Management Risk Posture — ISMS Confluence Page
Confluence page header
Page title: Management Risk Posture
Parent: ISMS Home
SCM variant: isms-management (primary) · isms-security (full access)
isms-all-staff and isms-it-staff: NOT visible
Page owner: CISO
Last updated: [DATE]
Next review: [DATE + 3 months — updated quarterly; full refresh at annual management review]
How to read this page
For members of the senior management team, board, and risk owners who need to understand the organisation's security risk position without needing to navigate technical documentation.
This page provides four things. First, a plain-English summary of the current risk posture across our compliance obligations — what our overall security position is, whether it is improving or deteriorating, and where the significant exposures sit. Second, the top five risks requiring management-level awareness, each described in business terms with the current treatment status. Third, the formal risk appetite statement — the level of risk the organisation has decided to accept — so that treatment investment decisions can be evaluated against it. Fourth, guidance on how to use the full risk register if you need more detail than this summary provides.
This page is updated quarterly. The most recent CISO commentary at the top of each section will tell you what has changed since the prior quarter. Changes of significance are also flagged at the management review (EV-A01) and in the monthly security metrics report (EV-F02), which you may also have access to.
If anything on this page prompts a question, the CISO is the first point of contact. Contact: [ciso@organisation.com] or [CISO direct line].
Section 1 — Current risk posture summary
Updated quarterly by the CISO. The commentary below reflects the position as of [DATE].
Posture indicator
OVERALL ISMS POSTURE: [Improving / Stable / Requires Attention / Escalation Required]
Colour coding used throughout this page:
Green — within risk appetite; no management action required
Amber — approaching risk appetite threshold; management awareness required
Red — exceeds risk appetite; management decision required on treatment
Dark Red — Very High risk; immediate management escalation; no acceptance permitted
for CUI or OFFICIAL data confidentiality risks
CISO quarterly commentary
[DATE] — Q[N] [YYYY]
[This section is written fresh each quarter by the CISO. The text below is an example of the level of detail and tone expected. Replace with actual current commentary before publishing.]
The organisation's overall security posture has improved this quarter. The primary drivers of improvement are the completion of the PAM deployment across all CUI-scope servers, which closed a long-standing elevated risk around privileged access, and the achievement of 100% MFA coverage following the removal of the last remaining legacy authentication pathway in the email infrastructure.
The two areas where the posture has not improved as anticipated are the outstanding Windows 10 end-of-life migration on the engineering floor, which remains on track for completion by [date] but constitutes an open risk until that point, and the supply chain risk relating to [Supplier Name], which we have elevated from Moderate to High following their disclosed security incident in [month]. Treatment actions for both are described in the Top 5 Risks section below.
Our compliance certifications remain current. Cyber Essentials was renewed in [month] and is valid until [date]. ISO 27001 surveillance audit is scheduled for [date] — preparation is underway and the CISO does not anticipate findings that would affect certification status. The CMMC Level 2 C3PAO assessment is scheduled for [date] in [YYYY].
The key decision I am bringing to management's attention this quarter is the funding request for the endpoint detection and response platform upgrade, described in the Treatment Investment Decisions section below. Without this investment, the time-to-detect for behavioural threats increases materially, and our CMMC Level 2 certification posture weakens.
Posture by domain
Traffic light summary. Each domain is assessed as Green, Amber, or Red based on the highest open risk in that domain, weighted by whether active treatment is in progress.
| Domain | Status | Summary | Trend |
|---|---|---|---|
| Access Control | 🟢 Green | MFA at 100% coverage; privileged access via PAM; quarterly reviews current | ↑ Improved (PAM rollout complete) |
| Patch Management | 🟡 Amber | Windows 10 EOL migration in progress; 97% patch compliance within SLA | → Stable |
| Malware Protection | 🟢 Green | EDR coverage 100%; signatures current; email gateway and DNS filter operational | → Stable |
| Network Boundary | 🟢 Green | Firewalls reviewed H1; no open findings; DMZ separation confirmed | → Stable |
| Physical Security | 🟢 Green | Zone 3 access list current; CCTV operational; quarterly ACS review complete | → Stable |
| Incident Response | 🟡 Amber | IRP current; annual exercise overdue by 6 weeks — scheduled [date] | ↓ Slight regression |
| Supply Chain | 🔴 Red | [Supplier] incident elevated to High; assessment underway | ↓ Deteriorated |
| Personnel Security | 🟢 Green | Screening current for all CUI-scope staff; training completion 94% | → Stable |
| Compliance Posture | 🟡 Amber | CE current; ISO 27001 surveillance upcoming; CMMC C3PAO prep in Q[N] | → Stable |
| Cryptography | 🟢 Green | FIPS-validated encryption confirmed; annual audit complete | → Stable |
Key metrics — at a glance
Drawn from the monthly security metrics report (EV-F02). These are the four metrics most directly relevant to management oversight.
