The Risk Register tracks information security risks identified through the IA risk assessment process.
Risk Assessment
Each risk is evaluated using likelihood (1-5) and impact (1-5) scales. The resulting score maps to a risk level as follows:
- Low — Score 1-4
- Medium — Score 5-9
- High — Score 10-15
- Critical — Score 16-25
Treatment Options
- Mitigate — Implement controls to reduce likelihood or impact
- Accept — Accept the risk within defined appetite
- Transfer — Transfer risk through insurance or outsourcing
- Avoid — Eliminate the risk by removing the activity
Residual risk is reassessed after treatment controls are implemented.