Toolkit: Document Your Cyber and IT Risks in a Risk Register
Refreshed 22 September 2022, Published 6 May 2021 - ID G00738712 - 4 min read
FOUNDATIONAL This research is reviewed periodically for accuracy.
Additional Perspectives
■ Summary Translation: Toolkit: Document Your Cyber and IT Risks in a Risk Register (10 June 2021)
The columns function as the fields that hold the relevant information for each risk or issue tracked. Excel limits how one row can be linked to multiple data points, which restricts functionality such as sorting, filtering and many-to-one relationship mapping between risks and issues (several issues informing one risk, or one issue informing several risks).
Contained within the risk registers are several lookup tables to support the security and
risk management team’s efforts to record the risk rating, impact and likelihood across the
enterprise in a consistent and coherent manner. These particular samples are suitable for
recording most semiquantitative and qualitative risk assessment methodologies but are
not intended to guide the risk assessment approach itself.
The samples should be used as a starting point. The risks, associated impact and
likelihood criteria, risk ratings, mitigating controls and next steps were created as
examples. Organizations may need to customize some fields to match the nomenclature,
risk taxonomy and risk appetite relevant to their own environments.
Security and risk management (SRM) leaders must use a risk register to provide a high-level overview of IT-related risks stated from a business perspective. The use of an enterprise risk register is encouraged. A well-designed risk register can be used to:
2. Consistently record, prioritize and organize the outputs of the risk assessments
3. Track treatment of risks and remediation of granular technical issues related to the risks
Risk registers can be used to monitor the most significant cyber and IT risks or extend to
tracking the entire catalog of cyber and IT risks.
The sample risk registers in this Toolkit represent two different approaches to risk
registers:
■ Consolidated: All risks and related issues are recorded in a single register.
■ Composable: Risks and issues are linked but recorded in separate registers.
The composable approach, in which risks and issues are linked but recorded in separate registers, allows organizations to maintain proper oversight of the numerous control deficiencies identified through assurance activities (internal audits, postincident reviews, application security testing, policy exceptions, vulnerability scanning and penetration testing) while still assessing the overall risk arising from the complex control environment, as informed by those findings.
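The following is an added illustration of the composable approach, not the Toolkit's Excel workbook or any Gartner code: two linked tables, risks and issues, where one issue can inform several risks and several issues can inform one risk, with lookup tables that turn likelihood and impact into a consistent rating, a referential-integrity check that rejects orphan findings, and a report that rolls open issues up to each risk. The 5-point scales, the rating thresholds, the risk appetite field and all sample risks and issues are constructed assumptions for the example, not the Toolkit's own tables or data.

```python
"""Composable cyber/IT risk and issue register (added illustration, not the Toolkit's own tool)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed 5-point semiquantitative scales. The Toolkit ships its own lookup tables;
# these values are illustrative only.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RATING_ORDER = ["low", "medium", "high", "critical"]


def rate(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a rating band (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass
class Risk:
    risk_id: str
    statement: str            # stated from a business perspective, not as a technical finding
    likelihood: str           # key into LIKELIHOOD
    impact: str               # key into IMPACT
    owner: str
    appetite: str = "medium"  # assumed field: highest rating the owner accepts without further treatment

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        return rate(self.score)


@dataclass
class Issue:
    issue_id: str
    risk_ids: List[str]   # one issue can inform several risks; many issues can inform one risk
    source: str           # assurance activity that found it: pentest, vulnerability scan, audit, ...
    description: str
    status: str = "open"  # open | in_progress | closed
    due: str = ""


class Register:
    """Two linked tables: risks keyed by risk_id, issues keyed by issue_id."""

    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.issues: Dict[str, Issue] = {}

    def add_risk(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def add_issue(self, issue: Issue) -> None:
        # Referential integrity: every issue must link to risks that exist in the risk
        # register, otherwise it becomes an orphan finding that no risk owner is accountable for.
        unknown = set(issue.risk_ids) - set(self.risks)
        if unknown:
            raise ValueError(f"{issue.issue_id} links to unknown risk(s): {sorted(unknown)}")
        self.issues[issue.issue_id] = issue

    def issues_for(self, risk_id: str) -> List[Issue]:
        return [i for i in self.issues.values() if risk_id in i.risk_ids]

    def report(self) -> List[dict]:
        """One row per risk, highest score first, with the remediation status of linked issues."""
        rows = []
        for r in sorted(self.risks.values(), key=lambda r: r.score, reverse=True):
            linked = self.issues_for(r.risk_id)
            open_issues = [i for i in linked if i.status != "closed"]
            rows.append({
                "risk_id": r.risk_id,
                "rating": r.rating,
                "score": r.score,
                "total_issues": len(linked),
                "open_issues": len(open_issues),
                "within_appetite": RATING_ORDER.index(r.rating) <= RATING_ORDER.index(r.appetite),
            })
        return rows


def build_sample_register() -> Register:
    """Constructed sample data for the example; not from any real organization."""
    reg = Register()
    reg.add_risk(Risk("R-01", "Unauthorized access to customer data via internet-facing apps", "likely", "major", "CISO"))
    reg.add_risk(Risk("R-02", "Extended outage of the billing platform", "possible", "moderate", "Head of Ops"))
    reg.add_risk(Risk("R-03", "Regulatory penalty from a data-retention failure", "unlikely", "major", "DPO"))
    reg.add_issue(Issue("I-101", ["R-01"], "penetration test", "SQL injection in portal search", "open", "2021-07-31"))
    reg.add_issue(Issue("I-102", ["R-01"], "vulnerability scan", "Outdated TLS library on reverse proxy", "closed"))
    reg.add_issue(Issue("I-103", ["R-01", "R-02"], "policy exception", "Shared admin account on billing gateway", "in_progress", "2021-08-15"))
    reg.add_issue(Issue("I-104", ["R-02"], "post-incident review", "No failover test in 18 months", "open", "2021-09-30"))
    return reg


if __name__ == "__main__":
    for row in build_sample_register().report():
        print(row)
```

Issue I-103 is the case a single consolidated sheet handles badly: it informs two risks at once, so in a one-row-per-risk workbook it would have to be duplicated or attached to only one of them. Here it is recorded once and counted against both risks, and the report flags R-01 as outside appetite with two open issues still to remediate.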
When to Use
Security and risk management (SRM) leaders are adept at identifying the numerous technical causes of cyber and IT risk (see Note 1), but can be overwhelmed by the volume of technical issues identified. SRM leaders need a structured approach for documenting and managing the identified issues to facilitate business decision making. Analysis of survey results (see Evidence, note 1) from 275 SRM functions shows that almost 50% of organizations surveyed had a maturity score below 3. This indicates that they did not have a standardized approach to monitoring risk exposure, let alone providing a consistent, enterprisewide view of risk to facilitate business decision making.
Evidence
In preparing this research, Gartner used a combination of information from interactions
with clients, real-life case studies and open access and academic publications to create
these sample risk registers and reports.
1. Gartner IT Score for Security and Risk Management assessment data from 275 organizations from October 2020 to February 2021.
Disclaimer: Unless otherwise marked for external use, the items in this Gartner Tool are for
internal noncommercial use by the licensed Gartner client. The materials contained in this
Tool may not be repackaged or resold. Gartner makes no representations or warranties as
to the suitability of this Tool for any particular purpose, and disclaims all liabilities for any
damages, whether direct, consequential, incidental or special, arising out of the use of or
inability to use this material or the information provided herein.
Tool Description
■ Sample Risk Register (Consolidated): Provides an Excel spreadsheet to record and monitor the current status of cyber and IT risks within an organization.
■ Sample Risk Register (Composable): Provides multiple Excel spreadsheet tabs to separately track technical issues while providing visibility into the broader cyber and IT risks. The composable nature provides more flexibility in recording issues to inform risks.
■ Sample Risk and Issue Register Reporting: Provides sample templates for reporting on the current status of the risk register and tracking remediation of issues.