Risk Assessment Template

Property	Value
Document ID	RISK-001
Version	1.0
Status	Draft
Owner	Chief Information Security Officer (CISO)
Last Updated	2026-01-11
Next Review	2027-01-11
Related Controls	SOC 2: CC3.1-CC3.4 / ISO 27001: 6.1.2, 8.2

---

1. Purpose

This template provides a standardized framework for identifying, assessing, and documenting information security risks. Regular risk assessments enable informed decision-making about security investments and control priorities.

---

2. Risk Assessment Information

Field	Value
Assessment Title	[e.g., Annual Security Risk Assessment 2026]
Assessment Date	[date]
Assessor(s)	[names]
Scope	[systems, processes, or areas covered]
Assessment Type	[ ] Annual [ ] Project-based [ ] Triggered
Next Assessment	[date]

---

3. Risk Assessment Methodology

3.1 Risk Calculation

Risk Score = Likelihood × Impact

3.2 Likelihood Scale

Score	Rating	Description	Frequency
5	Almost Certain	Expected to occur	>90% in 12 months
4	Likely	Probably will occur	50-90% in 12 months
3	Possible	Might occur	25-50% in 12 months
2	Unlikely	Could occur but not expected	10-25% in 12 months
1	Rare	Highly unlikely	<10% in 12 months

3.3 Impact Scale

Score	Rating	Financial	Operational	Reputational	Regulatory
5	Critical	>$1M	Complete failure	National media	Major penalty
4	High	$500K-$1M	Severe disruption	Industry media	Significant fine
3	Medium	$100K-$500K	Moderate disruption	Local media	Minor penalty
2	Low	$10K-$100K	Minor disruption	Limited awareness	Warning
1	Negligible	<$10K	Minimal impact	No awareness	None

3.4 Risk Rating Matrix

	Impact 1	Impact 2	Impact 3	Impact 4	Impact 5
Likelihood 5	5 Medium	10 High	15 High	20 Critical	25 Critical
Likelihood 4	4 Medium	8 Medium	12 High	16 Critical	20 Critical
Likelihood 3	3 Low	6 Medium	9 Medium	12 High	15 High
Likelihood 2	2 Low	4 Medium	6 Medium	8 Medium	10 High
Likelihood 1	1 Low	2 Low	3 Low	4 Medium	5 Medium

3.5 Risk Rating Definitions

Score Range	Rating	Response Requirement
16-25	Critical	Immediate action required; executive attention
10-15	High	Action required within 30 days
5-9	Medium	Action required within 90 days
1-4	Low	Monitor; address during normal operations

---

4. Risk Register

4.1 Risk Entry Template

For each identified risk, document:

Field	Description
Risk ID	Unique identifier (e.g., RISK-2026-001)
Risk Title	Brief descriptive name
Category	Threat category (see below)
Description	Detailed description of the risk
Threat Source	Who/what could cause this risk
Vulnerability	Weakness that could be exploited
Asset(s) Affected	What would be impacted
Existing Controls	Current controls in place
Likelihood (1-5)	Probability of occurrence
Impact (1-5)	Consequence if it occurs
Risk Score	Likelihood × Impact
Risk Rating	Critical/High/Medium/Low
Risk Owner	Person accountable
Treatment	Accept/Mitigate/Transfer/Avoid
Treatment Plan	Planned actions
Target Risk Score	Expected score after treatment
Due Date	Target completion date
Status	Open/In Progress/Closed

4.2 Risk Categories

Category	Examples
Access Control	Unauthorized access, privilege abuse
Application Security	Vulnerabilities, injection attacks
Data Protection	Data breach, data loss
Infrastructure	System failure, misconfiguration
Network Security	Network intrusion, DDoS
Third-Party	Vendor breach, supply chain
Human Factors	Phishing, insider threat, error
Physical	Theft, natural disaster
Compliance	Regulatory violation, audit failure
Business Continuity	Service disruption, disaster recovery

