Plain Compliance

How to make an ISO 27001 risk register manageable

Risk registers sprawl into hundreds of unread rows. Here’s how to keep yours small, honest, and genuinely useful.

  • iso-27001
  • risk

The risk register is where good intentions go to die. It starts as a sensible list and within a few months it’s a 300-row spreadsheet nobody opens. A register that long isn’t thorough — it’s unusable.

Why registers sprawl

Two habits cause most of the bloat:

  1. Listing assets instead of risks. “Laptop”, “server”, “website” aren’t risks. The risk is what could happen to them, and what that would cost you.
  2. Copying a template. Generic registers include risks that don’t apply to your business, and you feel obliged to keep them.

Keep it small and honest

A useful SME register usually has tens of entries, not hundreds. To keep it that way:

  • Describe real scenarios. “A developer laptop is stolen and contains client source code” beats “endpoint security.”
  • Score impact and likelihood simply. A 1–3 scale for each is plenty to sort what matters from what doesn’t.
  • Tie each risk to a decision. Treat it, tolerate it, transfer it, or terminate the activity. A risk with no decision is just a worry.

If you wouldn’t change anything based on a row, it probably doesn’t belong in the register.

Review it on a rhythm

A register is a living document. Pick a cadence you’ll actually keep — quarterly is realistic for most SMEs — and review the top risks first. The long tail rarely changes.
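The scoring, decision and review-cadence advice above is easy to encode so the register checks itself. The following Python script is an added illustration, not something from the original post or from Plain Compliance's product: it models each row with a 1-3 impact and likelihood, rejects rows that carry no treat/tolerate/transfer/terminate decision, applies a crude, constructed word-count heuristic to catch asset labels masquerading as scenarios, and returns the top rows for a quarterly review. The sample rows, owners and the `lint_risk` / `review_set` names are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Treatment(Enum):
    """The four decisions a row can carry; a row with none is 'just a worry'."""
    TREAT = "treat"
    TOLERATE = "tolerate"
    TRANSFER = "transfer"
    TERMINATE = "terminate"


@dataclass
class Risk:
    scenario: str                      # a concrete "what could happen", not an asset name
    impact: int                        # 1-3
    likelihood: int                    # 1-3
    decision: Optional[Treatment] = None
    owner: str = ""

    @property
    def score(self) -> int:
        # Plain product; on a 1-3 scale the only possible values are 1, 2, 3, 4, 6, 9
        return self.impact * self.likelihood


def lint_risk(risk: Risk) -> List[str]:
    """Return the reasons a row does not belong in the register as written."""
    problems: List[str] = []
    for name, value in (("impact", risk.impact), ("likelihood", risk.likelihood)):
        if not 1 <= value <= 3:
            problems.append(f"{name} {value} is outside the 1-3 scale")
    if risk.decision is None:
        problems.append("no treat/tolerate/transfer/terminate decision: a worry, not a risk")
    # Crude constructed heuristic: a scenario is a sentence with several words;
    # a bare asset or control label ("Laptop", "endpoint security") is not.
    if len(risk.scenario.split()) < 4:
        problems.append(f"'{risk.scenario}' reads like an asset or control label, not a scenario")
    return problems


def lint_register(register: List[Risk]) -> Dict[str, List[str]]:
    """Map each scenario to its problems; rows with no problems are omitted."""
    return {r.scenario: p for r in register if (p := lint_risk(r))}


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so severe-but-rare stays visible."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def review_set(register: List[Risk], top_n: int = 5) -> List[Risk]:
    """Rows to walk through at the quarterly review: clean rows only, top N by score."""
    clean = [r for r in register if not lint_risk(r)]
    return prioritise(clean)[:top_n]


# Constructed sample rows for the example, not taken from any real register
SAMPLE_REGISTER = [
    Risk("A developer laptop is stolen and contains client source code", 3, 2, Treatment.TREAT, "CTO"),
    Risk("Laptop", 2, 2),  # the asset-instead-of-risk habit the post warns about
    Risk("Ransomware encrypts the file server and the newest backup is a week old", 3, 2, Treatment.TREAT, "IT lead"),
    Risk("Printed payroll is left on a desk overnight where cleaners can read it", 1, 3, Treatment.TOLERATE, "Finance"),
    Risk("The cloud host has an outage and the customer portal is down for a day", 2, 2, Treatment.TRANSFER, "Ops"),
]


if __name__ == "__main__":
    for scenario, problems in lint_register(SAMPLE_REGISTER).items():
        print(f"FIX: {scenario}: {'; '.join(problems)}")
    print("Quarterly review, top risks first:")
    for r in review_set(SAMPLE_REGISTER, top_n=3):
        print(f"{r.score}  {r.decision.value:<9} {r.owner:<8} {r.scenario}")
```

Run as a script, it reports the "Laptop" row as needing a real scenario and a decision, then lists the three highest-scoring clean rows, which is the set a quarterly review should start with. The word-count check is deliberately crude; its job is to stop one-word asset names reaching the register, not to judge prose quality.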

Plain Compliance generates a starter risk register from your answers, so you begin with the handful of risks that genuinely matter to your business. Start your free gap analysis.
