Document ID: ISMS-RISK-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Introduction
This register records all identified information security risks for [Organisation Name]'s ISMS scope. Each risk is assessed using the methodology defined in the Risk Assessment Methodology (ISMS-METH-001). The register is a living document: risk owners are responsible for updating treatment status, and the ISM is responsible for reviewing the full register at least quarterly and formally at the annual Management Review.
How to read this register:
- Likelihood and Impact are scored 1–5 per the scales in ISMS-METH-001.
- Risk Score = Likelihood × Impact. Scores 1–4 = Low, 5–9 = Medium, 10–14 = High, 15–25 = Critical.
- Residual Score reflects the expected score after treatment controls are fully implemented.
- Status: Planned = not yet started | In Progress = controls being implemented | Complete = controls implemented and verified.
Risk Register
| ID | Asset | Threat | Vulnerability | Likelihood | Impact | Risk Score | Rating | Treatment | Control Owner | Target Date | Residual Score | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Client SIEM data | Ransomware encryption of SOC platform and client log data | Unpatched systems in SOC platform; no offline backup copy | 4 | 5 | 20 | Critical | Mitigate: enforce patching SLA less than 30 days for critical CVEs; implement daily backups with offline/immutable copy; test restore monthly | SOC Manager | 2026-04-30 | 8 | In Progress |
| R-002 | Employee credentials (Microsoft 365) | Phishing attack leading to account takeover and data access | No MFA enforced on Microsoft 365; all accounts use password only | 5 | 4 | 20 | Critical | Mitigate: enforce MFA via Entra ID Conditional Access for all users; block legacy authentication protocols | IT Manager | 2026-03-31 | 4 | Complete |
| R-003 | AWS production environment | Misconfiguration leading to public exposure of client data (e.g., public S3 bucket, open security group) | No automated configuration scanning; manual reviews inconsistent | 3 | 5 | 15 | Critical | Mitigate: deploy AWS Config and Security Hub with managed rule sets; implement automated remediation for critical findings; quarterly manual review | Cloud Lead | 2026-04-15 | 6 | In Progress |
| R-004 | Penetration testing tooling (offensive lab) | Insider misuse of offensive tools for unauthorised activity or data exfiltration | No controls on lab network egress; no logging of tool execution; shared tool accounts | 2 | 5 | 10 | High | Mitigate: implement network segmentation with egress filtering on lab VLAN; deploy tool usage logging to SIEM; individual named accounts for all tools; annual background checks for lab staff | Technical Director | 2026-05-31 | 4 | Planned |
| R-005 | Client report archive (SharePoint) | Unauthorised disclosure of penetration test reports to unauthorised parties | Shared drive with overly broad group permissions; no access review process | 3 | 4 | 12 | High | Mitigate: implement role-based access with named individuals only; remove group-level permissions; conduct quarterly access review | ISM | 2026-03-31 | 3 | Complete |
| R-006 | HR and payroll SaaS system | Data breach of employee PII (names, salaries, bank details, addresses) | Third-party SaaS enforces weak password policy; no SSO integration; no MFA | 3 | 4 | 12 | High | Mitigate: enforce SSO via Entra ID; enable MFA requirement in vendor admin console; conduct annual supplier security review including questionnaire | HR Manager | 2026-04-30 | 4 | In Progress |
| R-007 | Server room (on-premises lab hardware) | Physical theft of servers or storage containing client or operational data | No CCTV coverage of server room door or interior; door access uses standard key lock only | 2 | 4 | 8 | Medium | Mitigate: install CCTV covering server room entrance and interior; upgrade door access to badge + PIN with access log retention; review access list quarterly | Facilities Manager | 2026-06-30 | 3 | Planned |
| R-008 | Corporate email / finance processes | Business Email Compromise (BEC / CEO fraud) leading to fraudulent wire transfers | No DMARC enforcement (policy set to none); no dual-approval procedure for wire transfers | 4 | 4 | 16 | Critical | Mitigate: set DMARC policy to reject for all domains; implement DKIM and SPF; establish dual-approval procedure for all transfers exceeding $5,000; conduct BEC awareness training | CISO | 2026-03-31 | 4 | In Progress |
| R-009 | VPN / remote access portal | Brute force attack on VPN credentials leading to network intrusion | No account lockout policy on VPN; no MFA requirement on remote access | 4 | 3 | 12 | High | Mitigate: enable account lockout after 5 failed attempts with 15-minute lockout; enforce MFA on VPN using hardware token or authenticator app | IT Manager | 2026-03-31 | 3 | Complete |
| R-010 | Backup systems and media | Backup failure resulting in data being unrecoverable following an incident | Backups not tested; no automated monitoring of backup job success or failure | 3 | 4 | 12 | High | Mitigate: implement automated alerting on backup job failure; conduct monthly backup restore test with documented evidence; include backup status in weekly IT review | IT Manager | 2026-04-30 | 4 | In Progress |
| R-011 | Development environment and source code | Credentials or API keys committed to public or private GitHub repository | No secret scanning in CI/CD pipeline; no mandatory pre-commit hooks; developers unaware of risk | 3 | 4 | 12 | High | Mitigate: implement GitGuardian or GitHub Advanced Security secret scanning on all repositories; enforce pre-commit hooks that block secrets; run awareness session for all developers | Technical Director | 2026-04-15 | 3 | Planned |
| R-012 | Key supplier: SIEM platform vendor | Vendor breach exposing client log data stored or processed on vendor platform | No security requirements in vendor contract; no Data Processing Agreement; no right to audit | 2 | 5 | 10 | High | Mitigate: revise supplier contract to include minimum security obligations, DPA, incident notification within 72 hours, and right to audit or receive audit report; conduct annual security review | Legal / CISO | 2026-05-31 | 5 | Planned |
| R-013 | Internal office network | Rogue device connected to internal network by visitor or unauthorised party | No 802.1X network access control; guest and corporate Wi-Fi on same network segment | 2 | 3 | 6 | Medium | Mitigate: implement network segmentation separating guest, corporate, and server VLANs; deploy 802.1X for wired connections; enforce device certificate requirement for corporate Wi-Fi | IT Manager | 2026-06-30 | 2 | Planned |
| R-014 | Penetration test reports in transit | Report intercepted in transit to client, exposing client vulnerability data | Reports delivered via unencrypted email attachments with no password protection | 2 | 4 | 8 | Medium | Mitigate: mandate delivery via encrypted client portal (SharePoint with MFA); prohibit sending Confidential reports via standard email; update report delivery procedure and communicate to all consultants | All Pentesters | 2026-04-30 | 2 | In Progress |
| R-015 | Organisational continuity | Key person dependency: loss of a single skilled resource causes inability to deliver a critical service | No documented runbooks for critical processes; no cross-training; no succession plan for critical roles | 3 | 3 | 9 | Medium | Mitigate: document all critical operational procedures as formal runbooks; identify and cross-train a second competent resource for each critical function; review and update annually | CISO | 2026-06-30 | 4 | Planned |
Risk Summary Dashboard
Count by Rating
| Rating | Total Risks | Open | In Progress | Complete |
|---|---|---|---|---|
| Critical (15–25) | 3 | 0 | 2 | 1 |
| High (10–14) | 7 | 0 | 4 | 2 |
| Medium (5–9) | 3 | 0 | 1 | 0 |
| Low (1–4) | 0 | 0 | 0 | 0 |
| Planned | 5 | 5 | – | – |
| Total | 15 | 5 | 7 | 3 |
Note: "Planned" risks have owners and target dates assigned, but treatment has not yet commenced.
Risks Requiring Immediate Attention (Critical, not yet Complete)
| ID | Risk Description | Owner | Target Date | Days Remaining |
|---|---|---|---|---|
| R-001 | Ransomware / unpatched SOC platform | SOC Manager | 2026-04-30 | 47 |
| R-003 | AWS misconfiguration / no config scanning | Cloud Lead | 2026-04-15 | 32 |
| R-008 | BEC / no DMARC enforcement | CISO | 2026-03-31 | 17 |
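A consistency checker for the scoring rules in "How to read this register" and for the summary dashboard, added here as an example and not part of the register itself: it parses rows in the same thirteen-column layout, confirms that Risk Score equals Likelihood × Impact and that each Rating sits in the band for its score, then recomputes the count-by-rating table and the list of Critical risks not yet Complete. The sample rows are constructed (text shortened, plus one deliberately inconsistent row, R-099).

```python
from collections import Counter

# Rating bands from "How to read this register": score = Likelihood x Impact.
BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 14, "High"), (15, 25, "Critical")]

def rating_for(score):
    """Map a 1-25 risk score to its rating band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 1-25 range")

def parse_register(markdown):
    """Extract risk rows (ID starts with 'R-') from a 13-column markdown table."""
    rows = []
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 13 or not cells[0].startswith("R-"):
            continue  # header, separator or non-risk line
        rows.append({"id": cells[0], "likelihood": int(cells[4]), "impact": int(cells[5]),
                     "score": int(cells[6]), "rating": cells[7], "status": cells[12]})
    return rows

def validate(rows):
    """One finding per row whose score or rating disagrees with the methodology."""
    findings = []
    for r in rows:
        expected = r["likelihood"] * r["impact"]
        if r["score"] != expected:
            findings.append(f"{r['id']}: score {r['score']} != {r['likelihood']}x{r['impact']}={expected}")
        if r["rating"] != rating_for(r["score"]):
            findings.append(f"{r['id']}: rating {r['rating']} should be {rating_for(r['score'])}")
    return findings

def dashboard(rows):
    """Count risks per rating band and treatment status, as in the summary dashboard."""
    counts = {name: Counter() for _, _, name in BANDS}
    for r in rows:
        counts[r["rating"]][r["status"]] += 1
    return counts

def needs_attention(rows):
    """IDs of Critical risks whose treatment is not yet Complete."""
    return [r["id"] for r in rows if r["rating"] == "Critical" and r["status"] != "Complete"]

# Constructed sample register: same column layout as the real one, text shortened.
SAMPLE = """
| ID | Asset | Threat | Vulnerability | Likelihood | Impact | Risk Score | Rating | Treatment | Control Owner | Target Date | Residual Score | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | SIEM data | Ransomware | Unpatched SOC hosts | 4 | 5 | 20 | Critical | Mitigate: patch, backups | SOC Manager | 2026-04-30 | 8 | In Progress |
| R-002 | M365 accounts | Phishing | No MFA | 5 | 4 | 20 | Critical | Mitigate: MFA | IT Manager | 2026-03-31 | 4 | Complete |
| R-007 | Server room | Theft | Key lock only | 2 | 4 | 8 | Medium | Mitigate: CCTV, badge | Facilities | 2026-06-30 | 3 | Planned |
| R-099 | Test row | Constructed error | Score and band do not match | 3 | 4 | 15 | High | Mitigate: n/a | ISM | 2026-06-30 | 4 | Planned |
"""
```

Running `validate(parse_register(SAMPLE))` reports both inconsistencies in R-099 (score 15 is not 3×4, and a score of 15 belongs in Critical, not High), while the genuine rows pass.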
Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue: 15 risks assessed |