PATCH COMPLIANCE (from vendor release date — not detection date)
Critical patches within 7-day SLA: [%] Target: 100% Trend: ↑/↓/→
High patches within 14-day SLA: [%] Target: 95% Trend: ↑/↓/→
Open Critical vulnerabilities: [N] Target: 0 [Amber if N>0]
CISA KEV entries: all closed on time [%] Target: 100% Trend: ↑/↓/→
MALWARE PROTECTION COVERAGE
EDR agent deployed: [%] Target: 100% Trend: ↑/↓/→
Signatures current (<24h): [%] Target: 100% Trend: ↑/↓/→
MFA COVERAGE
All CUI-scope users enrolled in MFA: [%] Target: 100% Trend: ↑/↓/→
OPEN RISK POSTURE
Very High risks (must treat): [N] Target: 0 [Red if N>0]
High risks open >90 days: [N] Target: 0 [Amber if N>0]
Risks exceeding appetite: [N] Target: 0 [Red if N>0]
POA&M items past target date: [N] Target: 0 [Amber if N>0]
Section 2 — Top 5 risks requiring management awareness
These are the five risks in the register that represent the highest combination of residual risk level, management decision required, or compliance consequence. The CISO selects and updates this list quarterly. The full risk register is at 05 · Risk Register for those who need complete detail.
Each risk is presented in business terms. Technical implementation detail is available in the risk register and, for the treatment actions, in the linked ITSM tickets.
Risk 1
RISK-[YYYY]-[NNN] — [Risk Title]
In plain terms:
[One paragraph, plain English, no acronyms. Describe what could happen,
to what, and what the consequence would be for the organisation.
Example: "A targeted email attack could deceive a member of staff into
providing their login credentials or opening malicious software. If this
happened, an attacker could access our defence contract files and customer
data under that person's account. This would trigger mandatory reporting
to the US Department of Defense within 72 hours, mandatory reporting to
the ICO if personal data was involved, and notification to our MOD
contracting authority within 24 hours. Beyond the regulatory obligations,
it would create a reputational risk with our defence customers and could
affect our ability to bid on future contracts."]
Current risk rating:
Before controls are considered: [e.g. High — 16/25]
After current controls: [e.g. Moderate — 6/25]
Risk appetite for this risk type: [e.g. Moderate — within appetite]
Status: [Within appetite / Approaching threshold /
Exceeds appetite — management decision required]
What we are currently doing about it:
[Bullet points in plain English — not technical procedure references.
Example:
• All staff must use a second authentication factor (a code from their phone)
in addition to their password — this prevents credential theft alone from
being sufficient for an attacker to access our systems
• Our email system scans every attachment in a controlled environment before
it reaches staff inboxes
• We run phishing simulation exercises every six weeks — staff who click the
test links receive immediate targeted training
• Click rate on phishing simulations has fallen from 18% (Q1) to 9% (Q3) —
the training programme is measurably working]
What more we are doing (in progress):
[Actions currently underway — linked to treatment plan RT-YYYY-NNN]
Treatment action: [plain English description]
Expected completion: [date]
Responsible: [name or role]
Expected risk reduction: [e.g. This will reduce the residual rating from
Moderate to Low because it closes the one remaining authentication gap
where FIDO2 is not yet enforced for contractor accounts]
What management attention is required:
[None — within appetite, treatment on track]
OR
[Decision required: [describe the specific decision] — see Treatment
Investment Decisions section below]
OR
[Awareness only — no decision required but management should know]
Risk owner: [Name, Role]
Last reviewed by CISO: [Date]
Risk 2
RISK-[YYYY]-[NNN] — [Risk Title]
[Same format as Risk 1]
Risk 3
RISK-[YYYY]-[NNN] — [Risk Title]
[Same format as Risk 1]
Risk 4
RISK-[YYYY]-[NNN] — [Risk Title]
[Same format as Risk 1]
Risk 5
RISK-[YYYY]-[NNN] — [Risk Title]
[Same format as Risk 1]
Section 3 — Worked example: how the top 5 risks look populated
This section shows one fully worked example of a Top 5 risk entry, so the format is clear when the CISO populates real risks. Remove this section before publishing the live page.
