Risk Assessment Template: The Complete Guide to Conducting Security Risk Assessments for Compliance
Every compliance framework begins in the same place: understanding what can go wrong. Before you write a single security policy, configure a monitoring tool, or engage an auditor, you must systematically identify the threats facing your organization, evaluate how likely they are to materialize, assess the damage they would cause, and decide what to do about each one. That process is a risk assessment, and it is the foundation on which every SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST-aligned compliance program is built.
Yet the risk assessment is also the control that companies most often get wrong. Some organizations treat it as a check-the-box exercise -- a spreadsheet filled out once, filed away, and never revisited. Others overcomplicate it, importing enterprise risk management frameworks designed for 50,000-person banks into a 40-person SaaS startup. Both approaches fail. The first produces a document that will not survive auditor scrutiny. The second produces a process so burdensome that nobody maintains it.
This guide provides a practical, framework-neutral methodology for conducting security risk assessments that satisfy auditors across SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST CSF simultaneously. It includes step-by-step instructions, a complete risk assessment template, a 5x5 scoring matrix, a risk register with real-world example entries, treatment plan guidance, and specific documentation requirements for every major framework.
Whether you are conducting your first risk assessment or rebuilding a process that has not held up to audit scrutiny, this is the methodology that works.
What Is a Security Risk Assessment?
A security risk assessment is a systematic process for identifying threats to your organization's information assets, evaluating the likelihood and impact of those threats, and determining the appropriate response. It answers three fundamental questions:
- What could go wrong? Identifying the specific threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of your data and systems.
- How bad would it be? Assessing the potential business impact -- financial loss, regulatory penalties, reputational damage, operational disruption -- if a threat materializes.
- What should we do about it? Deciding whether to mitigate, transfer, accept, or avoid each identified risk, and documenting that decision with justification.
Why risk assessment is the first step in any compliance program
Risk assessment is not just one control among many. It is the control that determines which other controls you need, how you prioritize them, and how you allocate resources across your security program. Every major compliance framework treats risk assessment as the starting point for a reason: without it, your security controls are based on assumptions rather than evidence.
Consider a SaaS company that implements full-disk encryption, multi-factor authentication, and a web application firewall -- but has not assessed vendor risk and is sharing production customer data with a sub-processor that stores it unencrypted on a misconfigured S3 bucket. The company invested in real controls but missed the actual risk. A risk assessment would have surfaced the vendor exposure before an auditor -- or an attacker -- found it.
Risk assessment is also how auditors determine whether your security program is proportionate to your environment. An auditor will not fail a 20-person startup for lacking a Security Operations Center. But they will fail a company of any size for having no documented understanding of what risks it faces and how it has chosen to address them.
Risk assessment vs. vulnerability assessment vs. penetration testing
These are distinct activities with different scopes, and auditors treat them as separate controls:
- Risk assessment is a business-level analysis of threats, likelihood, impact, and treatment decisions across your entire organization. It includes technical risks but also covers operational, compliance, vendor, and human risks.
- Vulnerability assessment is a technical scan for known weaknesses in specific systems -- missing patches, misconfigurations, outdated software. It is one input into a risk assessment. For implementation guidance, see our Vulnerability Management Program Guide.
- Penetration testing is a simulated attack by a skilled tester to validate whether your defenses work in practice. It tests assumptions made during the risk assessment.
A risk assessment uses the outputs of vulnerability assessments and penetration tests as inputs, but its scope is far broader. You cannot replace a risk assessment with a vulnerability scan, and no auditor will accept one as a substitute.
Risk Assessment Requirements by Framework
Every major compliance framework mandates risk assessment, but the specificity of those requirements varies. Understanding exactly what each framework expects is essential for building an assessment process that satisfies all of them simultaneously.
SOC 2: Common Criteria CC3.2
SOC 2 addresses risk assessment under CC3.2 (Risk Assessment), which requires the organization to identify risks to the achievement of its objectives and analyze those risks as a basis for determining how they should be managed. Specifically, SOC 2 auditors evaluate whether:
- The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to those objectives
- The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
- The entity considers the potential for fraud in assessing risks
SOC 2 is principles-based, meaning it does not prescribe a specific risk assessment methodology or template. Your auditor determines whether your approach is "suitably designed" and "operating effectively." This gives you flexibility, but it also means you cannot hide behind a checklist. You must demonstrate that your risk assessment reflects your actual environment, that it informed your control selection, and that it is maintained over time.
For a complete overview of SOC 2 requirements, see our SOC 2 Compliance Guide.
