10 min read · CisoDeck Team

How to Build a vCISO Risk Register (Free Template Included)

Step-by-step guide to building a vCISO risk register with a sample template, 5×5 scoring methodology, and update cadence recommendations.

A vCISO risk register is a structured document that catalogs every identified cybersecurity risk across a client engagement, scores each risk by likelihood and impact, assigns an owner, and tracks treatment status over time. It is the single artifact that connects your assessment findings to ongoing governance — and the deliverable most likely to be referenced between quarterly reviews.

Key takeaways

  • A risk register turns assessment findings into a living, trackable inventory of cyber risks.
  • Use a 5x5 likelihood-by-impact matrix to produce consistent, defensible severity scores.
  • Every risk needs a named owner — not a team, not a department, a person.
  • Update active treatment items monthly and do a full register review each quarter.
  • Tooling eliminates the spreadsheet maintenance tax and keeps registers current across clients.

What goes in a risk register?

A complete risk register entry captures enough context for any stakeholder — the client's CTO, an auditor, or a board member — to understand the risk without additional explanation. At minimum, each row should include:

  • Risk ID. A unique identifier (e.g., RSK-001) for referencing in reports and treatment plans.
  • Description. A plain-language statement of the risk scenario. Write it as a business outcome, not a technical finding: "Customer data exposure through unpatched web application vulnerabilities" rather than "CVE-2024-XXXX on Apache 2.4."
  • Category. Group risks by domain — access control, data protection, network security, third-party, physical, compliance — so you can report on risk concentrations.
  • Likelihood and Impact. Numeric scores from your scoring methodology (see below).
  • Severity score. Likelihood multiplied by impact. This is the number that drives prioritization.
  • Owner. A named individual accountable for treatment decisions and progress.
  • Status. Open, in treatment, accepted, or closed.
  • Treatment plan. What action is being taken — mitigate, accept, transfer, or avoid — and the target completion date.

Below is a sample risk register with five entries. Use this as a starting point and adapt the categories and scoring to each client's context.

Risk ID | Description                                                                          | Category         | Likelihood | Impact | Score | Owner                  | Status
RSK-001 | Customer data exposure via unpatched web application vulnerabilities                 | Data Protection  | 4          | 5      | 20    | J. Martinez (CTO)      | In Treatment
RSK-002 | Ransomware infection due to lack of endpoint detection on remote devices             | Network Security | 3          | 5      | 15    | A. Patel (IT Director) | In Treatment
RSK-003 | Unauthorized access through accounts without multi-factor authentication             | Access Control   | 4          | 4      | 16    | S. Lee (IT Manager)    | Open
RSK-004 | Supply chain compromise through unassessed critical SaaS vendor                      | Third-Party      | 2          | 4      | 8     | R. Chen (Procurement)  | Open
RSK-005 | GDPR non-compliance due to missing data processing agreements with sub-processors    | Compliance       | 3          | 3      | 9     | M. Dubois (DPO)        | Accepted

How do you score likelihood and impact?

Use a 5x5 likelihood-by-impact matrix. Five-level qualitative scales of this kind appear in ISO/IEC 27005 and NIST SP 800-30, and most enterprise risk frameworks built on them use the same shape. Each axis runs from 1 (very low) to 5 (very high), and multiplying the two gives severity scores from 1 to 25. Keep both component scores visible alongside the product: a 5x1 and a 1x5 both score 5 but are not the same risk to the business, so break ties on impact when prioritising.

Define clear, written criteria for each level so scoring is consistent across assessors and time periods:

  • Likelihood 1 (Rare): Less than once per five years. No known threat actors actively targeting this vector.
  • Likelihood 2 (Unlikely): Once per two to five years. Theoretical attack path exists but exploitation is non-trivial.
  • Likelihood 3 (Possible): Once per year. Active threat intelligence suggests this vector is exploited in the wild.
  • Likelihood 4 (Likely): Multiple times per year. The client has experienced near-misses or the industry sees regular incidents.
  • Likelihood 5 (Almost Certain): Monthly or more frequently. Exploitation is trivial and actively occurring.
  • Impact 1 (Negligible): No measurable business disruption or data exposure.
  • Impact 2 (Minor): Limited operational impact, resolved within hours, no regulatory notification required.
  • Impact 3 (Moderate): Significant operational disruption lasting days, potential minor regulatory exposure.
  • Impact 4 (Major): Severe financial loss or reputational damage, regulatory notification required.
  • Impact 5 (Critical): Existential threat — major data breach, large regulatory fine, or business continuity failure.

Calibrate these definitions to each client. A "major" financial loss for a 30-person fintech is a very different figure from one for a multinational. Document the calibration in the risk register methodology section so auditors and future assessors apply the same lens.

How often should a vCISO update the risk register?

The right cadence depends on what you are updating:

  • Monthly: Review all risks with an "in treatment" status. Update progress notes, check whether target dates are on track, and escalate stalled items. This takes 15 to 30 minutes per client if your tooling is good.
  • Quarterly: Full register review. Re-score all risks based on the current threat landscape and control environment. Add new risks identified through assessments, incidents, or regulatory changes. Close risks that have been fully remediated. This review feeds directly into your quarterly board report.
  • Immediately: When a material incident occurs, a new critical vulnerability is disclosed, or the client undergoes a significant change (acquisition, new product launch, cloud migration). Do not wait for the next cycle.

For solo vCISOs managing five or more clients, manual quarterly reviews are already a significant time commitment. A dedicated risk register tool reduces the per-client review time from hours to minutes by surfacing what changed since the last review and flagging overdue treatment items automatically.
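
The scoring methodology and the monthly and quarterly cadence above, as an added worked example written for this article (it is not CisoDeck's code and uses no CisoDeck API). It loads the five rows from the sample table, computes severity as likelihood times impact, ranks them with an impact tie-break, builds the 5x5 heatmap counts, and produces the monthly and quarterly review lists. The field names, the band thresholds (15, 10, 5), the 30-day stall and 90-day staleness windows, and every review date are assumptions made for the example.

```python
"""Added example (not CisoDeck's code): a minimal 5x5 risk register that
scores, ranks and review-flags the five sample rows from the table above.
Field names, band thresholds, stall/stale windows and all dates are assumed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

VALID_STATUS = {"Open", "In Treatment", "Accepted", "Closed"}

@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    likelihood: int                       # 1 (Rare) .. 5 (Almost Certain)
    impact: int                           # 1 (Negligible) .. 5 (Critical)
    owner: str                            # a named person, never a team
    status: str
    target_date: Optional[date] = None    # treatment completion target
    last_reviewed: Optional[date] = None  # when the row was last re-scored
    review_date: Optional[date] = None    # mandatory for Accepted risks

    def __post_init__(self) -> None:
        # Reject rows that would corrupt scoring or governance before they land.
        for name in ("likelihood", "impact"):
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {v!r}")
        if self.status not in VALID_STATUS:
            raise ValueError(f"{self.risk_id}: unknown status {self.status!r}")
        if self.status == "Accepted" and self.review_date is None:
            raise ValueError(f"{self.risk_id}: accepted risks need a review date")

    @property
    def severity(self) -> int:
        return self.likelihood * self.impact  # 1..25

def band(score: int) -> str:  # assumed reporting bands over the 1..25 product
    return "Critical" if score >= 15 else "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def ranked(register: List[Risk]) -> List[Risk]:
    # Highest severity first; ties broken on impact, since 5x1 and 1x5 both
    # score 5 but are very different risks to the business.
    return sorted(register, key=lambda r: (-r.severity, -r.impact, r.risk_id))

def heatmap(register: List[Risk]) -> List[List[int]]:
    """grid[impact-1][likelihood-1] = count of risks in that cell."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[r.impact - 1][r.likelihood - 1] += 1
    return grid

def monthly_review(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Monthly pass over 'In Treatment' rows: missed target dates and rows
    nobody has touched for more than 30 days (assumed stall window)."""
    flags: Dict[str, List[str]] = {}
    for r in register:
        if r.status != "In Treatment":
            continue
        reasons = []
        if r.target_date is not None and r.target_date < today:
            reasons.append("overdue")
        if r.last_reviewed is None or (today - r.last_reviewed).days > 30:
            reasons.append("stalled")
        if reasons:
            flags[r.risk_id] = reasons
    return flags

def quarterly_review(register: List[Risk], today: date) -> Dict[str, List[str]]:
    """Quarterly pass over every non-closed row: anything not re-scored in
    90 days, and accepted risks whose acceptance review date has passed."""
    flags: Dict[str, List[str]] = {}
    for r in register:
        if r.status == "Closed":
            continue
        reasons = []
        if r.last_reviewed is None or (today - r.last_reviewed).days > 90:
            reasons.append("not re-scored in 90 days")
        if r.status == "Accepted" and r.review_date is not None and r.review_date <= today:
            reasons.append("acceptance review date passed")
        if reasons:
            flags[r.risk_id] = reasons
    return flags

# The five rows of the sample table; review dates are constructed for the example.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Risk("RSK-001", "Customer data exposure via unpatched web application vulnerabilities",
         "Data Protection", 4, 5, "J. Martinez (CTO)", "In Treatment",
         target_date=date(2025, 5, 15), last_reviewed=date(2025, 5, 20)),
    Risk("RSK-002", "Ransomware infection due to lack of endpoint detection on remote devices",
         "Network Security", 3, 5, "A. Patel (IT Director)", "In Treatment",
         target_date=date(2025, 7, 31), last_reviewed=date(2025, 3, 10)),
    Risk("RSK-003", "Unauthorized access through accounts without multi-factor authentication",
         "Access Control", 4, 4, "S. Lee (IT Manager)", "Open", last_reviewed=date(2025, 5, 1)),
    Risk("RSK-004", "Supply chain compromise through unassessed critical SaaS vendor",
         "Third-Party", 2, 4, "R. Chen (Procurement)", "Open", last_reviewed=date(2025, 2, 1)),
    Risk("RSK-005", "GDPR non-compliance due to missing data processing agreements with sub-processors",
         "Compliance", 3, 3, "M. Dubois (DPO)", "Accepted",
         last_reviewed=date(2025, 1, 15), review_date=date(2025, 4, 30)),
]

if __name__ == "__main__":
    print([(r.risk_id, r.severity, band(r.severity)) for r in ranked(SAMPLE_REGISTER)])
    print(monthly_review(SAMPLE_REGISTER, TODAY), quarterly_review(SAMPLE_REGISTER, TODAY))
```

Run it directly to print the ranked register and both review lists. The checks in __post_init__ are the part worth copying into a spreadsheet as data-validation rules: they refuse scores outside 1 to 5, unknown statuses, and an accepted risk with no review date, which is exactly the row that otherwise drifts unnoticed between quarters.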

What tools make risk registers easier?

Most vCISOs start with spreadsheets, and spreadsheets work — until they do not. The pain points appear as you scale: version control breaks down, formulas get corrupted, scoring is inconsistent between clients, and producing board-ready views requires manual formatting every quarter.

Purpose-built risk register tools solve these problems by providing:

  • Assessment-to-register flow. Risks identified during an assessment automatically populate the register with scores, categories, and suggested owners. No re-keying data.
  • Consistent scoring. The scoring methodology is baked into the tool, so every assessor uses the same criteria. This is especially important if you bring on subcontractors.
  • Automated heatmaps. Visual risk heatmaps that update in real time as you modify scores. These slot directly into board reports.
  • White-label output. Deliver registers and reports under your client's branding — not yours, not the tool vendor's. This matters for client perception and professionalism.
  • Multi-client management. See all clients' risk postures from a single dashboard without opening separate files or folders.

CisoDeck is built specifically for solo and boutique vCISO consultants. It connects assessments to risk registers to board reports in a single workflow, includes white-labelling at every tier, and does not charge per seat — so you can bring clients into the platform without inflating your costs.

Build your first risk register in minutes

Start your free trial — no credit card required. Import existing risks or generate them from an assessment.

Frequently asked questions

What is the difference between a risk register and a risk assessment?
A risk assessment is the process of identifying and evaluating risks at a point in time. A risk register is the living document that records the output of assessments and tracks risk status over time. The assessment populates the register; the register persists between assessments.
Can I use a spreadsheet as a risk register?
Yes, spreadsheets work for small engagements with one or two clients. The limitations appear at scale: version control, formula integrity, consistent scoring across assessors, and the time cost of manually formatting board-ready outputs each quarter. Most vCISOs outgrow spreadsheets within six months.
How many risks should a typical register contain?
There is no fixed number, but a typical small-to-medium business risk register contains 20 to 50 risks after an initial assessment. Fewer than 15 usually means the assessment was too shallow. More than 100 usually means risks are too granular and should be consolidated.
Should I show the full risk register to the board?
No. Board members need a summary view: a heatmap, the top 5 to 10 risks by severity, and trend data. Provide the full register as an appendix for those who want detail. See our guide on writing board-ready cyber reports for the recommended structure.
How do I handle risks that a client refuses to remediate?
Document them as formally accepted risks. Use a risk acceptance form with management sign-off that records who accepted the risk, the rationale, the residual severity, and the review date. This protects both the client and you as the advisor if the risk materialises.

Related: risk register, vCISO, risk management, cybersecurity template, risk scoring

Soufiane Taoufik

Founder, CisoDeck

Former SOC analyst turned cybersecurity consultant. Built CisoDeck to give solo and boutique vCISOs the tooling they deserve — without enterprise complexity or pricing.

Ready to streamline your vCISO practice?

14-day free trial. No credit card required. Cancel anytime.