Risk 1 — [WORKED EXAMPLE: do not publish]
RISK-2024-001 — Unpatched critical vulnerability exploited against CUI systems
In plain terms:
Security researchers and attackers continuously discover vulnerabilities —
flaws in software that allow unauthorised access. Software vendors release
patches (fixes) for these vulnerabilities on a regular cycle. Between the
date a vendor releases a patch and the date we apply it, our systems are
exposed to attackers who know about the vulnerability and are actively
exploiting it. The US government's own catalogue of vulnerabilities being
actively exploited in real attacks (the CISA Known Exploited Vulnerabilities
list) is updated several times per week, and the average time between a
vulnerability being disclosed and its first exploitation is now measured
in days, not weeks.
If a critical vulnerability on systems holding our defence contract data
were exploited before we applied the patch, an attacker could potentially
access, copy, or corrupt that data. We would have mandatory reporting
obligations to the US Department of Defense (within 72 hours), the ICO
if personal data was involved, and our MOD contracting authority within
24 hours. The contractual and reputational consequences would be significant.
Current risk rating:
Before controls are considered: High — 16/25
(Likelihood 4: high-severity vulnerabilities are reliably discovered and
exploited; Impact 4: CUI breach triggers regulatory and contractual obligations)
After current controls: Moderate — 8/25
(Likelihood 2: 7-day patching SLA with ring deployment substantially narrows
the exploitation window; Impact 4: unchanged — if exploitation occurs,
the consequences are the same regardless of how we were exposed)
Risk appetite for this type: Moderate (score ≤9) — within appetite
Status: Within appetite — treatment on track
What we are currently doing about it:
• All security patches for our defence-related systems are applied within
7 days of the vendor releasing them for critical vulnerabilities, and
within 14 days for high-severity vulnerabilities. This is measured
from the date the vendor released the patch — not the date we noticed it.
• Our IT security team monitors the US government's live catalogue of
vulnerabilities being actively exploited in real attacks every day. When
a vulnerability in our software appears on that list, we treat it as
Critical regardless of how it is technically classified — and aim to
patch within 7 days of the listing appearing.
• We scan all of our systems monthly with an authenticated vulnerability
scanner. Internet-facing systems are scanned weekly.
• Our current patch compliance rate: [N]% of Critical vulnerabilities
are remediated within the 7-day window from vendor release.
What more we are doing (in progress):
Treatment action: Implement weekly authenticated scanning of all
CUI-scope systems (currently monthly for internal systems)
Expected completion: [date]
Responsible: IT Manager
Expected risk reduction: Will reduce the time between a vulnerability
appearing and us detecting it from up to 30 days to up to 7 days.
This does not change the residual risk rating but reduces the detection
gap, making the 7-day patching SLA more achievable in practice.
What management attention is required:
Awareness only — this risk is within appetite and treatment is on track.
The IT Manager will escalate to the CISO if any Critical vulnerability
SLA is breached. The CISO will bring material breaches to management
through the monthly security metrics report.
Risk owner: IT Manager — [Name]
Last reviewed by CISO: [Date]
Section 4 — Risk appetite statement
This statement is approved annually at the management review (EV-A01). The current version was approved on [date] and is valid until the next management review. Any proposed change to the risk appetite requires management approval before it takes effect.
What risk appetite means
The risk appetite is the organisation's formal statement of how much security risk we are willing to accept in pursuit of our business objectives. It is not a target — we do not aim to operate at the edge of the appetite. It is a ceiling: the level above which we must take action regardless of cost or inconvenience, and the level at which senior management must be involved in the decision.
The appetite is expressed using the same 5×5 scoring scale as the risk register. A risk rating of likelihood × impact is compared against the appetite thresholds. A risk that falls within appetite can be managed by the CISO and IT Manager without escalation. A risk that exceeds appetite requires a management decision — either to fund treatment that brings it within appetite, or to formally accept the elevated risk with documented rationale.