ISO 27001: Clause 6.1.2
ISO 27001 contains the most prescriptive risk assessment requirements of any major framework. Clause 6.1.2 requires the organization to:
- Define and apply an information security risk assessment process that establishes and maintains risk criteria (including risk acceptance criteria and criteria for performing risk assessments)
- Ensure that repeated risk assessments produce consistent, valid, and comparable results
- Identify risks associated with the loss of confidentiality, integrity, and availability of information within the scope of the ISMS
- Identify risk owners
- Analyze the likelihood and consequences of each identified risk
- Evaluate the results against risk criteria and prioritize risks for treatment
ISO 27001 auditors will examine your risk assessment methodology document, verify that the methodology was followed consistently, review the risk register, check that risk owners are assigned and aware of their responsibilities, and confirm that the risk assessment informed your Statement of Applicability and risk treatment plan. The assessment must be repeated at planned intervals or when significant changes occur.
For ISO 27001 implementation guidance, see our ISO 27001 Certification Guide.
HIPAA: Section 164.308(a)(1)(ii)(A)
HIPAA takes a direct and non-negotiable approach. The Security Rule requires every Covered Entity and Business Associate to:
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
The Office for Civil Rights (OCR) has issued tens of millions of dollars in penalties to healthcare organizations whose violations stemmed from failure to conduct or maintain a proper risk assessment. OCR guidance specifies that a compliant risk assessment must include: scoping of all ePHI, identification of where ePHI is stored, received, maintained, or transmitted, threat identification, vulnerability identification, assessment of current security measures, determination of likelihood and impact, risk level determination, documentation, and periodic review.
HIPAA risk assessments must be updated annually and whenever material changes occur to operations, systems, or the threat environment. For HIPAA-specific risk assessment guidance, see our HIPAA Risk Assessment Template.
PCI DSS: Requirement 12.2
PCI DSS v4.0 Requirement 12.2 requires organizations to perform a risk assessment at least once every 12 months and upon significant changes to the environment. The risk assessment must:
- Identify critical assets, threats, and vulnerabilities
- Result in a formal, documented analysis of risk
- Be performed by qualified personnel
PCI DSS assessors (QSAs) will request documentation of the methodology, the completed assessment, evidence of annual review, and proof that the assessment influenced security control decisions. For PCI DSS implementation guidance, see our PCI DSS Compliance Guide.
NIST CSF: ID.RA (Identify - Risk Assessment)
The NIST Cybersecurity Framework 2.0 dedicates an entire subcategory to risk assessment under the Identify function:
- ID.RA-01: Asset vulnerabilities are identified, validated, and recorded
- ID.RA-02: Cyber threat intelligence is received from information sharing forums and sources
- ID.RA-03: Internal and external threats are identified and recorded
- ID.RA-04: Potential business impacts and likelihoods are identified
- ID.RA-05: Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization
- ID.RA-06: Risk responses are chosen, prioritized, planned, tracked, and communicated
While NIST CSF is not a certification, it is increasingly referenced in government contracts, enterprise procurement requirements, and as a mapping framework for multi-framework compliance programs. For a complete NIST CSF implementation guide, see our NIST Cybersecurity Framework Guide.
The bottom line for multi-framework compliance
If you build your risk assessment process to satisfy ISO 27001 Clause 6.1.2 -- which is the most demanding of the group -- you will automatically satisfy the risk assessment requirements of SOC 2, HIPAA, PCI DSS, and NIST CSF. Start with ISO 27001's rigor and add framework-specific scope requirements (ePHI for HIPAA, cardholder data for PCI DSS) as overlays.
The Risk Assessment Process: 8 Steps
The following methodology works across all major compliance frameworks. Each step produces documented output that auditors can examine as evidence.
Step 1: Asset Inventory
You cannot assess risk to assets you do not know about. The first step is building a comprehensive inventory of information assets within scope.
What to inventory:
- Customer data stores (databases, data warehouses, file storage, backups)
- Production infrastructure (servers, containers, serverless functions, network devices)
- SaaS applications that store or process sensitive data
- Employee endpoints (laptops, mobile devices)
- Source code repositories
- API integrations and data flows between systems
- Physical assets (office locations, on-premises equipment)
- Intellectual property and proprietary algorithms
For each asset, document:
- Asset name and description
- Data classification (public, internal, confidential, restricted)
- Asset owner (a named individual, not a department)
- Location (cloud region, data center, SaaS vendor)
- Upstream and downstream data flows
The asset inventory is a living document. Update it whenever systems are added, decommissioned, or significantly modified.
Step 2: Threat Identification
For each asset or asset group, identify the threats that could compromise its confidentiality, integrity, or availability. Threats are external or internal events or actions that could cause harm.