---

5. Sample Risk Register

ID	Title	Category	L	I	Score	Rating	Treatment	Owner	Status
RISK-2026-001	Ransomware Attack	Malware	3	5	15	High	Mitigate	CISO	Open
RISK-2026-002	Third-Party Data Breach	Third-Party	3	4	12	High	Mitigate	Security	Open
RISK-2026-003	Credential Phishing	Human Factors	4	3	12	High	Mitigate	Security	Open
RISK-2026-004	Unpatched Vulnerabilities	Infrastructure	3	3	9	Medium	Mitigate	DevOps	Open
RISK-2026-005	Insider Data Theft	Human Factors	2	4	8	Medium	Mitigate	HR/Security	Open
RISK-2026-006	Cloud Misconfiguration	Infrastructure	3	4	12	High	Mitigate	DevOps	Open
RISK-2026-007	DDoS Attack	Network	2	3	6	Medium	Transfer	IT	Open
RISK-2026-008	Physical Intrusion	Physical	1	3	3	Low	Accept	Facilities	Open

---

6. Detailed Risk Entry Example

Risk ID: RISK-2026-001

Field	Value
Risk Title	Ransomware Attack
Category	Malware
Description	An attacker deploys ransomware that encrypts critical business data and systems, disrupting operations and potentially leading to data loss or ransom payment.
Threat Source	External attackers, criminal organizations
Vulnerability	Phishing susceptibility, unpatched systems, weak access controls
Asset(s) Affected	Production servers, databases, file shares
Existing Controls	EDR, email filtering, backups, security awareness training
Likelihood	3 (Possible)
Impact	5 (Critical)
Risk Score	15
Risk Rating	High
Risk Owner	CISO
Treatment	Mitigate
Treatment Plan	1. Implement immutable backups (Q1) 2. Deploy network segmentation (Q2) 3. Enhance phishing training (ongoing) 4. Implement PAM solution (Q2)
Target Risk Score	9 (Medium)
Due Date	2026-06-30
Status	In Progress

---

7. Risk Treatment Options

Treatment	Description	When to Use
Mitigate	Implement controls to reduce likelihood or impact	When cost-effective controls exist
Transfer	Transfer risk to third party (insurance, outsourcing)	When expertise or capacity limited
Accept	Acknowledge and monitor the risk	When risk is within tolerance
Avoid	Eliminate the activity causing the risk	When risk outweighs benefit

---

8. Risk Assessment Checklist

Preparation

• Define assessment scope
• Identify stakeholders
• Gather existing documentation
• Review previous assessments
• Schedule stakeholder interviews

Identification

• Review threat intelligence
• Analyze vulnerability scan results
• Review incident history
• Conduct stakeholder interviews
• Review audit findings

Analysis

• Assess likelihood for each risk
• Assess impact for each risk
• Calculate risk scores
• Consider existing controls
• Prioritize risks

Treatment

• Identify treatment options
• Conduct cost-benefit analysis
• Assign risk owners
• Define treatment plans
• Set target risk levels

Documentation

• Complete risk register
• Prepare summary report
• Present to management
• Obtain approval
• Schedule follow-up

---

9. Risk Assessment Summary Report

9.1 Executive Summary Template

Risk Assessment Summary
Date: [date]
Scope: [scope]

Total Risks Identified: [number]
- Critical: [number]
- High: [number]
- Medium: [number]
- Low: [number]

Top 5 Risks:
1. [Risk title] - Score: [X]
2. [Risk title] - Score: [X]
3. [Risk title] - Score: [X]
4. [Risk title] - Score: [X]
5. [Risk title] - Score: [X]

Key Recommendations:
1. [Recommendation]
2. [Recommendation]
3. [Recommendation]

Resource Requirements: [summary]
Timeline: [summary]

---

10. Evidence Requirements

Evidence Type	Description	Location	Retention
Risk Register	Complete risk register	GRC platform	Current + 3 years
Assessment Reports	Summary reports	Document repository	3 years
Meeting Minutes	Risk review discussions	Document repository	3 years
Treatment Plans	Risk mitigation plans	GRC/ticketing	Duration + 1 year
Sign-off	Management approval	Document repository	3 years

---

11. Related Documents

• Information Security Policy (POL-001)
• Risk Treatment Plan (RISK-002)
• Control Mapping Matrix (RISK-004)

---

12. Version History

Version	Date	Author	Changes
1.0	2026-01-11	Security Team	Initial release

---

This document is classified as INTERNAL. Unauthorized distribution is prohibited.