Approved risk appetite thresholds
RISK APPETITE — APPROVED [DATE] — VALID UNTIL MANAGEMENT REVIEW [DATE]
INFORMATION CONFIDENTIALITY RISKS
(risks where the consequence involves unauthorised access to or
disclosure of CUI, OFFICIAL information, or personal data)
Maximum residual risk accepted without management decision:
Moderate — score of 9 or below (likelihood × impact ≤9)
Rationale: Our contractual obligations under DFARS, DEFSTAN, and our
ISO 27001 certification all require us to protect the confidentiality
of the information we handle. A breach triggering mandatory regulatory
reporting, potential contract loss, and reputational damage is not a
risk we accept readily. We maintain a Moderate appetite rather than
Low because absolute elimination of information confidentiality risk
is not achievable — we trade it; we handle it on external systems;
our staff work remotely. What we require is that the risk is actively
managed and that the residual exposure is meaningful rather than severe.
Appetite DOES NOT APPLY: we will not accept any residual Very High risk
(score 20–25) to CUI or OFFICIAL information confidentiality under any
circumstances without explicit board-level sign-off.
SYSTEM AVAILABILITY RISKS
(risks where the consequence is disruption to operational systems
and services, including contract delivery capability)
Maximum residual risk accepted without management decision:
Moderate — score of 9 or below
Rationale: Extended outages affect contract delivery obligations and
incur direct and indirect costs. However, we maintain BCM and DR
capabilities (OP-05) that reduce the impact of most availability events
to recoverable levels. A Moderate appetite reflects the realistic
trade-off between investment in redundancy and the organisation's
operational model.
DATA INTEGRITY RISKS
(risks where the consequence is corruption, unauthorised modification,
or loss of the accuracy of CUI, contract data, or operational records)
Maximum residual risk accepted without management decision:
Moderate — score of 9 or below
Rationale: The integrity of our defence contract deliverables and
the accuracy of our compliance records are both critical. A data
integrity failure could produce incorrect engineering outputs,
corrupt audit evidence, or allow fraudulent record modification.
Moderate appetite reflects that complete elimination of integrity
risk is not achievable in a connected, multi-user environment.
COMPLIANCE AND REGULATORY RISKS
(risks where the consequence is failure to meet a regulatory,
contractual, or certification obligation — DFARS, DEFSTAN, GDPR,
ISO 27001, Cyber Essentials, CMMC)
Maximum residual risk accepted without management decision:
Low — score of 4 or below
Rationale: Regulatory and contractual failures carry consequences
that go beyond the immediate incident — loss of certification,
contract termination, financial penalties, and reputational damage
that affects future contract opportunities. We set a Low appetite
for compliance risk because the cost of non-compliance consistently
exceeds the cost of prevention. Any compliance risk above Low requires
a management decision on treatment investment.
REPUTATIONAL RISKS
(risks where the consequence is damage to the organisation's standing
with customers, the MOD contracting authority, or the public)
Maximum residual risk accepted without management decision:
Low — score of 4 or below
Rationale: Our business depends on trust — particularly from defence
customers and the MOD contracting authority. Reputational damage from
a security incident is among the most difficult to recover from in a
sector where security is a procurement criterion. We set a Low appetite
to reflect that reputational risk has business development consequences
beyond the immediate event.
EXCEPTIONS TO APPETITE (require board-level approval, not just management):
The following situations require explicit board or equivalent approval,
regardless of the calculated risk score:
• Any risk where realisation would trigger mandatory regulatory reporting
to US DoD (DFARS breach) where the SPRS score impact has not been assessed
• Any situation where CUI data is confirmed to have been accessed by an
unauthorised person, regardless of whether the risk was previously registered
• Any risk where a DEFSTAN contracting authority has specifically highlighted
a concern and we are choosing not to remediate within their timescale
What the appetite means for spending decisions
The appetite is not a budget line. It is the criterion by which spending decisions are evaluated. When the CISO brings a treatment investment proposal to management, it will be framed against the appetite: "without this investment, this risk sits at [level], which [is within / exceeds] our stated appetite." That framing is designed to make investment decisions evaluable rather than subjective.
It also means that risks which genuinely sit within appetite do not automatically require additional investment. The organisation does not need to eliminate all risk — it needs to manage risk within the appetite it has set. A request for additional security spending that would move a risk from Moderate-within-appetite to Low does not have the same urgency as a request that would move a risk from High-exceeds-appetite to Moderate-within-appetite.
