Beter Geregeld ICT
Compliance · 2 min read · 11 October 2025

An ISO risk register that works (and doesn't look like a consultant export)

A risk register doesn't have to be a 300-row spreadsheet. For an SMB, 30–60 risks is realistic. Here's a format that survives an audit and is actually useful day to day.

The risk register is the master list of "what could go wrong". Consultants sometimes deliver 300-row sheets full of theoretical risks. For an SMB, 30–60 is realistic. Every risk should be explainable in plain terms to a non-technical CFO.

What to record per risk

  • Short description ("loss of laptop containing client data")
  • Which asset or process is affected
  • Threat (theft) and vulnerability (no disk encryption)
  • Likelihood (1–5) × impact (1–5) = score
  • Current controls
  • Owner (name)
  • Residual risk score
  • Further action (optional) + deadline

Realistic scoring

Likelihood: 1 = extremely rare, 3 = could happen once a year, 5 = everyday reality. Impact: 1 = minor inconvenience, 3 = one day's work lost, 5 = business at risk. A score of 15 or above requires action.
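As an added example (not code from the original article), here is a small Python model of the register with the fields listed above, the 1–5 × 1–5 scoring, and the consistency checks an auditor would run over it. It assumes the 15-point action threshold is applied to the residual score (the risk left after current controls); the two sample entries, their owners and their scores are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

SCALE = range(1, 6)    # likelihood and impact are both scored 1-5
ACTION_THRESHOLD = 15  # "a score of 15 or above requires action"

@dataclass
class Risk:
    description: str               # e.g. "loss of laptop containing client data"
    asset: str                     # asset or process affected
    threat: str                    # e.g. theft
    vulnerability: str             # e.g. no disk encryption
    likelihood: int                # 1-5
    impact: int                    # 1-5
    controls: List[str]            # current controls
    owner: str                     # a named person
    residual_score: int            # 1-25, risk left after current controls
    action: Optional[str] = None   # further action (optional)
    deadline: Optional[str] = None # required whenever an action is recorded

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1-5")
        if self.residual_score not in range(1, 26):
            raise ValueError("residual score must be 1-25")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def audit_findings(register: List[Risk]) -> List[str]:
    """Consistency checks an auditor would run over the register."""
    findings = []
    for r in register:
        if r.residual_score > r.score:
            findings.append(f"{r.description}: residual score exceeds inherent score")
        if r.residual_score >= ACTION_THRESHOLD and not r.action:
            findings.append(f"{r.description}: residual {r.residual_score} requires action, none recorded")
        if r.action and not r.deadline:
            findings.append(f"{r.description}: action without deadline")
        if not r.owner.strip():
            findings.append(f"{r.description}: no owner")
    return findings

SAMPLE_REGISTER = [  # constructed entries based on two of the article's SMB examples; scores are illustrative
    Risk("Ransomware on an employee laptop via a phishing email", "laptops, file server",
         "ransomware", "users open attachments; no EDR", 4, 5,
         ["mail filtering", "offline backups"], "J. de Vries", residual_score=15),
    Risk("Former employee still has access to client data", "CRM", "unauthorised access",
         "offboarding checklist not followed", 3, 4, ["quarterly access review"], "",
         residual_score=8, action="automate account disablement from the HR system"),
]
```

Running `audit_findings(SAMPLE_REGISTER)` flags the ransomware entry for sitting at the threshold with no action, and the offboarding entry for a missing owner and a missing deadline, which is exactly what a quarterly run-through should surface.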

Review cadence

  • Every quarter: run through the current list, add any new risks.
  • Annually: full review as part of the management review.
  • After every incident: update the risk register with the lesson learned.

Realistic SMB risk examples

  1. Ransomware on an employee laptop via a phishing email
  2. A former employee still has access to client data (offboarding gap)
  3. Accounting admin access goes unreviewed for months (review lag)
  4. Cloud provider goes down during peak season
  5. Employee clicks a phishing email and an MFA fatigue attack succeeds
  6. A shared password leaks via a Slack paste

For incident logging, see: setting up an incident log.

Topics

#iso-27001 #risk-register #risicomanagement

Full guide: ISO 27001 for SMBs without spending €50k on consultants

This article is part of our comprehensive Compliance guide. Read the pillar for the complete picture.
