)
- Legal/Compliance (e.g., GDPR fines, audit findings)
- Third-Party/Vendor (e.g., SLA breaches, data processing risks)
- Business/Strategic (e.g., product misalignment, concentration risk)
- Health & Safety, Environmental (as applicable)
Use consistent, organization-wide categories. This makes trend analysis and board reporting far cleaner.
Step 3: Assess Likelihood and Impact
Use a simple 1–5 scale so everyone scores the same way:
- Likelihood: 1 = Rare, 2 = Unlikely, 3 = Possible, 4 = Likely, 5 = Almost certain
- Impact: 1 = Minimal, 2 = Low, 3 = Moderate, 4 = Major, 5 = Severe/Catastrophic
Support scoring with evidence: metrics, incidents, pen test results, audit reports, supplier risk ratings, and DPIA outputs (see how to conduct a DPIA).
Step 4: Calculate the Risk Score
The simplest, most transparent method is Risk Score = Likelihood × Impact. Our template calculates this automatically. Scores range from 1 to 25:
- 1–5 = Low
- 6–10 = Moderate
- 12–15 = High
- 16–25 = Critical
Two caveats. First, the product of two 1–5 scores can only be 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 15, 16, 20, or 25, so values such as 11, 13, or 14 never occur and the gap between the Moderate and High bands is not a real gap. Second, the formula treats likelihood and impact symmetrically: a near-certain minor event (5 × 1) scores the same as a rare catastrophic one (1 × 5). If that does not match your appetite, weight impact (for example, score Impact 5 events as High regardless of likelihood) and document the rule.
You can adjust thresholds to your risk appetite. For example, regulated industries may treat scores ≥ 12 as requiring immediate action.
Step 5: Prioritize and Plan Mitigation
Sort by score and start at the top. For each high/critical risk, define proportionate, actionable mitigations:
- Preventive: MFA, network segmentation, hardening, training, vendor due diligence.
- Detective: Logging, alerting, anomaly detection, reconciliations.
- Corrective/Recovery: Backups, failover procedures, incident runbooks.
- Transference: Contracts, cyber insurance, escrow arrangements.
- Acceptance: When mitigation costs exceed realistic impact (document rationale).
Link mitigations to your policies and controls. If you’re formalizing an ISMS, map them to ISO 27001 Annex A controls and record the rationale in your Statement of Applicability.
How to Use This Risk Register Template
The template includes these columns: Risk ID, Risk Description, Category, Likelihood (1–5), Impact (1–5), Risk Score (L×I), Mitigation Measures, Owner, Status, and Review Date. Below is exactly how to complete each field with tips and examples.
1) Risk ID
Assign a unique, readable code such as R001, R002. Consider prefixes per department or program (e.g., CYB- for cybersecurity, OPS- for operations). Example: CYB-014.
2) Risk Description
Write the risk in plain language with cause and consequence. Example: Credential stuffing against public login could lead to account takeover and sensitive data exposure.
3) Category
Pick one primary category for reporting simplicity. If a risk spans multiple areas, choose the dominant theme and capture secondary elements in the mitigation notes.
4) Likelihood (1–5)
Rate how probable the event is over your planning horizon (e.g., 12 months). Use recent incidents, threat intel, and business change to avoid “gut feel.”
5) Impact (1–5)
Consider financial loss, downtime, data confidentiality/integrity/availability, safety, legal exposure, and reputation. When in doubt, score conservatively (the higher value) and refine the score at the next review once you have better evidence.
6) Risk Score (L×I)
The template auto-calculates this value with the formula in the “Risk Score” column. Add data validation that restricts the Likelihood and Impact cells to whole numbers from 1 to 5, so a blank, a text value, or a 7 cannot silently produce a wrong or empty score. Highlight high-priority risks by applying filters or conditional formatting.
7) Mitigation Measures
List concrete steps, not aspirations. Good mitigations are specific, time-bound, and mapped to controls. Examples:
- Enforce MFA for all remote access by Q3.
- Implement vendor risk assessments and DPAs for all new processors (see GDPR basics).
- Encrypt the customer database at rest and enforce TLS for all connections to it.
- Introduce RTO/RPO targets and quarterly restore tests.
8) Owner
Assign a single accountable person (not a committee). For cross-functional risks, name a lead who coordinates across teams.
9) Status
Keep statuses simple: Open, In Progress, Closed. Optionally add Accepted with documented justification when the residual risk is within appetite.
10) Review Date
Set a realistic re-evaluation date. High/critical risks might be reviewed monthly; moderate risks quarterly; low risks semi-annually. Tie reviews to governance routines like your surveillance audit rhythm or quarterly business reviews.
Example Rows
Risk ID | Risk Description | Category | Likelihood (1–5) | Impact (1–5) | Risk Score (L×I) | Mitigation Measures | Owner | Status | Review Date |
---|---|---|---|---|---|---|---|---|---|
CYB-001 | Data breach due to weak passwords on customer portal | Cybersecurity | 4 | 5 | 20 | Enforce MFA, disable legacy auth, password policy, credential stuffing detection | IT Manager | In Progress | 2025-09-30 |
OPS-003 | Single point of failure in order processing service | Operational | 3 | 4 | 12 | Add active-active nodes, autoscaling, health checks, runbook for failover | Platform Lead | Open | 2025-10-15 |
VND-005 | Critical vendor may miss SLA during peak season | Third-Party | 3 | 5 | 15 | Implement capacity tests, penalty clauses, secondary vendor on framework agreement | Procurement Head | Open | 2025-11-01 |
FIN-007 | Unexpected FX movement affecting margin | Financial | 2 | 4 | 8 | Introduce hedging threshold policy, monthly variance review, board reporting | CFO | Open | 2025-12-01 |
COM-010 | Non-compliance with data retention schedule | Legal/Compliance | 3 | 4 | 12 | Automated retention rules, legal hold process, quarterly audits (see GDPR guide) | Compliance Manager | In Progress | 2025-09-20 |
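The scoring, banding, and prioritization steps above are simple enough to reproduce outside the spreadsheet, which is useful when the register is exported to CSV for a GRC tool, a dashboard, or an audit evidence pack. The following Python script is an added example written for this guide; it is not the formulas in the downloadable template. It takes the five example rows above, re-entered as a constructed inline CSV, validates the 1–5 scales (a blank or out-of-range cell fails loudly instead of scoring 0), computes the inherent score and band using the thresholds from Step 4, sorts High and Critical risks first, and flags review dates that have passed. The residual likelihood/impact columns and the `as_of` date are assumptions added to illustrate the optional residual scoring mentioned under Advanced Tips.

```python
"""Score, band, and prioritize a risk register exported as CSV.

Added example for this guide, not the template's own formulas. The input below
is the page's five example rows plus assumed residual scores (constructed data).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Band floors from Step 4. With two 1-5 scales the product can only be
# 1,2,3,4,5,6,8,9,10,12,15,16,20,25, so the 6-10 / 12-15 split has no real gap.
BANDS = [(16, "Critical"), (12, "High"), (6, "Moderate"), (1, "Low")]
SCALE = range(1, 6)

# Constructed sample: the page's example rows; residual columns are assumed.
REGISTER_CSV = """risk_id,description,category,likelihood,impact,residual_likelihood,residual_impact,owner,status,review_date
CYB-001,Data breach due to weak passwords on customer portal,Cybersecurity,4,5,2,5,IT Manager,In Progress,2025-09-30
OPS-003,Single point of failure in order processing service,Operational,3,4,1,4,Platform Lead,Open,2025-10-15
VND-005,Critical vendor may miss SLA during peak season,Third-Party,3,5,2,3,Procurement Head,Open,2025-11-01
FIN-007,Unexpected FX movement affecting margin,Financial,2,4,2,2,CFO,Open,2025-12-01
COM-010,Non-compliance with data retention schedule,Legal/Compliance,3,4,2,3,Compliance Manager,In Progress,2025-09-20
"""


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: int
    impact: int
    residual_likelihood: int
    residual_impact: int
    owner: str
    status: str
    review_date: date

    @property
    def score(self) -> int:          # inherent score, L x I
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:  # score after implemented controls
        return self.residual_likelihood * self.residual_impact


def band(score: int) -> str:
    """Map a 1-25 score to Low / Moderate / High / Critical using the page's floors."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1-25")
    return next(label for floor, label in BANDS if score >= floor)


def _scale(value: str, field: str, risk_id: str) -> int:
    """Enforce the 1-5 whole-number scale; bad cells must fail, not silently score 0."""
    try:
        n = int(value)
    except ValueError:
        raise ValueError(f"{risk_id}: {field} must be a whole number, got {value!r}") from None
    if n not in SCALE:
        raise ValueError(f"{risk_id}: {field} must be 1-5, got {n}")
    return n


def load_register(text: str) -> list[Risk]:
    """Parse the CSV, validating every scale cell and rejecting duplicate IDs."""
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        rid = row["risk_id"]
        scales = {f: _scale(row[f], f, rid)
                  for f in ("likelihood", "impact", "residual_likelihood", "residual_impact")}
        risks.append(Risk(rid, row["description"], row["category"], **scales,
                          owner=row["owner"], status=row["status"],
                          review_date=date.fromisoformat(row["review_date"])))
    if len({r.risk_id for r in risks}) != len(risks):
        raise ValueError("duplicate risk IDs")  # owners and evidence links would be ambiguous
    return risks


def prioritize(risks: list[Risk], as_of: str, min_band: str = "High") -> list[dict]:
    """Open risks at or above min_band, highest score first, with an overdue-review flag."""
    today = date.fromisoformat(as_of)
    rank = {label: i for i, (_, label) in enumerate(BANDS)}  # Critical=0 ... Low=3
    out = []
    for r in sorted(risks, key=lambda r: (-r.score, r.risk_id)):
        if r.status != "Closed" and rank[band(r.score)] <= rank[min_band]:
            out.append({"risk_id": r.risk_id, "score": r.score, "band": band(r.score),
                        "residual": r.residual_score, "residual_band": band(r.residual_score),
                        "overdue": r.review_date < today, "owner": r.owner})
    return out


if __name__ == "__main__":
    for row in prioritize(load_register(REGISTER_CSV), as_of="2025-10-01"):
        print(row)
```

Run against the sample as of 2025-10-01, it lists CYB-001 (20, Critical, review overdue), VND-005 (15, High), COM-010 (12, High, overdue) and OPS-003 (12, High); FIN-007 (8, Moderate) drops below the `min_band` filter. The residual band beside each inherent band is what the "Accepted" status should be judged against: CYB-001 drops to Moderate only once MFA and the other listed controls are actually in place.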
Operationalizing Your Register: Reviews, Reporting, and Evidence
A useful register is a living document. Build a calendar that keeps it moving:
- Monthly: Review high and critical risks, update statuses and mitigations.
- Quarterly: Re-score all risks, close completed items, add new risks from change initiatives.
- Before audits: Confirm evidence links (policies, change tickets, test results) and ensure owners are prepared to discuss mitigations. For ISO work, align with your ISO 27001 audit process.
- After incidents: Log post-incident risks and residual issues; trace corrective actions to closure.
Keep a short narrative for high-profile risks: context, last actions, next steps. This makes board and exec reporting effortless.
Common Pitfalls and How to Avoid Them
- Vague descriptions: Write risks clearly with cause and consequence.
- Too many categories: Limit to 6–8 so reporting stays meaningful.
- “Set and forget”: Use review dates and governance to force updates.
- No owner: Every risk needs a single accountable person.
- Unbounded mitigations: Convert ideas into measurable tasks with deadlines.
- Over-engineering: Start with Excel; move to GRC tools later if you outgrow the sheet.
Linking the Register to Your ISMS and Compliance Roadmap
Treat the register as the backbone of your ISMS. Each risk should point to the policy or control that addresses it. If you are new to policy writing, grab our Information Security Policy Template and adapt it to your context. Then, map each control to risks in the register and declare the rationale in the Statement of Applicability.
For teams targeting SOC 2, align risks with Trust Services Criteria and ensure mitigating controls are tested and evidenced (change tickets, screenshots, logs). See How to Get SOC 2 Certification and SOC 2 Compliance Requirements for specifics.
If you operate in the EU financial sector or provide critical services, incorporate operational resilience scenarios per DORA. Our What is DORA Compliance? primer and the DORA Compliance Checklist help structure those exercises.
Advanced Tips: Making the Register Work Harder
- Conditional formatting: Color-code Risk Score bands (e.g., ≥16 red; 12–15 amber; ≤10 green).
- Views per audience: Create filters: “High/Critical only,” “By Owner,” “By Category,” “Due this month.”
- Link evidence: Paste URLs to tickets, diagrams, test results, or DPIA outputs inside the mitigation cell or a notes column.
- Rationale log: Add a short “Why this score?” note for transparency and continuity across staff changes.
- Residual scoring: Add optional columns for “Residual Likelihood/Impact/Score” after mitigations. Score residual risk against controls that are actually implemented and evidenced, not controls that are planned; otherwise the residual column overstates your position to the board and to auditors.
- Roadmaps: Create a pivot of mitigations by quarter; this becomes your risk reduction plan.
Putting It All Together
Here’s a simple rollout you can complete in a week:
- Download the template (links at the top of this page).
- Hold a 60–90 minute risk identification workshop with key functions.
- Score and prioritize the top 20 risks together using the 1–5 scale.
- Assign owners and agree first mitigations with dates.
- Book a 30-minute monthly review and a deeper quarterly refresh.
- Map each risk to a policy/control and update your SoA and audit evidence.
Conclusion
A risk register helps transform uncertainty into structured, trackable actions. It centralizes your risks, makes prioritization objective, assigns clear ownership, and keeps mitigation moving. Whether your goal is tighter operational discipline or certification under ISO 27001 or SOC 2, this single document brings visibility and accountability to the entire risk lifecycle.
Keep the register lean at first, focus on simplicity, and refine it over time. As your program matures, your register will become the heartbeat of your governance meetings, audit preparation, and strategic decisions.