Section 5 — Treatment investment decisions
This section presents the security investment proposals currently requiring management decision. Each proposal is framed as: what is the current risk, where does it sit against appetite, what would the investment achieve, and what happens if we do not invest.
Proposals are added here when the CISO determines that a risk cannot be treated through operational means alone and requires a budget or resourcing decision. Each proposal is linked to a specific open risk in the register.
Proposals resolved (investment approved or formally declined) are moved to the Treatment Investment History section below.
Investment proposal template
PROPOSAL [REF] — [Brief title]
Linked risk: RISK-[YYYY]-[NNN]
Date presented: [DATE]
Decision required by: [DATE — or "at next management review"]
CISO contact: [name]
CURRENT SITUATION
Risk [RISK-YYYY-NNN] sits at [rating] — [exceeds / approaches] our
[compliance / confidentiality / availability] risk appetite threshold of [level].
In plain terms: [One paragraph describing the current exposure in business terms.
What is currently at risk, who is affected, what the consequence would be.]
What we have already done: [What existing controls are in place — so management
can see this is not a case of doing nothing; it is a case of needing more.]
PROPOSED INVESTMENT
What: [Plain description of what the investment would involve — technology,
people, process, or combination]
Cost: [Estimated cost range — one-time, annual, or both]
Timeline: [How long to implement and when the risk reduction would be realised]
Resource requirement: [Internal time in addition to any cost — who is needed]
WHAT THE INVESTMENT ACHIEVES
Risk reduction: [Current rating] → [Projected rating after investment]
In plain terms: [What specifically becomes harder for an attacker or what
specific consequence is prevented. Not "improves security" — be specific.]
Compliance benefit: [Which certification obligation this helps with, if any]
WHAT HAPPENS WITHOUT THE INVESTMENT
The risk remains at [rating].
[Plain description of what continues to be exposed and what the organisation
continues to be relying on to manage the risk without this investment.
Include any compliance implications — e.g. "This risk contributes to a
CMMC POA&M item. Without remediation by [date], the C3PAO assessment
will find this gap and it will reduce our SPRS score."]
OPTIONS FOR MANAGEMENT
Option A: Approve investment at [cost] — risk moves to within appetite
Option B: Partial investment at [lower cost] — risk moves to [rating] —
[still within / still outside] appetite
Option C: Decline investment — risk remains at [current rating] —
[within / outside] appetite; if outside, requires formal risk
acceptance at [management / board] level with documented rationale
CISO RECOMMENDATION: [Option A / Option B / other — with brief rationale]
[Example] Proposal 1 — Endpoint Detection and Response Platform Upgrade
PROPOSAL REF-2024-01 — Upgrade EDR platform to next-generation behavioural detection
Linked risk: RISK-2024-001 (Unpatched vulnerability exploitation) and
RISK-2024-002 (Credential compromise via phishing)
Date presented: [DATE]
Decision required by: [date — ahead of CMMC C3PAO assessment in Q[N] [YYYY]]
CURRENT SITUATION
Our current antivirus and EDR deployment detects known malware reliably —
it catches threats that match patterns already seen and recorded by the
security community. It is less effective at detecting attackers who use
custom tools, or who use legitimate system features in unusual ways to
avoid triggering standard antivirus signatures. This class of attack is
now the dominant technique used by the threat actors who target defence
supply chains — they have moved away from standard malware precisely
because standard AV catches it.
In plain terms: if an attacker gains access to one of our systems using a
compromised staff account and then uses standard Windows tools to move
through our network, our current platform may not detect this activity
in time to prevent them accessing our CUI file store. Our existing EDR
does log this behaviour, but the volume of log data means it is only
reviewed monthly — detection could therefore be delayed up to 30 days.
What we have already done: AV is deployed on 100% of our CUI-scope
devices with current signatures. Staff MFA is at 100% coverage. These
controls prevent the most common attack paths. The gap is in detecting
the attacker who has already succeeded in getting past these controls.
PROPOSED INVESTMENT
What: Upgrade from [current product] to [next-generation product] which
provides behavioural detection (detects how software behaves, not just
what it is) and reduces detection time from hours to minutes for the
attack patterns most likely to target defence contractors.
