
Toolkit: Document Your Cyber and IT Risks in a Risk Register
Refreshed 22 September 2022, Published 6 May 2021 - ID G00738712 - 4 min read
FOUNDATIONAL This research is reviewed periodically for accuracy.

By Analyst(s): Claude Mandy, Khushbu Pratap, Deepti Gopal


Initiatives: Cyber Risk; Demonstrate Value and Collaborate With Business Partners;
Executive Leadership: Strategic Risk Management

Security and risk management leaders need to document, manage and communicate cyber- and IT-related risks to business leaders on an ongoing basis. This Toolkit provides a set of tools to document risk, issues and related plans for remediation of risks for organizations.

Additional Perspectives

■ Summary Translation: Toolkit: Document Your Cyber and IT Risks in a Risk Register
(10 June 2021)

More on This Topic

This is part of an in-depth collection of research. See the collection:

■ The Cyber-Risk Management Cookbook for Security Leaders

Risk Register and Reporting Samples

The sample risk registers and reporting templates in this Toolkit can be modified to fit the organization's definitions, goals and objectives for risk management. The risk registers are provided as Excel spreadsheets in the download section of this document.

Gartner, Inc. | G00738712 Page 1 of 6

This research note is restricted to the personal use of mochamadal@xl.co.id.


Table 1: Risk Register and Reporting Samples

Tool: Description

Sample Risk Register (Consolidated): Provides an Excel spreadsheet to record and monitor the current status of cyber and IT risks within an organization.

Sample Risk Register (Composable): Provides multiple Excel spreadsheet tabs to separately track technical issues while providing visibility into the broader cyber and IT risks. The composable nature provides more flexibility in recording issues to inform risks.

Sample Risk and Issue Register Reporting: Provides sample templates for reporting on the current status of the risk register and tracking remediation of issues.

Source: Gartner (May 2021)

The columns function as the fields containing the relevant information for each row, that is, each risk or issue tracked. The use of Excel limits the linkage between multiple data points, which restricts functionality such as sorting, filtering and many-to-one relationship mapping between risks and issues.

Contained within the risk registers are several lookup tables to support the security and
risk management team’s efforts to record the risk rating, impact and likelihood across the
enterprise in a consistent and coherent manner. These particular samples are suitable for
recording most semiquantitative and qualitative risk assessment methodologies but are
not intended to guide the risk assessment approach itself.

The samples should be used as a starting point. The risks, associated impact and
likelihood criteria, risk ratings, mitigating controls and next steps were created as
examples. Organizations may need to customize some fields to match the nomenclature,
risk taxonomy and risk appetite relevant to their own environments.



Using a strictly technical and granular summary of issues identified to assess and express
these risks is useful for tracking remediation, but does not resonate with business leaders.
The inability to communicate effectively to the business severely limits the usefulness of
risk assessments and the influence of security and IT risk management teams (see
Effective Risk Communication for the Technical Professional).

SRM leaders must use a risk register to provide a high-level overview of IT-related risks
stated from a business perspective. The use of an enterprise risk register is encouraged. A
well-designed risk register can be used to:

1. Guide the risk assessment process and methodology

2. Consistently record, prioritize and organize the outputs of the risk assessments

3. Track treatment of risks and remediation of granular technical issues related to the
risks

4. Report on status of risks

Risk registers can be used to monitor the most significant cyber and IT risks or extend to
tracking the entire catalog of cyber and IT risks.

The sample risk registers in this Toolkit represent two different approaches to risk
registers:

■ Consolidated: All risks and related issues are recorded in a single register.

■ Composable: Risks and issues are linked but recorded in separate registers.

The composable approach, in which risks and issues are linked but recorded in separate registers, allows organizations to maintain proper oversight of the numerous control deficiencies identified through assurance activities (internal audits, postincident reviews, application security testing, policy exceptions, vulnerability scanning and penetration testing) while assessing the overall risk from the complex control environment as informed by those findings.
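To make the register mechanics above concrete, here is an added Python example that is not part of the Toolkit (the Toolkit's own samples are Excel spreadsheets). It implements the composable approach: risks and issues live in separate tables linked by a risk ID (the many-to-one mapping the text notes is awkward in Excel), likelihood and impact are constrained to lookup tables so ratings stay consistent, and a report rolls remediation status up to the risk level. The five-point scales, the rating thresholds and every register entry are constructed assumptions, not Gartner's criteria or real findings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lookup tables: constructed for this example. An organization substitutes its own
# likelihood/impact criteria and rating thresholds; these are not Gartner's.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating_band(score: int) -> str:
    """Map a likelihood x impact score (1..25) onto a rating band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    risk_id: str
    statement: str     # stated from the business perspective, not as a technical finding
    likelihood: str    # key into LIKELIHOOD
    impact: str        # key into IMPACT
    owner: str

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    @property
    def rating(self) -> str:
        return rating_band(self.score)


@dataclass
class Issue:
    issue_id: str
    risk_id: str           # many issues map to one risk
    source: str            # assurance activity that found it (audit, scan, pentest, ...)
    description: str
    status: str = "open"   # open | in progress | closed
    remediation: str = ""


class ComposableRegister:
    """Risks and issues kept in separate tables, linked by risk_id."""

    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}
        self.issues: Dict[str, Issue] = {}

    def add_risk(self, risk: Risk) -> None:
        # Enforce the lookup tables so ratings are comparable across the enterprise.
        if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
            raise ValueError(f"{risk.risk_id}: likelihood/impact must use the lookup tables")
        self.risks[risk.risk_id] = risk

    def add_issue(self, issue: Issue) -> None:
        # Referential integrity: every issue must inform an existing risk.
        if issue.risk_id not in self.risks:
            raise KeyError(f"{issue.issue_id} references unknown risk {issue.risk_id}")
        self.issues[issue.issue_id] = issue

    def issues_for(self, risk_id: str, status: Optional[str] = None) -> List[Issue]:
        """Filter the issue table by linked risk and, optionally, by status."""
        return [i for i in self.issues.values()
                if i.risk_id == risk_id and (status is None or i.status == status)]

    def report(self) -> List[dict]:
        """One row per risk, highest score first, with remediation progress rolled up."""
        rows = []
        for r in self.risks.values():
            linked = self.issues_for(r.risk_id)
            open_count = sum(1 for i in linked if i.status != "closed")
            rows.append({"risk_id": r.risk_id, "risk": r.statement, "owner": r.owner,
                         "score": r.score, "rating": r.rating,
                         "total_issues": len(linked), "open_issues": open_count})
        rows.sort(key=lambda row: (-row["score"], row["risk_id"]))
        return rows


def build_sample_register() -> ComposableRegister:
    """Constructed sample data; the entries are illustrative, not real findings."""
    reg = ComposableRegister()
    reg.add_risk(Risk("R-01", "Customer data exposed via internet-facing applications",
                      "possible", "severe", "CISO"))
    reg.add_risk(Risk("R-02", "Business disruption from unpatched core infrastructure",
                      "likely", "moderate", "CIO"))
    reg.add_risk(Risk("R-03", "Regulatory findings from expired policy exceptions",
                      "unlikely", "minor", "Head of Compliance"))
    reg.add_issue(Issue("I-101", "R-01", "penetration test",
                        "Input validation gap in customer portal form", "in progress",
                        "Fix scheduled for next release"))
    reg.add_issue(Issue("I-102", "R-01", "application security testing",
                        "Session cookie missing Secure flag", "closed", "Deployed"))
    reg.add_issue(Issue("I-103", "R-02", "vulnerability scanning",
                        "Critical patches outstanding on database hosts"))
    reg.add_issue(Issue("I-104", "R-02", "internal audit",
                        "Patch SLA not monitored for legacy servers"))
    return reg


if __name__ == "__main__":
    for row in build_sample_register().report():
        print(f"{row['risk_id']} {row['rating']:<6} open {row['open_issues']}/"
              f"{row['total_issues']}  {row['risk']}")
```

The report keeps the business-level risk statement as the headline and shows the technical issues only as a count, which is the separation the text recommends: the granular findings drive remediation tracking, while the rolled-up view is what gets communicated to business leaders. Rejecting issues that reference no risk is the check that keeps the composable register from degrading into an unlinked findings list.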



Difference Between Issues and Risks

When to Use
Security and risk management (SRM) leaders are adept at identifying the numerous
technical causes of cyber and IT risk (see Note 1), but can be overwhelmed by the volume
of technical issues identified. SRM leaders need a structured approach for documenting
and managing the identified issues to facilitate business decision making. Analysis of
survey results [1] from 275 SRM functions shows that almost 50% of organizations
surveyed had a maturity score below 3. This indicates that they did not have a
standardized approach to monitoring risk exposure, let alone providing a consistent,
enterprisewide view of risk to facilitate business decision making.

Evidence
In preparing this research, Gartner used a combination of information from interactions
with clients, real-life case studies and open access and academic publications to create
these sample risk registers and reports.

[1] Gartner IT Score for Security and Risk Management assessment data from 275 organizations from October 2020 to February 2021.



Note 1: Definition of Cyber and IT Risk
Cyber and IT risk refers to internal and external exposures impacting the goals and values
of the organization due to operating in interconnected digital environments. Such
exposures are linked to digitization, technology adoption and adoption patterns, and the
pace of modernization. IT risk exposures are generally associated with core IT systems
ranging from endpoints, networks, applications and platforms to data and information
flow. Cyber risk extends IT risk to include the external risks that an organization exposes
itself to when connecting to the outside digital world. These risks are normally associated
with third parties, supply chains, customers and prospects.

Disclaimer: Unless otherwise marked for external use, the items in this Gartner Tool are for
internal noncommercial use by the licensed Gartner client. The materials contained in this
Tool may not be repackaged or resold. Gartner makes no representations or warranties as
to the suitability of this Tool for any particular purpose, and disclaims all liabilities for any
damages, whether direct, consequential, incidental or special, arising out of the use of or
inability to use this material or the information provided herein.

Recommended by the Authors

7 Critical Elements of a Security Risk Management Framework

Magic Quadrant for IT Risk Management

Critical Capabilities for IT Risk Management

6 Risk Management Principles to Drive Digital Business Success

Document Revision History

Toolkit: Sample IT Risk Register - 30 July 2014

Toolkit: Sample IT Risk Register - 22 February 2013

Toolkit: Sample IT Risk Register - 27 June 2012

Toolkit: Sample IT Risk Register - 20 November 2009



© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of
Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form
without Gartner's prior written permission. It consists of the opinions of Gartner's research
organization, which should not be construed as statements of fact. While the information contained in
this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties
as to the accuracy, completeness or adequacy of such information. Although Gartner research may
address legal and financial issues, Gartner does not provide legal or investment advice and its research
should not be construed or used as such. Your access and use of this publication are governed by
Gartner's Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its
research is produced independently by its research organization without input or influence from any
third party. For further information, see "Guiding Principles on Independence and Objectivity." Gartner
research may not be used as input into or for the training or development of generative artificial
intelligence, machine learning, algorithms, software, or related technologies.