Common threat categories:
- External attackers: Ransomware, phishing, credential stuffing, supply chain attacks, DDoS
- Insider threats: Malicious employees, accidental data exposure, privilege misuse
- Natural events: Power outages, natural disasters affecting data center availability
- Technical failures: Hardware failure, software bugs, configuration drift, data corruption
- Vendor failures: Third-party breaches, vendor service outages, sub-processor incidents
- Regulatory changes: New compliance requirements, enforcement actions, cross-border data transfer restrictions
Use threat intelligence feeds, industry-specific threat reports (such as the Verizon DBIR), and your own incident history as inputs. Do not limit your analysis to threats you have experienced. Assess threats that are plausible for your industry, size, and technology stack.
Step 3: Vulnerability Analysis
For each identified threat, determine what vulnerabilities in your environment could allow that threat to succeed. A vulnerability is a weakness in a system, process, or control that a threat could exploit.
Sources of vulnerability data:
- Automated vulnerability scans (infrastructure and application)
- Penetration test reports
- Cloud security posture management (CSPM) findings
- Configuration audits
- Access control reviews
- Policy gap analysis
- Previous audit findings
The combination of a threat and an exploitable vulnerability creates a risk scenario. For example: "Threat: credential stuffing attack. Vulnerability: customer-facing application lacks rate limiting and MFA. Risk scenario: unauthorized access to customer accounts."
Step 4: Likelihood Assessment
For each risk scenario, assess the probability that the threat will materialize and exploit the vulnerability within a defined time period (typically 12 months). Use a consistent scale:
| Score | Likelihood Level | Description |
|---|---|---|
| 1 | Rare | Less than 5% chance in 12 months; no history of occurrence; requires highly unlikely conditions |
| 2 | Unlikely | 5-20% chance; has occurred in the industry but not in this organization; requires specific conditions |
| 3 | Possible | 20-50% chance; has occurred at similar organizations or has near-miss history internally |
| 4 | Likely | 50-80% chance; has occurred at this organization or occurs regularly in the industry |
| 5 | Almost Certain | Greater than 80% chance; has occurred multiple times; active threat campaigns targeting this attack vector |
Factors that increase likelihood: Internet-facing systems, high-value data targets, known unpatched vulnerabilities, lack of compensating controls, active threat campaigns in the industry, previous incidents.
Factors that decrease likelihood: Defense-in-depth controls, low public exposure, effective monitoring and detection, regular patching cadence, security awareness training.
Step 5: Impact Analysis
For each risk scenario, assess the potential business impact if the threat materializes. Impact should be evaluated across multiple dimensions:
| Score | Impact Level | Description |
|---|---|---|
| 1 | Negligible | Minimal disruption; no data loss; no regulatory notification required; less than $10,000 in direct costs |
| 2 | Minor | Limited disruption; small number of records affected; minor regulatory implications; $10,000-$100,000 in costs |
| 3 | Moderate | Significant disruption to operations; material data exposure; regulatory notification may be required; $100,000-$500,000 in costs |
| 4 | Major | Severe disruption; large-scale data breach; regulatory penalties likely; customer attrition; $500,000-$5,000,000 in costs |
| 5 | Critical | Existential threat; massive data breach; regulatory enforcement action; loss of major customers; greater than $5,000,000 in costs |
Impact dimensions to evaluate:
- Financial: Direct costs (remediation, notification, legal fees), indirect costs (lost revenue, increased insurance premiums)
- Regulatory: Notification obligations, potential fines, enforcement actions, loss of certifications
- Operational: Service downtime, recovery time, resource diversion from planned work
- Reputational: Customer trust erosion, media coverage, impact on sales pipeline
- Legal: Breach of contractual obligations, litigation exposure, regulatory consent orders
Step 6: Risk Scoring
Combine likelihood and impact scores to produce a risk score for each scenario. The standard approach is multiplication:
Risk Score = Likelihood x Impact
This produces a score between 1 and 25, which maps to risk levels that determine treatment priority. See the full Risk Assessment Matrix in the next section.
Step 7: Treatment Planning
For each identified risk, select a treatment strategy:
- Mitigate: Implement controls to reduce the likelihood or impact of the risk. This is the most common treatment. Example: deploy MFA to mitigate credential compromise risk.
- Transfer: Shift the financial impact to a third party. Example: purchase cyber insurance, use a payment processor to remove cardholder data from your environment.
- Accept: Acknowledge the risk and take no further action, with documented justification and management approval. Acceptable only for risks that fall within your defined risk appetite.
- Avoid: Eliminate the risk entirely by removing the activity or asset. Example: stop collecting a category of sensitive data you do not need.
Every treatment decision must be documented, justified, and approved by the designated risk owner. Acceptance of high or critical risks requires explicit sign-off from senior management or the board, depending on your risk governance structure.