Cost: £[X] initial setup + £[Y] per year (replaces existing £[Z] per year)
Net additional annual cost: £[X-Z] per year
Timeline: 4–6 weeks to deploy; behavioural baselines established in 8 weeks
Resource: IT Operations estimated at [N] days of engineer time to deploy
WHAT THE INVESTMENT ACHIEVES
Risk reduction: RISK-2024-002 (credential compromise) moves from
Moderate (6/25) to Low (4/25)
Risk reduction: RISK-2024-001 (unpatched vulnerability) — no change to
score but the detection-to-response time for exploitation falls from up
to 30 days to under 2 hours, significantly reducing the impact window.
In plain terms: if an attacker successfully compromises a staff account,
we would detect the unusual behaviour pattern within [N] minutes rather
than potentially finding it in the next monthly log review. This gives
us the ability to contain the incident before CUI is accessed in most
plausible scenarios.
Compliance benefit: Strengthens NIST 3.14.6 (monitor for attacks and
indicators of attack) and 3.14.7 (identify unauthorised use). Both are
assessed by the C3PAO in [date] — our current implementation is rated
Partially Implemented for 3.14.7, which creates a POA&M item that reduces
our SPRS score. This investment would close that gap before assessment.
WHAT HAPPENS WITHOUT THE INVESTMENT
The risk remains at Moderate — within appetite, but at the upper end.
Our detection capability for behavioural attacks remains review-based
rather than real-time, meaning incident response will typically begin
at the monthly log review rather than at the point of the event.
Compliance implication: the 3.14.7 POA&M item remains open at the
C3PAO assessment, contributing to a SPRS score below 110. This does not
prevent CMMC Level 2 certification if we have an approved POA&M, but it
weakens our competitive position for contracts where customers check the
SPRS score.
OPTIONS FOR MANAGEMENT
Option A: Approve full upgrade at £[total annual cost] — closes POA&M
item; moves RISK-2024-002 to Low; materially reduces detection gap
Option B: Decline investment this year — risk remains within Moderate
appetite; POA&M item remains open at C3PAO assessment
Option C: Deferred approval — approve in principle for Q[N] budget cycle,
targeting completion before the C3PAO assessment in [date]
CISO RECOMMENDATION: Option A or Option C
Either achieves the compliance and security outcome. Option C is
acceptable if the timeline is confirmed before the C3PAO assessment
date, with a commitment in the POA&M that remediation will be complete
before the assessment commences.
Treatment investment history
Record of proposals previously presented and the decisions made. Retained for the management review and for ISO 27001 audit evidence.
| Ref | Proposal title | Presented | Decision | Decision date | Outcome |
|---|---|---|---|---|---|
| [Ref] | [Title] | [Date] | [Approved / Declined / Deferred] | [Date] | [Risk impact of decision] |
Section 6 — How to read the risk register as a management consumer
This section is for managers, directors, and risk owners who need to access the full risk register but have not used it before, or who want a refresher on what the fields mean and how to navigate it.
The relationship between this page and the risk register
This management posture page is a curated summary. It presents the risks the CISO judges to be most significant for management attention at this point in time. The full risk register at 05 · Risk Register contains all identified risks — including those that have been treated to within appetite and no longer require active management attention, and those in lower-priority categories.
Think of it this way: this page is what the CISO has prepared for the board meeting. The risk register is the full working document behind it. Both are authoritative — the risk register is not a more "real" document than this page. This page draws from the register rather than replacing it.
What each column in the risk register means
| Column | What it means in plain terms | Why it matters to you |
|---|---|---|
| Risk ID | A unique reference number (format: RISK-YYYY-NNN) | Use this when discussing a specific risk with the CISO — it avoids ambiguity |
| Risk Title | A brief label for the risk | For navigation — read the description for the full picture |
| Risk Description | A structured sentence: "[who/what] could [do what] to [which asset] causing [what consequence]" | This is the substance of the risk — the title alone is not sufficient to understand it |
| Category | The type of risk: Technical / Operational / Personnel / Supply Chain / Compliance / Physical / Strategic | Useful for filtering to your area of responsibility |
| Inherent Risk Rating | The score before any of our security controls are in place — what the risk would be if we did nothing | Rarely the number that matters for decisions; it shows the underlying severity of the threat |
| Residual Risk Rating | The score after all current controls are applied — this is the actual current exposure | This is the number that matters for management decisions. Compare this to the risk appetite. |
| Within Risk Appetite | Yes or No | A "No" in this column requires management awareness or decision |
| Treatment Option | What we have decided to do: Mitigate (add/improve controls), Accept (tolerate within appetite), Transfer (insurance/contract), Avoid (stop doing the thing) | For most risks managed by the security team, this will be Mitigate. Accept means the CISO has formally confirmed the risk is within appetite. |
| Treatment Actions | Links to specific things being done to reduce the risk | If you are a risk owner, this is your accountability — you own the completion of these actions |
| Risk Owner | The named individual accountable for the risk and its treatment | If your name is here, you are responsible for confirming that treatment actions are progressing and that the risk description remains accurate |
| Status | Open / In Treatment / Accepted / Closed | Closed means the risk is resolved or no longer applicable, not just that we have stopped worrying about it |
How to read a risk entry correctly
When you find a risk in the register, read it in this sequence:
Step 1 — Read the description, not just the title. The title is a navigation aid. The description tells you what actually could happen.
