📖 What is a Risk Register?
A risk register is a centralized document used to identify, track, and manage risks throughout their lifecycle. It typically includes the risk description, probability, impact, current controls, risk owner, and the chosen risk treatment strategy.
"In the exam, view the risk register as the primary tool for communication between the security manager and senior management."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of a Risk Register?
- ▸ Risk Ownership: Assigning a specific individual accountable for each risk ensures that mitigation efforts are tracked and responsibility for residual risk is clearly defined.
- ▸ Treatment Strategies: The register documents the decision to avoid, mitigate, transfer, or accept each risk, providing a formal audit trail for management decisions.
- ▸ Lifecycle Management: It tracks risks from initial identification through analysis and treatment, ensuring no identified threat is overlooked during the risk management process.
- ▸ Dynamic Documentation: As a living document, the register must be updated regularly to reflect changes in the threat landscape or the effectiveness of implemented controls.
- ▸ Management Reporting: It serves as the primary communication vehicle to inform senior management of the organization's current risk posture and required resource allocations.
🎯 How does the Risk Register appear on the CISM Exam?
You may be asked to identify the most appropriate document to use when presenting a comprehensive list of identified vulnerabilities and their current mitigation status to the board of directors.
A scenario might describe a change in the business environment or a new threat emergence, asking which document must be updated first to maintain an accurate risk profile.
Expect questions where you must determine the next step after a risk assessment is completed, with updating the risk register often being the correct administrative action.
❓ Frequently Asked Questions
What is the difference between a risk assessment and a risk register?
A risk assessment is the process of identifying and analyzing risks. The risk register is the formal output of that process, acting as the centralized repository where those findings are recorded and tracked.
Who is responsible for the entries in the risk register?
While the CISM or risk manager typically maintains the document, the 'Risk Owner' is the business leader accountable for the specific risk and the implementation of the agreed-upon treatment.
Should every single technical vulnerability be listed in the risk register?
No. Vulnerabilities are technical weaknesses. The risk register focuses on 'Risks'—the potential for loss resulting from a threat exploiting a vulnerability—that meet a certain significance threshold.