Clause 6.1.2 of ISO 27001:2022 requires a documented information-security risk assessment, and your auditor will ask for the register itself, not a PDF summary. This 30-row register covers the threats every ISMS must address — pre-scored, pre-mapped to the new 4-theme Annex A controls (Organisational, People, Physical, Technological), and ready to drop into your Statement of Applicability.
Scoring: Likelihood × Impact, each on a 1–5 scale (a 5×5 matrix). Scores of 15 or more are unacceptable, 8–14 must be treated, and 7 or less may be accepted with monitoring. Residual is the rating after the listed control is applied. Auditors reject 1–3 scales as insufficiently granular.
| ID | Threat | Vulnerability | Inherent | Control | Residual | Treatment | Owner | Reference |
|---|---|---|---|---|---|---|---|---|
| R-01 | Loss of executive support for the ISMS | Top management deprioritises information security in favour of growth targets | 3×5=15 | Quarterly ISMS management review with documented minutes; security KPIs reported to board. | 2×4=8 | Mitigate | CISO | A.5.1 / Clause 5.1 |
| R-02 | Undefined information security responsibilities | Roles & responsibilities not formally documented; gaps in accountability | 4×4=16 | RACI matrix for all Annex A controls; documented in ISMS scope statement. | 2×3=6 | Mitigate | CISO | A.5.2 |
| R-03 | Unauthorised use of intellectual property | No IP register; software licences unmanaged | 3×3=9 | Software asset inventory + annual licence reconciliation; IP clauses in employment contracts. | 2×2=4 | Mitigate | Legal | A.5.32 |
| R-04 | Vendor compromise leading to data breach | Sub-processors not assessed; no contractual security clauses | 4×5=20 | TPRM programme: pre-onboarding security questionnaire, annual review, contract addendum w/ audit right. | 2×4=8 | Mitigate | Vendor Mgmt | A.5.19 / A.5.20 / A.5.22 |
| R-05 | Regulatory non-compliance fines | No legal register; new laws (NIS2, AI Act) not tracked | 3×5=15 | Quarterly legal-register review with external counsel; subscription to regulatory horizon-scanning service. | 2×4=8 | Mitigate | Legal | A.5.31 |
| R-06 | Insider threat — data theft on resignation | Departing staff retain access to source code & customer data | 3×5=15 | Same-day deprovisioning; exit interview w/ confidentiality reminder; UEBA on critical systems. | 2×3=6 | Mitigate | HR + IT | A.6.5 / A.8.16 |
| R-07 | Phishing leading to credential theft | Staff susceptible to social engineering; MFA bypass via consent phishing | 5×4=20 | FIDO2 phishing-resistant MFA; quarterly simulated phishing; conditional access policies. | 2×3=6 | Mitigate | IT | A.6.3 / A.8.5 |
| R-08 | Inadequate security awareness | New hires not trained before granted access | 4×3=12 | Pre-access mandatory training; annual refresher with comprehension quiz ≥80%. | 2×2=4 | Mitigate | HR | A.6.3 |
| R-09 | Unauthorised office access | Tailgating into shared workspace; no visitor log | 3×3=9 | Badged entry, visitor sign-in + escort policy, CCTV at entry/exit retained 90 days. | 2×2=4 | Mitigate | Facilities | A.7.2 / A.7.4 |
| R-10 | Equipment theft / loss | Laptops left in vehicles; no asset tracking | 4×3=12 | Full-disk encryption mandatory; asset register w/ MDM enrolment; remote wipe on report. | 2×2=4 | Mitigate | IT | A.7.9 / A.7.10 |
| R-11 | Data centre environmental failure | Cloud provider single-region deployment | 2×5=10 | Multi-region active/passive DR; RPO 1h / RTO 4h tested annually. | 1×3=3 | Mitigate | SRE | A.7.5 / A.7.11 |
| R-12 | Unauthorised access to production systems | Excessive privileges; shared admin accounts | 5×5=25 | Just-in-time access (PAM), RBAC, named accounts only, quarterly access reviews. | 2×4=8 | Mitigate | IT | A.8.2 / A.8.3 |
| R-13 | Unpatched critical vulnerability exploited | No SLA-driven patch programme; legacy OS in use | 4×5=20 | 30/60/90-day patch SLA by severity; weekly authenticated vuln scans; EOL replacement plan. | 2×4=8 | Mitigate | IT | A.8.8 |
| R-14 | Malware on endpoint | EDR not deployed everywhere; macOS coverage gap | 4×4=16 | EDR mandatory on all endpoints, 24/7 SOC monitoring, isolation playbook. | 2×3=6 | Mitigate | IT | A.8.7 |
| R-15 | Data leakage via unauthorised cloud apps | Shadow IT — staff using personal Dropbox / ChatGPT for work data | 4×4=16 | CASB + DLP on managed endpoints; sanctioned-app catalogue; AI usage policy. | 2×3=6 | Mitigate | IT | A.5.10 / A.8.12 |
| R-16 | Backup failure / ransomware on backups | Backups on same network; never test-restored | 3×5=15 | Immutable / air-gapped backups; quarterly test-restore w/ documented results. | 1×3=3 | Mitigate | SRE | A.8.13 |
| R-17 | Insecure software development | No SAST/DAST; secrets committed to repos | 4×4=16 | SAST + secret-scan in CI; SCA for dependencies; threat-modelling for major features. | 2×3=6 | Mitigate | Engineering | A.8.25 / A.8.28 |
| R-18 | Web application attack (OWASP Top 10) | No WAF; injection vulnerabilities in legacy endpoints | 4×5=20 | WAF in blocking mode, annual third-party pen test, bug-bounty programme. | 2×4=8 | Mitigate | Engineering | A.8.29 |
| R-19 | Network intrusion via flat architecture | Production and corporate networks not segmented | 3×5=15 | VPC segmentation, zero-trust network access, default-deny egress. | 2×4=8 | Mitigate | SRE | A.8.22 / A.8.23 |
| R-20 | Cryptographic weakness | TLS 1.0 still enabled; weak ciphers in use | 3×4=12 | Modern TLS-only (1.2+ inbound, 1.3 preferred), quarterly cipher scan. | 1×3=3 | Mitigate | SRE | A.8.24 |
| R-21 | Logging & monitoring gaps | Auth events not centralised; no alerting on privileged actions | 4×4=16 | Centralised SIEM, 24/7 alerting on privileged-action use cases, 1y log retention. | 2×3=6 | Mitigate | SecOps | A.8.15 / A.8.16 |
| R-22 | Loss of clock synchronisation | Hosts drift; forensics unreliable | 3×2=6 | NTP from hardened source, alert on >5s drift. | 1×1=1 | Mitigate | SRE | A.8.17 |
| R-23 | Information transfer interception | Email & file-share encryption inconsistent | 3×4=12 | TLS-required outbound, encrypted file-share for external sharing, DLP rules. | 2×3=6 | Mitigate | IT | A.5.14 |
| R-24 | Incident-response failure | No tested IR plan; unclear escalation | 4×5=20 | Documented IR plan, annual tabletop, 24/7 on-call rota, post-mortem template. | 2×4=8 | Mitigate | CISO | A.5.24 / A.5.25 / A.5.26 |
| R-25 | Business-continuity disruption | No BCP; staff don't know fallback procedures | 3×5=15 | Documented BCP per critical service, annual exercise, stakeholder comms tree. | 2×3=6 | Mitigate | COO | A.5.29 / A.5.30 |
| R-26 | Misclassified data exposure | No classification scheme; sensitive data treated as public | 4×4=16 | 4-tier classification (Public/Internal/Confidential/Restricted), automated tagging in M365/Google Workspace. | 2×3=6 | Mitigate | Data Protection | A.5.12 / A.5.13 |
| R-27 | Personal data breach (GDPR Art. 33/34) | Notification deadlines missed; lack of evidence | 3×5=15 | GDPR breach playbook w/ 72h notification workflow, evidence-collection checklist. | 2×4=8 | Mitigate | DPO | A.5.34 / GDPR Art. 33 |
| R-28 | Account takeover via session hijack | No session-binding; long-lived tokens | 3×4=12 | Short-lived sessions, IP/UA binding, anomalous-login alerting. | 2×3=6 | Mitigate | Engineering | A.8.5 |
| R-29 | Data deletion / non-erasure on request | DSR pipeline doesn't reach analytics warehouse | 3×4=12 | Centralised PII inventory, automated deletion job across all stores, audit log. | 2×3=6 | Mitigate | Engineering | A.5.34 / A.8.10 |
| R-30 | Non-conformity from internal audit | Internal audit not performed annually | 3×3=9 | Annual internal-audit programme covering all clauses + Annex A controls; CAR tracker. | 1×2=2 | Mitigate | ISMS Mgr | Clause 9.2 |
This register is a strong starting point that covers every Annex A theme, but your certification body will expect risks specific to your context — your applications, your data flows, your people. Use it as a baseline and add 5–15 organisation-specific entries.
The risk register identifies what could go wrong and how you treat it; the SoA is the master list of all 93 Annex A controls with the applicability decision and justification for each. The register feeds the SoA: every Annex A control you mark 'applicable' should map to at least one risk that justifies its inclusion.
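The scoring scheme above and the register-to-SoA mapping are both mechanical, so they are worth checking by script before an audit rather than by eye. The following is an added example, not part of the template or of ComplianceIQ: it parses register rows in the markdown layout used on this page, re-computes each Likelihood × Impact score and rejects rows whose arithmetic is wrong, bands scores with the stated thresholds (15+ unacceptable, 8–14 treat, ≤7 accept with monitoring), flags rows whose residual rating is not below the inherent one or is still unacceptable, and builds the Annex A control → risk cross-reference that justifies each 'applicable' entry in the SoA. The sample rows are constructed, abbreviated copies of rows from the register above; the column order and the `A.x.y` reference format are assumed from the page.

```python
"""Consistency checks for a 5x5 Likelihood x Impact risk register.

Added example (not the page's template). Assumes rows in the page's markdown
layout: | ID | Threat | Vulnerability | Inherent | Control | Residual |
Treatment | Owner | Reference |, with scores written as 'LxI=S'.
"""
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of rows from the register above.
SAMPLE_ROWS = """
| R-04 | Vendor compromise leading to data breach | Sub-processors not assessed | 4×5=20 | TPRM programme | 2×4=8 | Mitigate | Vendor Mgmt | A.5.19 / A.5.20 / A.5.22 |
| R-12 | Unauthorised access to production systems | Excessive privileges | 5×5=25 | PAM, RBAC, access reviews | 2×4=8 | Mitigate | IT | A.8.2 / A.8.3 |
| R-22 | Loss of clock synchronisation | Hosts drift | 3×2=6 | NTP from hardened source | 1×1=1 | Mitigate | SRE | A.8.17 |
| R-30 | Non-conformity from internal audit | Audit not performed annually | 3×3=9 | Annual internal-audit programme | 1×2=2 | Mitigate | ISMS Mgr | Clause 9.2 |
"""

# Accept both the ASCII 'x' and the multiplication sign used on the page.
SCORE_RE = re.compile(r"^\s*([1-5])\s*[x×]\s*([1-5])\s*=\s*(\d+)\s*$")
CONTROL_RE = re.compile(r"A\.\d+\.\d+")


def band(score):
    """Treatment band for a 5x5 score, using the thresholds stated on the page."""
    if score >= 15:
        return "unacceptable"
    if score >= 8:
        return "treat"
    return "accept (monitor)"


def parse_score(cell):
    """Parse 'L×I=S' into (L, I, S); raise if S is not actually L*I."""
    m = SCORE_RE.match(cell)
    if not m:
        raise ValueError(f"bad score cell: {cell!r}")
    likelihood, impact, score = (int(g) for g in m.groups())
    if likelihood * impact != score:
        raise ValueError(f"arithmetic error in {cell!r}: {likelihood}*{impact} != {score}")
    return likelihood, impact, score


def parse_register(text):
    """Turn markdown table rows into dicts; header and separator rows are skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 9 or not cells[0].startswith("R-"):
            continue
        rid, threat, vuln, inherent, control, residual, treatment, owner, ref = cells
        rows.append({
            "id": rid, "threat": threat, "vulnerability": vuln,
            "inherent": parse_score(inherent), "control": control,
            "residual": parse_score(residual), "treatment": treatment,
            "owner": owner, "reference": ref,
            "controls": CONTROL_RE.findall(ref),  # Annex A refs only
        })
    return rows


def audit_register(rows):
    """Return the findings an internal auditor would raise against the register."""
    findings = []
    for r in rows:
        inherent, residual = r["inherent"][2], r["residual"][2]
        if residual >= inherent:
            findings.append(f"{r['id']}: residual {residual} not below inherent {inherent}")
        if band(residual) == "unacceptable":
            findings.append(f"{r['id']}: residual {residual} is still unacceptable")
        # A mitigated risk must cite the control (or ISO clause) that treats it.
        if r["treatment"] == "Mitigate" and not r["controls"] and "Clause" not in r["reference"]:
            findings.append(f"{r['id']}: no Annex A control or clause referenced")
    return findings


def soa_cross_reference(rows):
    """Map each Annex A control to the risk IDs that justify marking it applicable."""
    xref = defaultdict(list)
    for r in rows:
        for control in r["controls"]:
            xref[control].append(r["id"])
    return dict(xref)


if __name__ == "__main__":
    register = parse_register(SAMPLE_ROWS)
    for r in register:
        print(r["id"], band(r["inherent"][2]), "->", band(r["residual"][2]))
    print("findings:", audit_register(register) or "none")
    print("SoA justification:", soa_cross_reference(register))
```

Running it against the full register is a matter of pasting the table into `SAMPLE_ROWS`; any row whose `L×I=S` cell does not multiply out, or whose residual is not lower than its inherent score, surfaces as an exception or a finding, and the cross-reference gives you the "at least one risk per applicable control" evidence the SoA needs.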
No separate register is needed: ISO 27701 extends 27001 with privacy-specific controls, so you add privacy risks (data subject rights, lawful basis, cross-border transfer) to the same register and mark them with 27701 references.
Review the register at minimum annually as part of management review (Clause 9.3), but realistically after every material change: a new product, new vendor, new region, new regulation, or an incident.
Drop your current policy or describe your environment — ComplianceIQ scores every clause against the framework and tells you which register rows are actually mitigated.