Step 2 — Look at the residual rating, not the inherent rating. The inherent rating tells you how bad the underlying threat is in the abstract. The residual rating tells you your actual current exposure after controls. A Very High inherent risk that has been treated to Low residual is not something requiring your attention today.
Step 3 — Check "Within Risk Appetite." If it says Yes, the CISO is managing it within the authority delegated by management. If it says No, it is on this management posture page (or should be) and requires your attention.
Step 4 — If you are the risk owner, check the treatment actions. Treatment actions are the specific steps being taken to reduce the risk. If you own a risk, you own the treatment actions. If the actions are not progressing, the residual rating will not fall, and the risk will sit at the same level at the next quarterly review.
Step 5 — Note the date last reviewed. A risk not reviewed in the past 12 months may have a description that is no longer accurate. If you notice this, contact the CISO.
What the risk scores actually mean
The 5×5 scale can feel abstract. Here is what each level means in operational terms for this organisation:
Likelihood scores: - Score 1 (Very Unlikely): We know this threat exists in the world but have no reason to believe we are specifically targeted or that our controls would fail. Think: nation-state cyber espionage against our specific systems. - Score 2 (Unlikely): The threat is real and the attack type is common, but our controls make exploitation difficult. Think: credential theft from an MFA-enabled account. - Score 3 (Possible): This could plausibly happen within a year given the current threat landscape. Think: a supplier with access to our systems suffering a breach. - Score 4 (Likely): Based on sector threat intelligence and our own experience, something like this is likely to be attempted against us within the year. Think: a phishing campaign targeting defence contractors. - Score 5 (Almost Certain): This is happening to organisations like us routinely. Think: attempted credential stuffing against any internet-facing authentication endpoint.
Impact scores: - Score 1 (Negligible): No CUI is at risk; the incident is contained; recovery takes hours; no external reporting required. - Score 2 (Minor): Limited data affected; contained to one system; no regulatory reporting; recoverable within a day. - Score 3 (Moderate): Significant but manageable. Some CUI or personal data at risk; recovery takes days; regulatory notification possible; reputational impact to our immediate customer base. - Score 4 (Significant): Mandatory regulatory reporting to US DoD (DFARS), ICO, and DEFSTAN authority within strict timeframes; contract impact likely; material financial or reputational consequence; recovery takes weeks. - Score 5 (Severe): Large-scale breach; extended service disruption; contract loss; regulatory investigation; potential criminal liability for named individuals.
Common misreadings to avoid
"The risk is amber, so we need to act." Not necessarily. Amber means Moderate — which is within our stated risk appetite. Amber risks are being actively managed by the CISO and do not automatically require management decision or additional investment. They appear on your radar because the score warrants management awareness, not because management needs to decide something.
"This risk has been open for a year — that must mean we're failing." A risk can remain open for years if it is within appetite and being actively managed. Closing a risk means the underlying threat or vulnerability no longer exists. Most risks cannot be closed — they can only be treated to within appetite and maintained there. A one-year-old Moderate risk being actively managed is not a failure; it is a normal part of a functioning risk programme.
"The residual rating went from 6 to 8 — we're getting worse." A rating change of 2 points within the same risk category (Moderate) may mean the threat landscape has shifted rather than our controls having failed. The CISO's quarterly commentary explains what changed and why. Ask the CISO before concluding a trend.
"There are no Very High risks, so we're fine." The absence of Very High risks means the most severe exposures are being managed. It does not mean the organisation has no risk — it means the risk programme is functioning as intended. An ISMS with no risks in the register is not a safe organisation; it is an organisation that has stopped looking for risks.
