Do you maintain a cyber risk register reviewed quarterly with senior leadership (Art 21.2.a)?
Description
What this control does
This control requires organizations to establish and continuously maintain a structured cyber risk register that documents identified cybersecurity threats, vulnerabilities, impacts, likelihoods, and treatment decisions. The register must be reviewed at least quarterly in formal sessions with senior leadership (executive management or board level) to ensure risk awareness, informed decision-making, and alignment of cybersecurity investments with business priorities. This practice fulfills NIS2 Article 21.2.a requirements for risk management measures and governance accountability.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current cyber risk register that is formally reviewed and approved by senior leadership on a quarterly basis, with documented evidence of leadership participation and risk treatment decisions.
Associated risks
Risks this control addresses
- Critical cyber risks remain unidentified or unmitigated due to lack of systematic risk inventory and tracking
- Senior leadership makes strategic business decisions without visibility into current cyber threat exposure and residual risk levels
- Risk treatment plans are not executed or monitored, leaving vulnerabilities unaddressed for extended periods
- Regulatory non-compliance with NIS2 Article 21 governance and risk management obligations resulting in enforcement actions
- Inadequate resource allocation for cybersecurity initiatives due to absence of risk-based prioritization at executive level
- Incident response and business continuity plans fail to address actual risk landscape due to outdated or incomplete risk assessments
- Cyber insurance claims are denied or coverage is inadequate because insurers identify material gaps in documented risk management practices
Testing procedure
How an auditor verifies this control
- Request the current cyber risk register and all versions maintained during the past 12 months to establish inventory completeness and update frequency
- Review the risk register structure to verify it includes mandatory fields: risk ID, description, threat source, affected assets, likelihood, impact, inherent risk rating, existing controls, residual risk rating, risk owner, and treatment plan
- Select a sample of 10-15 risks spanning different categories (infrastructure, application, third-party, operational) and trace each to supporting risk assessment documentation, threat intelligence sources, or vulnerability scan reports
- Obtain meeting minutes, presentation materials, and attendance records from all quarterly senior leadership risk review sessions conducted in the past 12 months
- Verify that attendees at quarterly reviews include C-level executives or board members with documented attendance logs or signature sheets
- Examine meeting minutes to confirm discussion of specific high and critical risks, risk trend analysis, treatment plan status updates, and documented leadership decisions or approvals
- Compare risk register entries across quarterly versions to identify changes in risk ratings, new risks added, risks closed, and validate that changes align with documented security events, control implementations, or environmental changes
- Interview the risk register owner and a sample of risk owners to validate understanding of assigned risks, treatment responsibilities, and frequency of updates between quarterly reviews