crisc-d2-risk-assessment-risk-register

Risk Register

isaca-crisc · framework · Gold standard

Drawn fromCRISC Review Manual · ISACA peer-reviewed case sets·Reviewed May 5, 2026

How this was built ▾

Every cubelet runs through five agent passes before publishing. Each stage's output is recorded so we can trace how a claim got here.

01 · RESEARCHSource synthesisClaude Haiku
02 · WRITERSix-face draftingClaude Sonnet
03 · EDITORCoherence + clarity passClaude Sonnet
04 · QAQuality gate scoringClaude Opus
05 · PUBLISHERCatalog + graph commitClaude Haiku

This runcourse-factory-pipeline-v1

1

Face 1 of 6 · WHAT

What is Risk Register

A Risk Register is the authoritative, structured repository — document or digital record — that serves as an organization's single source of truth for identified IT risks. Each entry captures: risk description, category, ownership, inherent risk rating (pre-control), controls in place, control effectiveness, residual risk rating (post-control), treatment disposition, treatment plan, and review schedule. As the primary output of the risk identification and assessment process, the Risk Register converts unstructured risk knowledge into a governed, trackable, and actionable inventory that drives risk response decisions and executive reporting.

Where it stops · what it isn't

—IS: A living repository that documents, categorizes, rates, and tracks risks through their full lifecycle — from identification through resolution or formal acceptance.
—IS: The operational artifact that links risk identification inputs to risk treatment and monitoring outputs within the IT risk management lifecycle.
—IS NOT: A risk heatmap or dashboard — those visualization tools are derived FROM the Risk Register, not the register itself.
—IS NOT: A vulnerability list, audit finding log, or incident report — those sources feed the register, but the register synthesizes them into governed records with ownership and treatment context.
—IS NOT: A static compliance checklist — a register not regularly reviewed and updated loses governance value and may create false assurance.
—IS NOT: A substitute for Risk Scenario Development — the register records identified risks at summary level; detailed scenario narratives are a downstream artifact.

Connected concepts in the graph

Every cubelet sits in a knowledge graph. Here's what this one connects to.

REQUIRES

Risk Analysis MethodologiesRisk Identification Techniques

ENABLES

Risk Scenario DevelopmentRisk Treatment and Response PlanningBoard-Level IT Risk Reporting

PART OF

IT Risk Assessment Domain (CRISC Domain 2)

RELATED TO

Business Impact AnalysisVulnerability Analysis

CONSTRAINS

Risk Appetite and Tolerance Thresholds

Practice this judgment ↗

Adaptive, ~8 min

Sit in the practitioner's chair ↗

Live simulator

06 · APPLYSign up to enter the judgment simulator →

Watch your judgment grow on this concept

Create a free account to unlock all 6 faces, the judgment simulator, and a mastery score that updates with every attempt.