removed emoji from filenames, Obsidian changed all relevant links

This commit is contained in:
Richard Kranendonk 2026-05-07 15:01:04 +02:00
parent d316285a74
commit 68f1c38681
638 changed files with 710 additions and 3176 deletions

@ -0,0 +1,64 @@
According to ChatGPT on October 8, 2024
*Prompt: what would be the elements in an information security risk register? Make it compliant with ISO 27002*
An information security risk register compliant with ISO/IEC 27002 is a key tool for managing and documenting risks associated with information security within an organization. ISO/IEC 27002 provides guidelines for organizational information security standards and information security management practices. Below are the elements typically found in a risk register aligned with these guidelines:
1. **Risk ID**:
- A unique identifier for each risk to facilitate easy tracking and reference.
2. **Risk Description**:
- A detailed explanation of the risk, including the nature of the risk, affected assets, and potential impacts.
3. **Assets Involved**:
- Identification of the information assets associated with the risk. This can include data, hardware, software, or any resource that could be impacted.
4. **Risk Owner**:
- The individual responsible for managing and monitoring the risk.
5. **Threat Source**:
- Details about the origin or source of the threat that might exploit vulnerabilities in assets (e.g., internal, external, environmental).
6. **Vulnerability**:
- A description of the weaknesses that could be exploited by the identified threats.
7. **Potential Impact**:
- An assessment of the impact on the organization if the risk materializes (e.g., financial, reputational, operational).
8. **Likelihood of Occurrence**:
- An assessment or rating of how likely it is that the risk event will occur.
9. **Risk Level**:
- A calculated risk level, combining impact and likelihood to prioritize risks (e.g., low, medium, high).
10. **Existing Controls**:
- Current controls in place designed to mitigate the risk. This could include technical, administrative, or physical controls.
11. **Effectiveness of Controls**:
- Evaluation of how effective the current controls are in mitigating the risk.
12. **Risk Treatment Plan**:
- A description of actions planned to mitigate, transfer, accept, or avoid the risk. This should follow the risk treatment strategy.
13. **Additional Controls Needed**:
- Recommendations for additional controls or improvements needed to further mitigate or manage the risk.
14. **Residual Risk**:
- The remaining risk after current and planned controls have been considered.
15. **Target Mitigation Date**:
- The planned date by which risk mitigation actions should be implemented.
16. **Review Date**:
- The date when the risk was last reviewed and when it should be reviewed next for any changes in status or control effectiveness.
17. **Status**:
- The current status of the risk management process (e.g., new, in progress, mitigated, up for re-evaluation).
18. **Comments/Notes**:
- Any additional information or notes relevant to the risk and its management.
19. **Approval and Sign-off**:
- Details of who approved and signed off on the risk assessment and treatment plan.
The risk register should be regularly updated and reviewed to reflect changes in the risk landscape and incorporate new threats or vulnerabilities. This aligns with ISO/IEC 27002's emphasis on continuous improvement and adapting to the evolving security environment.
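Review bot: the "compliant with ISO 27002" framing in the prompt and opening paragraph is a loose fit for this list, because ISO/IEC 27002 is the control catalogue, while the obligation to keep a risk assessment with risk owners, likelihood/impact ratings, risk levels compared against acceptance criteria, and a treatment plan comes from ISO/IEC 27001 clause 6.1.2 and 6.1.3, with ISO/IEC 27005 giving the risk-management guidance. Two concrete gaps follow from that: there is no element for the risk acceptance criteria that the calculated "Risk Level" (item 9) is judged against, so "accept" in item 12 has no stated threshold; and items 10 and 13 ("Existing Controls", "Additional Controls Needed") never reference the control identifiers from ISO/IEC 27002 (or the ISO/IEC 27001 Annex A entries the Statement of Applicability tracks), which is the one link that would actually tie the register to 27002. Suggest adding an "Acceptance criteria / threshold" element and a "Control reference (ISO/IEC 27002 control ID)" field, and since the note is explicitly ChatGPT output, marking which elements were checked against the standard text.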