A cyber risk register is only useful if it stays current. A spreadsheet drifts out of date the moment it is saved; a living register keeps risk, treatment and evidence in one place and ties them to your compliance gaps.
The fields that matter
Each risk in the register captures a full picture:
| Field | What it records |
|---|---|
| Risk title | A clear description of the risk. |
| Likelihood & consequence | The two axes that drive the rating. |
| Inherent risk | The rating before controls are applied. |
| Existing controls | What is already in place to reduce the risk. |
| Treatment plan | What you will do to treat it further. |
| Owner & due date | Who is accountable, and by when. |
| Residual risk | The rating after controls and treatment. |
| Status & evidence | Where the treatment stands, with supporting evidence. |
Tied to your compliance work
The register connects directly to your Essential Eight, APPs and ISO 27001 gaps, so a gap becomes a tracked risk with an owner and a treatment plan - not a line item that gets forgotten. When a board or client asks about cyber risk, you export a clear report instead of screenshotting a spreadsheet.
Frequently asked questions
What is the difference between inherent and residual risk?
Inherent risk is the rating before controls are applied; residual risk is the rating that remains after your existing controls and planned treatment. The register tracks both.
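The field table above and this inherent-versus-residual distinction, worked through as an added example (not the product's own code or data model): the 5-point scales, the 5x5 rating matrix, the status values and the sample register entries are all assumptions, since the page names only the fields and the two axes.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
def rate(likelihood, consequence):
    """Score and band from the two axes (5-point scales and bands are assumed; the page names only the axes)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    band = "extreme" if score >= 15 else "high" if score >= 8 else "medium" if score >= 4 else "low"
    return score, band

@dataclass
class Risk:
    title: str
    likelihood: str                   # inherent axes, rated before any controls
    consequence: str
    existing_controls: list
    treatment_plan: str
    owner: str
    due: date
    gap: Optional[str] = None         # the compliance gap this risk tracks
    status: str = "open"              # assumed states: open, treated, closed
    evidence: list = field(default_factory=list)
    residual_likelihood: Optional[str] = None     # re-rated after controls and treatment;
    residual_consequence: Optional[str] = None    # None means not yet re-rated
    def inherent(self): return rate(self.likelihood, self.consequence)
    def residual(self):
        # Until re-rated, residual equals inherent: an unreviewed treatment earns no credit
        return rate(self.residual_likelihood or self.likelihood, self.residual_consequence or self.consequence)

def review_findings(register, today):
    """Checks to run before exporting: overdue treatments and status claims with no evidence."""
    findings = []
    for r in register:
        if r.status not in ("treated", "closed") and r.due < today:
            findings.append(f"OVERDUE: '{r.title}' ({r.owner}) was due {r.due}")
        if r.status in ("treated", "closed") and not r.evidence:
            findings.append(f"NO EVIDENCE: '{r.title}' is marked {r.status} with nothing to support it")
    return findings

REVIEW_DATE = date(2024, 7, 1)   # constructed sample register below, not real data
REGISTER = [
    Risk("Unpatched internet-facing VPN appliance", "likely", "major", ["monthly patch cycle"],
         "Patch extreme-risk vulnerabilities within 48 hours", "IT Manager", date(2024, 6, 30),
         gap="Essential Eight: patch applications", status="treated",
         evidence=["patch-report-2024-06.pdf"], residual_likelihood="unlikely"),
    Risk("Shared admin account on file server", "possible", "moderate", [],
         "Issue named admin accounts and disable the shared one", "Sysadmin", date(2024, 3, 31),
         gap="Essential Eight: restrict admin privileges"),
]
```

Running `review_findings(REGISTER, REVIEW_DATE)` flags the second risk as overdue while the first, treated and evidenced, is clean; the residual rating only drops once the axes have actually been re-rated.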
Can I export the risk register for a board?
Yes. You can export a review-ready report of your risks, treatments and status for a board, client or auditor.