Cybersecurity Risk Management (RM) — Docs
Structured risk register for identifying, assessing, and mitigating information security risks, aligned with ISO/IEC 27001 and ISO/IEC 27005.
The Cybersecurity Risk Management module provides organizations with a structured and effective way to identify, assess, and mitigate information security risks. It is built on ISO/IEC 27001 and aligned with ISO/IEC 27005:2022, and serves as a risk register that helps businesses evaluate and manage risks in a systematic manner.
The module also incorporates ISO/IEC 27554:2024, which applies ISO 31000 risk management principles to identity-related risks, helping organizations assess threats related to identity management and access control.
This module can be used standalone or as an integrated part of a broader security management program.
Dashboard
The dashboard consists of two sections.
Risk Rating Charts
- Current Risk Rating Chart — displays the current level of risk based on implemented risk treatments
- Target Risk Rating Matrix — represents the expected risk levels after full implementation of controls
Risk Register Table
| Column | Description |
|---|---|
| ID | Unique identifier for each risk, corresponding to a Task ID |
| Risk Description | Brief summary of the identified risk |
| Asset Owner | Person responsible for managing the risk |
| Impact | Potential business impact if the risk occurs |
| Raw Probability | Likelihood of the risk occurring without treatment (%) |
| Raw Impact | Estimated business impact without treatment (%) |
| Raw Risk Rating | Raw Probability × Raw Impact |
| Risk Treatment | Mitigation strategy (Avoid / Transfer / Accept / Control) |
| Treatment Cost | Estimated cost for mitigating the risk |
| Treatment Status | Implementation progress of the planned treatment (0–100%) |
| Treated Probability | Expected likelihood after treatment (shown in bold if different from raw) |
| Treated Impact | Expected impact after treatment (shown in bold if different from raw) |
| Target Risk Rating | Expected risk level after full control implementation |
| Current Risk Rating | Present risk rating based on treatment progress |
| Notes | Additional context; can be added to task description or comments |
Risk Assessment Methodology
The risk register provides a systematic approach to identifying, assessing, and managing information security risks. This methodology is aligned with ISO/IEC 27001 and ISO/IEC 27005:2022, ensuring a consistent and transparent risk management process.
Risk Calculation
The risk rating is calculated as Probability × Impact (the Raw Risk Rating column above), with both values expressed as percentages. While not mathematically rigorous, this approach is effective for ranking and prioritizing risks for management decision-making.
An alternative formula can be used when historical data is available:
This approach is particularly useful for frequently occurring incidents such as data entry errors, malware, or spam, where quantitative values can be reliably assigned.
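A worked example of the register arithmetic described above, added here and not part of the module's own code: it parses a constructed CSV in the Import/Export column layout, computes raw and target ratings as Probability × Impact, and ranks the rows by current rating. The Current Risk Rating formula (linear interpolation between raw and target by Treatment Status) is an assumption, since the page does not define it.

```python
import csv
import io

# Constructed sample rows using the register's column names (not real data)
SAMPLE_CSV = """\
ID,Risk Description,Raw Probability,Raw Impact,Risk Treatment,Treatment Status,Treated Probability,Treated Impact
R-1,Phishing leads to credential theft,60,80,Control,50,20,80
R-2,Lost laptop exposes customer data,30,90,Control,100,30,20
R-3,Vendor SaaS outage,40,40,Accept,0,40,40
"""


def pct(value: str) -> float:
    """Parse a percentage field and reject values outside 0-100."""
    number = float(value)
    if not 0.0 <= number <= 100.0:
        raise ValueError(f"percentage out of range: {value!r}")
    return number


def rating(probability: float, impact: float) -> float:
    """Risk rating = Probability × Impact, both in percent, result in percent."""
    return probability * impact / 100.0


def current_rating(raw: float, target: float, status: float) -> float:
    """Assumed model: move linearly from raw to target as treatment progresses."""
    return raw - (raw - target) * status / 100.0


def assess(row: dict) -> dict:
    """Derive the dashboard's computed columns for one register row."""
    raw_p, raw_i = pct(row["Raw Probability"]), pct(row["Raw Impact"])
    tr_p, tr_i = pct(row["Treated Probability"]), pct(row["Treated Impact"])
    raw, target = rating(raw_p, raw_i), rating(tr_p, tr_i)
    return {
        "id": row["ID"],
        "treatment": row["Risk Treatment"],
        "raw_rating": raw,
        "target_rating": target,
        "current_rating": current_rating(raw, target, pct(row["Treatment Status"])),
        # the dashboard shows treated values in bold when they differ from raw
        "treated_changed": (tr_p, tr_i) != (raw_p, raw_i),
    }


def load_register(text: str) -> list[dict]:
    """Parse register CSV and return rows ranked by current risk rating."""
    rows = [assess(r) for r in csv.DictReader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r["current_rating"], reverse=True)


if __name__ == "__main__":
    for r in load_register(SAMPLE_CSV):
        print(f"{r['id']}: raw {r['raw_rating']:.0f}%  current "
              f"{r['current_rating']:.0f}%  target {r['target_rating']:.0f}%")
```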
Risk Treatment Options
| Option | Description |
|---|---|
| Avoid | Eliminate the risk by discontinuing the activity that gives rise to it |
| Transfer | Share the risk with another party (e.g., via insurance or outsourcing) |
| Accept | Acknowledge and monitor the risk without active mitigation |
| Control Implementation | Apply security measures to reduce probability and/or impact |
Import / Export
Risk Management records can be imported and exported.
Import formats: Excel (.xlsx), OpenDocument (.ods), CSV (.csv)
Export formats: Excel (.xlsx), OpenDocument (.ods), CSV (.csv), HTML (.html), PDF (.pdf)
Use import/export to migrate risk registers between environments or share risk assessments with external auditors and risk managers.
Activity Logs
Access audit logs by opening the associated task and navigating to Audit Logs → Risk Audit Logs.
Logged events:
- Created
- Updated
- Deleted