Is there a formal cyber risk register reviewed by management at least quarterly?
Description
What this control does
A formal cyber risk register is a centralized, documented inventory of identified cybersecurity threats, vulnerabilities, and risks, each assessed for likelihood and impact, with assigned ownership and mitigation strategies. Management reviews this register at least quarterly to track changes in the risk landscape, validate mitigation progress, and make informed resource allocation decisions. This control ensures that cyber risk management is continuous, transparent, and aligned with organizational risk appetite, enabling proactive rather than reactive security posture adjustments.
Control objective
What auditing this proves
Demonstrate that the organization maintains a current cyber risk register that undergoes formal management review at least quarterly, with documented evidence of risk assessment updates, mitigation tracking, and management decisions.
Associated risks
Risks this control addresses
- Unidentified or untracked cybersecurity risks materialize without mitigation plans, causing business disruption or data breaches
- Management allocates security resources without understanding the organization's highest-priority cyber threats, leading to inefficient spending
- Critical vulnerabilities remain unaddressed because no formal tracking mechanism ensures timely remediation and accountability
- Risk ownership ambiguity results in no party taking responsibility for implementing controls or monitoring threat evolution
- Stale risk assessments fail to reflect new attack vectors (e.g., emerging ransomware families, supply chain exploits) introduced since the last evaluation
- Compliance failures occur when regulatory risks are not documented, tracked, or escalated to appropriate decision-makers
- Lack of historical risk trending prevents the organization from learning whether past mitigation efforts effectively reduced exposure
Testing procedure
How an auditor verifies this control
- Request the current cyber risk register and verify it contains at minimum: risk descriptions, likelihood and impact ratings, risk owners, current mitigation status, and target closure dates.
- Obtain management review meeting minutes, presentations, or sign-off documents for the most recent four quarters to confirm quarterly review frequency.
- Select a sample of 10-15 risks from the register and verify each includes documented assessment criteria (e.g., likelihood scoring methodology, impact categories such as financial, reputational, operational).
- Trace three high-priority risks from the register to corresponding mitigation projects, remediation tickets, or control implementation records to validate that identified risks drive action.
- Interview risk owners for a sample of risks to confirm they are aware of their accountability and can describe current mitigation status and outstanding challenges.
- Compare the risk register from two consecutive quarters to identify new risks added, risks closed, and changes in risk ratings, then verify management meeting records discuss these changes.
- Review the risk register update process documentation to confirm roles, responsibilities, frequency of updates between management reviews, and escalation criteria for emerging threats.
- Cross-reference a recent significant security event (e.g., vulnerability disclosure, threat intelligence alert, audit finding) to verify it was added to the risk register and reviewed by management in a timely manner.
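Three of the steps above (required register fields, four quarters of documented review, and a quarter-over-quarter comparison) can be checked mechanically once the register is exported. The script below is an added example, not part of this control's text or any particular tool; the column names, the 1-5 likelihood/impact scale and the two register snapshots, review dates and risk identifiers are all constructed for illustration.

```python
"""Automated checks for an exported cyber risk register (added example).
Field names, the 1-5 rating scale and all sample data are assumptions."""
from datetime import date

REQUIRED_FIELDS = ("id", "description", "likelihood", "impact",
                   "owner", "mitigation_status", "target_closure_date")
RATING_SCALE = range(1, 6)  # assumed 1-5 scale for likelihood and impact


def validate_register(register):
    """Return findings for entries missing required fields or with out-of-scale ratings."""
    findings = []
    for entry in register:
        rid = entry.get("id", "<no id>")
        for field in REQUIRED_FIELDS:
            if entry.get(field) in (None, ""):
                findings.append(f"{rid}: missing {field}")
        for field in ("likelihood", "impact"):
            value = entry.get(field)
            if value is not None and value not in RATING_SCALE:
                findings.append(f"{rid}: {field} {value!r} outside 1-5 scale")
    return findings


def quarter_of(d):
    """Map a date to a (year, quarter) tuple."""
    return (d.year, (d.month - 1) // 3 + 1)


def previous_quarters(as_of, count):
    """The `count` completed quarters before as_of's quarter, newest first."""
    year, q = quarter_of(as_of)
    out = []
    for _ in range(count):
        q -= 1
        if q == 0:
            year, q = year - 1, 4
        out.append((year, q))
    return out


def check_review_cadence(review_dates, as_of, quarters=4):
    """Return the recent quarters with no documented management review."""
    reviewed = {quarter_of(d) for d in review_dates}
    return [q for q in previous_quarters(as_of, quarters) if q not in reviewed]


def diff_registers(previous, current):
    """Identify risks added, risks closed and rating changes between two snapshots."""
    prev = {e["id"]: e for e in previous}
    curr = {e["id"]: e for e in current}
    added = sorted(set(curr) - set(prev))
    # A risk counts as closed if it was dropped or its status moved to "closed".
    closed = sorted(rid for rid in prev
                    if rid not in curr or curr[rid].get("mitigation_status") == "closed")
    rating_changes = {}
    for rid in set(prev) & set(curr):
        before = (prev[rid]["likelihood"], prev[rid]["impact"])
        after = (curr[rid]["likelihood"], curr[rid]["impact"])
        if before != after:
            rating_changes[rid] = {"before": before, "after": after}
    return {"added": added, "closed": closed, "rating_changes": rating_changes}


# Constructed sample data: two consecutive quarterly snapshots and review dates.
PREVIOUS_REGISTER = [
    {"id": "R-01", "description": "Ransomware on file servers", "likelihood": 4, "impact": 5,
     "owner": "IT Ops", "mitigation_status": "in progress", "target_closure_date": "2024-12-31"},
    {"id": "R-02", "description": "Unpatched VPN appliance", "likelihood": 3, "impact": 4,
     "owner": "Network", "mitigation_status": "in progress", "target_closure_date": "2024-09-30"},
    {"id": "R-03", "description": "SaaS admin access without MFA", "likelihood": 3, "impact": 3,
     "owner": "IAM", "mitigation_status": "planned", "target_closure_date": "2025-01-31"},
]
CURRENT_REGISTER = [
    {"id": "R-01", "description": "Ransomware on file servers", "likelihood": 3, "impact": 5,
     "owner": "IT Ops", "mitigation_status": "in progress", "target_closure_date": "2024-12-31"},
    {"id": "R-02", "description": "Unpatched VPN appliance", "likelihood": 3, "impact": 4,
     "owner": "Network", "mitigation_status": "closed", "target_closure_date": "2024-09-30"},
    {"id": "R-03", "description": "SaaS admin access without MFA", "likelihood": 3, "impact": 3,
     "owner": "IAM", "mitigation_status": "planned", "target_closure_date": "2025-01-31"},
    {"id": "R-04", "description": "Build pipeline supply chain compromise", "likelihood": 2,
     "impact": 5, "owner": "", "mitigation_status": "planned", "target_closure_date": None},
]
REVIEW_DATES = [date(2024, 2, 14), date(2024, 5, 10), date(2024, 11, 12)]  # no Q3 review
AS_OF = date(2025, 1, 15)

if __name__ == "__main__":
    print("Field findings:", validate_register(CURRENT_REGISTER))
    print("Quarters lacking review:", check_review_cadence(REVIEW_DATES, AS_OF))
    print("Quarter-over-quarter diff:", diff_registers(PREVIOUS_REGISTER, CURRENT_REGISTER))
```

On the constructed data the field check flags the new R-04 entry for a blank owner and no target closure date, the cadence check reports Q3 2024 as lacking a documented review, and the diff lists R-04 as added, R-02 as closed and R-01's likelihood reduction, which is exactly the set of changes an auditor would then expect to find discussed in the Q4 management minutes.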