Step 8: Documentation
Document the entire process and its outputs in a format that auditors can review. Required documentation includes:
- Risk assessment methodology document: Defines how assessments are conducted, including scoring criteria, risk appetite statements, roles, and review cadence
- Asset inventory: The scoped list of assets assessed
- Risk register: The complete list of identified risks with scores, owners, and treatment decisions (see the Risk Register template below)
- Risk treatment plan: Specific actions, timelines, responsible parties, and target risk levels for each risk being mitigated
- Management sign-off: Evidence that leadership reviewed and approved the risk assessment results and treatment decisions
- Review history: Dates and outcomes of periodic reviews and updates
Risk Assessment Methodologies: Qualitative, Quantitative, and Hybrid
There are three broad approaches to risk assessment. The right choice depends on your organization's maturity, data availability, and the expectations of your target compliance framework.
Qualitative risk assessment
Qualitative assessments use descriptive categories (Low, Medium, High, Critical) and ordinal scales rather than precise numerical values. The 5x5 likelihood/impact matrix described in this guide is a qualitative methodology.
Advantages:
- Faster to conduct and easier to maintain
- Requires less data -- useful for organizations with limited incident history
- Accessible to non-technical stakeholders
- Sufficient for SOC 2, ISO 27001, HIPAA, and PCI DSS compliance
- Produces clear, prioritized outputs that drive action
Limitations:
- Subjective -- different assessors may score the same risk differently
- Does not produce dollar-denominated risk values for ROI calculations
- Can be difficult to compare risks across different business units or contexts
When to use: For most SaaS companies pursuing their first or second compliance certification. Qualitative is the standard approach for organizations with fewer than 500 employees and is what the majority of auditors expect to see.
Quantitative risk assessment
Quantitative assessments assign monetary values to risk using probabilistic models. The most established quantitative methodology is FAIR (Factor Analysis of Information Risk), which calculates risk as the probable frequency and probable magnitude of future loss events.
Advantages:
- Produces dollar-denominated risk values that translate directly into business decisions
- Enables cost-benefit analysis of security investments
- Reduces subjectivity by forcing explicit assumptions about frequency and magnitude
- Supports communication with CFOs, boards, and investors in financial terms
Limitations:
- Requires substantially more data, time, and expertise
- Data on breach frequency and cost is often unreliable or unavailable for specific scenarios
- Model outputs can create false precision -- a "$2.3 million annual loss expectancy" implies accuracy that the underlying data does not support
- Overkill for most compliance-driven risk assessments
When to use: When you need to justify specific security investments to a board or CFO, or when your risk management program has matured beyond the qualitative stage and you have sufficient internal data to support quantitative modeling.
Hybrid approach
Most mature organizations use a hybrid approach: qualitative risk assessment as the foundation for compliance and operational risk management, supplemented by quantitative analysis for the highest-priority risks where investment decisions require financial justification.
Example: A SaaS company conducts a qualitative risk assessment covering all 80 identified risk scenarios for SOC 2 and ISO 27001 compliance. For the five critical-rated risks, the security team performs a FAIR analysis to build a business case for the investments required to mitigate them -- a $400,000 data loss prevention implementation, a $150,000 security operations center engagement, and a $200,000 infrastructure redesign to isolate production environments.
The qualitative assessment satisfies the auditors. The quantitative analysis satisfies the CFO. Both serve different stakeholders with the right level of detail.
The Risk Assessment Matrix: How to Score and Prioritize Risks
The risk assessment matrix (also called a risk heat map) is the visual tool that maps likelihood and impact scores to risk levels. It is the single most referenced artifact in any risk assessment and the first thing most auditors ask to see.
The 5x5 Likelihood/Impact Matrix
| Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5) | |
|---|---|---|---|---|---|
| Almost Certain (5) | Medium (5) | High (10) | High (15) | Critical (20) | Critical (25) |
| Likely (4) | Low (4) | Medium (8) | High (12) | High (16) | Critical (20) |
| Possible (3) | Low (3) | Medium (6) | Medium (9) | High (12) | High (15) |
| Unlikely (2) | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10) |
| Rare (1) | Low (1) | Low (2) | Low (3) | Low (4) | Medium (5) |
Risk Level Definitions
| Risk Level | Score Range | Treatment Requirement | Timeline |
|---|---|---|---|
| Critical | 20-25 | Immediate mitigation required. Senior management notification. Treatment plan within 48 hours. | Remediate within 30 days |
| High | 10-16 | Active mitigation required. Risk owner must develop and execute treatment plan. | Remediate within 90 days |
| Medium | 5-9 | Mitigation planned. Risk owner monitors and addresses within normal planning cycles. | Remediate within 180 days |
| Low | 1-4 | Accept or monitor. Document acceptance decision with justification. | Review annually |
How to use the matrix
- For each risk scenario, plot the likelihood score (vertical axis) against the impact score (horizontal axis).
