Initial commit
This commit is contained in:
Paul Jenkins
65
04-registers/risk-register-template.md
Normal file
65
04-registers/risk-register-template.md
Normal file
@@ -0,0 +1,65 @@
|
||||
Title: Risk Register Template
|
||||
Document ID: [REG-RISK-001]
|
||||
Version: 0.1 Draft
|
||||
Status: Draft
|
||||
Owner: CISO (Paul Jenkins)
|
||||
Approver: CISO (Paul Jenkins)
|
||||
Classification: Internal
|
||||
Effective date: [DD Month YYYY]
|
||||
Review date: [DD Month YYYY]
|
||||
|
||||
# Risk Register Template
|
||||
|
||||
## Purpose
|
||||
|
||||
This template provides the structure for recording and tracking information security risks identified within the ISMS scope.
|
||||
|
||||
## Scope
|
||||
|
||||
This register applies to strategic, operational, project, supplier, exception, and incident-related information security risks.
|
||||
|
||||
## Data Fields / Expected Columns
|
||||
|
||||
The risk register should record at least:
|
||||
|
||||
- risk ID
|
||||
- date identified
|
||||
- risk title
|
||||
- affected asset, service, process, or supplier
|
||||
- risk description
|
||||
- threat and vulnerability summary
|
||||
- impact rating
|
||||
- likelihood rating
|
||||
- overall risk rating
|
||||
- treatment decision
|
||||
- treatment actions
|
||||
- risk owner
|
||||
- target date
|
||||
- status
|
||||
- review date
|
||||
- linked records or evidence
|
||||
|
||||
## Ownership
|
||||
|
||||
This register should be owned by [Role]. Individual risk entries should have assigned risk owners responsible for treatment and review.
|
||||
|
||||
## Update Frequency
|
||||
|
||||
The register should be updated when new risks are identified, risk status changes, treatment actions are completed, or review dates are reached. It should be reviewed at least as part of formal management review.
|
||||
|
||||
## Retention
|
||||
|
||||
Current and superseded versions should be retained in line with document and records retention requirements.
|
||||
|
||||
## Template Table
|
||||
|
||||
| Risk ID | Date Identified | Risk Title | Affected Asset / Service | Risk Description | Impact | Likelihood | Overall Rating | Treatment Decision | Risk Owner | Target Date | Status | Review Date | Linked Records / Evidence |
|
||||
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|
||||
| [R-001] | [DD Month YYYY] | [Short title] | [System / service / supplier] | [Description] | [Low/Medium/High] | [Low/Medium/High] | [Low/Medium/High] | [Mitigate / Accept / Avoid / Transfer] | [Role] | [DD Month YYYY] | [Open / In Progress / Accepted / Closed] | [DD Month YYYY] | [Risk assessment / exception / incident] |
|
||||
|
||||
## Related Documents
|
||||
|
||||
- Risk Assessment and Treatment Methodology
|
||||
- Risk Assessment Procedure
|
||||
- Exception Management Procedure
|
||||
- Corrective Action Procedure
|
||||
Reference in New Issue
Block a user