Section 7 — Compliance posture summary for management
A single view of where we stand against each certification and contractual obligation. This section answers the question a director or contract manager might ask before a bid submission or a contracting authority meeting.
| Certification / Obligation | Current status | Valid until | Next event | Risk to status |
|---|---|---|---|---|
| ISO 27001:2022 | [Certified / Surveillance due / Recertification due] | [Date] | Surveillance audit [date] | [None / Amber — one observation from prior audit outstanding] |
| Cyber Essentials | [Certified] | [Date] | Renewal questionnaire by [date] | [None — all five technical controls confirmed in current configuration] |
| Cyber Essentials Plus | [Certified / Not held] | [Date] | Technical assessment [date] | [None / Amber — patch compliance requires confirmation before assessment] |
| CMMC Level 2 self-assessment | SPRS score: [N] / 110. Last assessed [date] | Annual affirmation due [date] | Annual self-assessment [date] | [None / Amber — [N] controls in POA&M] |
| CMMC Level 2 C3PAO | [Not yet assessed / Conditionally certified / Certified] | [Date if applicable] | C3PAO assessment [date] | [None / see POA&M for open items] |
| DEFSTAN [contract ref] | Compliant with Profile [N] | Contract end [date] | [Annual review / site visit] | [None / Amber — [specific issue]] |
| DFARS §252.204-7012 | Annual affirmation current | [Date] | Annual renewal [date] | [None] |
| UK GDPR | DPO registered; ROPA current | Ongoing | Annual review [date] | [None] |
Section 8 — Management actions and decisions log
This section records management decisions made in response to risk posture information — including investment approvals, formal risk acceptances, and direction given to the CISO. It is the evidence that management is engaged in the ISMS, which is tested by ISO 27001 clause 5.1 (leadership and commitment) at every surveillance audit.
The CISO maintains this log. Entries are added following each management review, each investment decision, and each formal risk acceptance.
Format per entry:
[DATE] — [Decision type: Investment approval / Risk acceptance / Direction to CISO]
Topic: [brief description]
Decision: [what was decided]
Rationale: [brief justification]
Authority: [who made the decision — name and role]
Action required: [what happens next, who owns it]
Review date: [when the outcome of this decision will be reported back]
| Date | Decision type | Topic | Decision | Authority | Review date |
|---|---|---|---|---|---|
| [Date] | Investment approval | [Proposal REF-YYYY-NN] | Approved £[X] — [brief description] | [Name, Role] | [Date] |
| [Date] | Risk acceptance | RISK-[YYYY]-[NNN] — [title] | Formally accepted at [rating] — [rationale in one sentence] | [Name, Role] | [Next quarterly review] |
| [Date] | Direction to CISO | [Topic] | [What management directed] | [Name, Role] | [Date] |
Section 9 — Escalation contacts and governance
For any risk or security matter requiring urgent management attention outside the quarterly review cycle.
CISO (primary contact for all security risk matters):
[Name] — [email] — [direct line]
Available: business hours; out-of-hours for confirmed significant incidents
IT Manager (operational security and system availability):
[Name] — [email] — [direct line]
For a confirmed or suspected security incident:
Call the CISO directly — do not email
The Incident Response Plan defines the notification chain from there
For a DEFSTAN contracting authority enquiry:
Contact the CISO first — DEFSTAN has a 24-hour notification obligation
that the CISO manages; routing enquiries through the CISO ensures nothing
is missed
For a DFARS or DoD reporting obligation:
Contact the CISO immediately — 72-hour reporting window starts from
the moment of discovery, regardless of weekend or holiday
ANNUAL MANAGEMENT REVIEW (EV-A01):
Date: [scheduled date]
Attendees required: [Directors / senior management list]
Inputs provided by CISO by: [date — typically 1 week before the review]
ISO 27001 REQUIREMENT:
This page and the management actions log (Section 8) are part of the
documented evidence for ISO 27001 clause 9.3 (management review) and
clause 5.1 (leadership and commitment). They are reviewed at surveillance
audits and at recertification.
Version and review
| Version | Date | Prepared by | Reviewed by | Key changes |
|---|---|---|---|---|
| 1.0 | [DATE] | CISO | [Senior Management Name] | Initial publication |
Page owner: CISO · Review cycle: Quarterly (content) + Annual (full review at management review) · SCM: isms-management · Questions: [ciso@organisation.com]