- The intersection gives you the risk level and numerical score.
- Sort all risks by score from highest to lowest.
- Apply the treatment requirements and timelines for each risk level.
- Present the results to management for review and approval.
The matrix should be calibrated to your organization's risk appetite. Some organizations define Critical as anything scoring 15 or above rather than 20. Others collapse the 5x5 matrix into a 3x3 for simplicity. What matters is that the matrix is documented, consistently applied, and approved by management before use.
Building a Risk Register: Template with Examples
The risk register is the central artifact of your risk assessment program. It is a structured record of every identified risk, its score, its owner, and its treatment status. Auditors across every major framework will ask for the risk register, and many will use it as the starting point for their entire assessment of your security program.
Risk Register Template
The following table provides a template populated with example entries relevant to SaaS companies pursuing SOC 2, ISO 27001, HIPAA, or PCI DSS compliance.
| Risk ID | Risk Description | Asset/Process | Threat Category | Likelihood (1-5) | Impact (1-5) | Risk Score | Risk Level | Risk Owner | Treatment Strategy | Treatment Description | Status | Target Date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Unauthorized access to production database via compromised employee credentials | Production Database | External Attack | 4 | 5 | 20 | Critical | VP Engineering | Mitigate | Implement MFA on all database access, enforce least-privilege access policies, deploy database activity monitoring | In Progress | 2026-04-15 |
| R-002 | Ransomware encrypts production systems, causing extended service outage | Production Infrastructure | External Attack | 3 | 5 | 15 | High | VP Engineering | Mitigate | Implement endpoint detection and response (EDR), segment network, maintain offline backups with tested restoration procedures | In Progress | 2026-05-01 |
| R-003 | Third-party vendor breach exposes customer data shared via API integration | Vendor Integrations | Vendor Risk | 3 | 4 | 12 | High | Head of Security | Mitigate | Implement vendor risk assessment program, minimize data shared with vendors, require SOC 2 reports or equivalent assurance, add breach notification clauses to contracts | In Progress | 2026-06-01 |
| R-004 | Employee accidentally exposes customer PII by misconfiguring cloud storage bucket | Cloud Storage (S3/GCS) | Insider Threat | 3 | 4 | 12 | High | Cloud Architect | Mitigate | Enforce bucket-level encryption and private-by-default policies, deploy CSPM tool to detect misconfigurations, implement infrastructure-as-code reviews | Complete | -- |
| R-005 | Phishing attack compromises employee credentials, granting attacker access to internal systems | Employee Accounts | External Attack | 4 | 3 | 12 | High | IT Manager | Mitigate | Deploy phishing-resistant MFA (FIDO2), conduct quarterly phishing simulations, implement email filtering and link scanning | In Progress | 2026-04-30 |
| R-006 | Unpatched critical vulnerability in web application exploited before remediation | Web Application | External Attack | 3 | 4 | 12 | High | Engineering Lead | Mitigate | Implement automated dependency scanning in CI/CD, define SLAs for vulnerability remediation (critical: 7 days), conduct quarterly penetration testing | In Progress | 2026-05-15 |
| R-007 | Loss of key personnel with sole knowledge of critical system architecture | Business Operations | Operational | 3 | 3 | 9 | Medium | CTO | Mitigate | Document system architecture and runbooks, cross-train team members on critical systems, implement knowledge management practices | In Progress | 2026-07-01 |
| R-008 | Power outage or natural disaster renders primary data center unavailable | Production Infrastructure | Natural Event | 2 | 4 | 8 | Medium | VP Engineering | Mitigate | Deploy multi-region architecture, maintain automated failover, test disaster recovery procedures quarterly | Complete | -- |
| R-009 | Regulatory changes impose new compliance requirements that the organization is not prepared for | Compliance Program | Compliance | 3 | 3 | 9 | Medium | Head of Compliance | Mitigate | Subscribe to regulatory monitoring services, participate in industry associations, conduct quarterly regulatory change reviews, maintain a framework-agnostic control library | In Progress | 2026-06-15 |
| R-010 | Insider maliciously exfiltrates customer data | Customer Data Stores | Insider Threat | 2 | 5 | 10 | High | Head of Security | Mitigate | Implement data loss prevention (DLP), enforce least-privilege access, enable audit logging on all data stores, conduct background checks | In Progress | 2026-05-30 |
| R-011 | Denial-of-service attack renders customer-facing application unavailable | Web Application | External Attack | 3 | 3 | 9 | Medium | VP Engineering | Mitigate | Deploy DDoS protection service, implement rate limiting, configure auto-scaling, establish incident response playbook for availability events | Complete | -- |
| R-012 | Backup failure results in inability to recover data after an incident | Backup Systems | Technical Failure | 2 | 5 | 10 | High | Infrastructure Lead | Mitigate | Implement automated backup verification, test restoration procedures monthly, maintain backups in separate cloud account, alert on backup job failures | In Progress | 2026-04-30 |
| R-013 | Shadow IT -- employees use unapproved SaaS tools to process customer data | Employee Devices/SaaS | Operational | 3 | 3 | 9 | Medium | IT Manager | Mitigate | Implement SaaS discovery and monitoring, enforce acceptable use policy, conduct annual software audit, provide approved alternatives for common needs | In Progress | 2026-06-30 |
| R-014 | API key or secret leaked in source code repository | Source Code Repository | Insider Threat | 3 | 4 | 12 | High | Engineering Lead | Mitigate | Implement pre-commit secret scanning hooks, deploy automated secret detection in CI/CD, rotate all secrets on regular cadence, use secrets management vault | Complete | -- |
| R-015 | Inadequate logging results in inability to investigate a security incident | Monitoring Systems | Operational | 2 | 4 | 8 | Medium | Head of Security | Mitigate | Implement centralized log management, define minimum log retention periods (1 year), configure alerting for security-relevant events, test log integrity regularly | In Progress | 2026-05-15 |
How to maintain the risk register
The risk register is a living document, not a point-in-time artifact. Maintain it by:
- Reviewing the full register quarterly at a minimum, with the security team and risk owners
- Updating risk scores when new threat intelligence, vulnerability data, or incident data changes your assessment of likelihood or impact
- Adding new risks as new assets, vendors, or business activities are introduced
- Closing risks when they are fully mitigated, transferred, or the underlying asset is decommissioned -- with documentation of the closure rationale
- Tracking treatment progress to ensure that mitigation actions are completed within defined timelines
- Versioning the register so auditors can see the history of changes over time
Auditors will compare the current risk register against the previous version to verify that the organization is actively managing risk rather than producing a static document.
Common Risk Categories for SaaS Companies
Organizing risks into categories ensures comprehensive coverage during the assessment. SaaS companies typically face risks across five major domains.
Technical risks
Technical risks arise from the technology stack, infrastructure, and software that the organization builds and operates.
- Unpatched vulnerabilities in application dependencies
- Misconfigured cloud infrastructure (security groups, IAM policies, storage permissions)
- Insecure API design and implementation
- Insufficient encryption for data at rest and in transit
- Single points of failure in architecture
- Inadequate logging, monitoring, and alerting
- Container and Kubernetes security misconfigurations
- Secrets management failures (hardcoded credentials, exposed API keys)
Operational risks
Operational risks arise from the people, processes, and procedures that run the organization day-to-day.
- Key person dependency for critical systems or knowledge
- Inadequate change management processes leading to production incidents
- Insufficient business continuity and disaster recovery planning
- Shadow IT and unapproved tool usage
- Inadequate incident response capabilities
- Lack of security awareness training
For guidance on change management, see our Change Management Process Guide. For incident response planning, see our Incident Response Plan Guide.
Compliance risks
Compliance risks arise from the regulatory and contractual obligations the organization must meet.
- Failure to meet new or evolving regulatory requirements
- Gaps in audit evidence collection and documentation
- Non-compliance with data residency or data sovereignty requirements
- Inadequate privacy controls for GDPR, CCPA, or other data protection regulations
- Failure to maintain certifications due to control degradation
Vendor and third-party risks
Vendor risks arise from the organization's dependence on external service providers and business partners.
- Third-party data breaches affecting shared data
- Vendor service outages disrupting business operations
- Sub-processor risks (your vendors' vendors)
- Inadequate vendor security controls
- Vendor lock-in creating operational and migration risk
- Failure to maintain Business Associate Agreements (for HIPAA) or Data Processing Agreements (for GDPR)
For a comprehensive guide to managing vendor risk, see our Vendor Risk Management Guide. For vendor assessment methodology, see our Third-Party Risk Assessment Guide.
Human risks
Human risks arise from the actions -- intentional or accidental -- of employees, contractors, and other individuals with access to organizational systems and data.
- Phishing and social engineering susceptibility
- Accidental data exposure or deletion
- Privilege misuse by authorized users
- Insider threat from disgruntled employees or contractors
- Insufficient background checks during hiring
- Weak password practices and credential reuse
Risk Treatment Plans: From Assessment to Action
Identifying risks without treating them is the most common failure mode in compliance risk management. Auditors do not give credit for a comprehensive risk register if there is no evidence that the organization acted on its findings. The risk treatment plan bridges the gap between assessment and action.
Structure of a risk treatment plan
For each risk that requires treatment (anything rated Medium or above), document:
- Risk ID: Reference to the risk register entry
- Current risk score: The score before treatment
- Target risk score: The score you expect after treatment is complete
- Treatment actions: Specific, measurable actions with clear deliverables
- Responsible party: A named individual (not a team or department)
- Timeline: Start date, milestone dates, and completion deadline
- Resource requirements: Budget, personnel, tools, or vendor engagements needed
- Acceptance criteria: How you will verify that the treatment was effective
- Residual risk: The risk that remains after treatment, with justification for why it is acceptable
Example treatment plan entry
Risk ID: R-001 -- Unauthorized access to production database via compromised employee credentials
| Element | Detail |
|---|---|
| Current Risk Score | 20 (Critical) |
| Target Risk Score | 6 (Medium) |
| Treatment Action 1 | Enforce MFA on all database access paths (direct, VPN, bastion host) |
| Treatment Action 2 | Implement role-based access control with quarterly access reviews |
| Treatment Action 3 | Deploy database activity monitoring with alerting for anomalous queries |
| Treatment Action 4 | Reduce standing privileged access; implement just-in-time access provisioning |
| Responsible Party | VP Engineering (Actions 1-2), Head of Security (Actions 3-4) |
| Timeline | Complete by April 15, 2026 |
| Budget | $45,000 (DAM tool licensing) + 120 engineering hours |
| Acceptance Criteria | Zero direct database access without MFA; all privileged access time-limited; DAM alerts tested with simulated anomalous activity |
| Residual Risk | Risk of MFA bypass via sophisticated attack (e.g., MFA fatigue, SIM swap). Residual likelihood reduced to 2; residual impact remains 3. Residual score: 6 (Medium). Accepted. |
Treatment plan governance
- Treatment plans must be reviewed and approved by the risk owner before implementation begins
- Progress against treatment plans should be reported to management monthly
- Overdue treatment actions must be escalated with documented justification for the delay
- When treatment is complete, the risk owner must verify effectiveness and update the risk register with the new (residual) risk score
- Treatment plans that change scope, timeline, or budget require re-approval
How Often Should You Conduct Risk Assessments?
The short answer is at least annually, plus whenever something significant changes. The longer answer depends on your compliance requirements and operational context.
Annual assessment (required by all frameworks)
Every major compliance framework requires at least annual risk assessments:
- SOC 2: Assessed annually as part of the audit period; the auditor verifies that the risk assessment reflects the current environment
- ISO 27001: Clause 6.1.2 requires risk assessments "at planned intervals" -- annual is the minimum expectation for certification audits
- HIPAA: OCR guidance calls for periodic review; annual is the accepted minimum
- PCI DSS: Requirement 12.2 explicitly requires annual risk assessment
- NIST CSF: The Identify function implies ongoing risk assessment; annual full assessment with continuous monitoring is the recommended practice
Trigger-based assessments
Beyond the annual cycle, risk assessments should be updated when specific events occur:
- Major infrastructure changes: Migration to a new cloud provider, adoption of a new architecture pattern, deployment of a new production system
- Significant business changes: Expansion into new markets, acquisition of another company, launch of a new product line, changes in data types processed
- Security incidents: Any incident that exposes a previously unidentified risk or changes the likelihood or impact assessment of a known risk
- New regulatory requirements: When new laws, regulations, or framework versions introduce requirements that affect your risk landscape
- Vendor changes: Onboarding a new critical vendor, terminating a vendor relationship, learning of a vendor breach
- Audit findings: When an external audit identifies gaps that indicate the risk assessment is incomplete or outdated
- Organizational changes: Significant headcount changes, leadership transitions, restructuring of the security or engineering team
Continuous risk monitoring
Annual assessments supplemented by trigger-based reviews are the compliance minimum. Mature organizations also implement continuous risk monitoring -- automated processes that detect changes to the risk landscape between formal assessments. This includes:
- Automated vulnerability scanning feeding into risk scores
- Cloud security posture management (CSPM) alerting on configuration drift
- Vendor monitoring services that track changes in vendor security posture
- Threat intelligence feeds that update likelihood assessments based on active threat campaigns
Continuous monitoring does not replace the formal annual assessment. It ensures that the risk register stays current between assessments and that emerging risks are identified before the next scheduled review.
Risk Assessment Documentation for Audit Evidence
The risk assessment itself is only half the work. The other half is ensuring that your documentation meets the evidence standards that auditors require. A thorough risk assessment with poor documentation will generate audit findings just as readily as a weak assessment with excellent documentation.
What auditors examine
Across SOC 2, ISO 27001, HIPAA, and PCI DSS, auditors evaluate the following evidence categories:
Process evidence:
- Documented risk assessment methodology (approved by management)
- Defined roles and responsibilities for the risk assessment process
- Evidence that the methodology was actually followed (not just documented)
- Training records for personnel who conduct risk assessments
Output evidence:
- Complete risk register with all required fields populated
- Risk scoring that is consistent with the documented methodology
- Risk treatment plans for all risks above the acceptance threshold
- Management sign-off on risk assessment results and treatment decisions
Maintenance evidence:
- Version history of the risk register showing updates over time
- Meeting minutes from risk review sessions
- Evidence of trigger-based reassessments when significant changes occurred
- Trend data showing how the risk profile has changed between assessment periods
Effectiveness evidence:
- Metrics demonstrating that treatment plans are being executed on schedule
- Evidence that completed treatments achieved the target risk reduction
- Correlation between the risk assessment and actual security control implementation (i.e., the controls you implemented map to the risks you identified)
Documentation best practices
-
Version everything. Maintain version history for the risk register, methodology document, and treatment plans. Auditors want to see the progression over time, not just the current state.
-
Date-stamp and attribute all entries. Every risk register entry should include the date it was identified, the date it was last reviewed, and the name of the person who assessed it.
-
Link risks to controls. For each risk in the register, reference the specific controls that mitigate it. This demonstrates that your security program is risk-driven rather than arbitrary.
-
Document risk acceptance explicitly. When you accept a risk (do not mitigate, transfer, or avoid it), the acceptance must be documented with the rationale, the authorized approver, the approval date, and the conditions under which the acceptance will be re-evaluated.
-
Maintain an audit trail of changes. When risk scores change, treatment plans are modified, or new risks are added, the change history should be preserved. A risk register with no change history suggests it is either new or not being maintained.
-
Store evidence centrally. Keep all risk assessment documentation in a central repository that is access-controlled and backed up. Auditors should not need to chase artifacts across email threads, shared drives, and chat messages.
Tools for Conducting Risk Assessments
The choice of tooling depends on your organization's size, compliance requirements, and budget. Here is how the options break down, from simplest to most sophisticated.
Spreadsheets
For early-stage companies conducting their first risk assessment, a well-structured spreadsheet is a legitimate starting point. Use the risk register template provided earlier in this guide as a foundation.
Pros: Zero cost, fully customizable, no learning curve, portable.
Cons: No workflow automation, no audit trail without manual discipline, version control is fragile, does not scale past approximately 100 risk entries without becoming unwieldy.
When to use: First risk assessment, organizations with fewer than 50 employees, budget constraints that preclude dedicated tooling.
GRC platforms
Governance, Risk, and Compliance (GRC) platforms provide purpose-built functionality for risk assessment, risk registers, treatment tracking, and audit evidence management. They automate workflows, maintain audit trails, and map risks to specific compliance framework controls.
What to look for in a GRC platform:
- Built-in risk assessment templates aligned to SOC 2, ISO 27001, HIPAA, and PCI DSS
- Automated risk scoring with configurable matrices
- Risk register with treatment tracking and owner assignments
- Integration with vulnerability scanners, cloud environments, and ticketing systems to feed real-time data into risk assessments
- Audit evidence collection that links risk assessment artifacts to specific controls
- Reporting dashboards for management review and board-level reporting
When to use: Organizations pursuing formal compliance certifications, multi-framework programs, companies with more than 50 risk entries to manage.
Compliance automation platforms
Compliance automation platforms like QuickTrust go beyond traditional GRC by integrating directly with your cloud infrastructure, SaaS tools, and development pipelines. They continuously monitor your environment, automatically detect changes that affect your risk posture, and maintain audit-ready evidence without manual effort.
For risk assessment specifically, compliance automation platforms:
- Auto-discover assets from connected cloud environments, reducing the manual effort of building an asset inventory
- Map identified risks to specific framework controls, showing which risks your existing controls address and where gaps remain
- Track treatment plan progress alongside broader compliance readiness
- Generate auditor-ready risk assessment packages with all required documentation
- Alert on changes that may require reassessment -- new assets, configuration drift, vendor changes, failed controls
Specialized risk analysis tools
For organizations that need quantitative risk analysis, specialized tools built on the FAIR methodology (such as RiskLens or SAFE One) provide probabilistic risk modeling, Monte Carlo simulations, and financial loss projections. These tools are typically used by larger organizations with dedicated risk management teams and are not necessary for compliance-driven risk assessments at most SaaS companies.
Frequently Asked Questions
What is the difference between a risk assessment and a risk analysis?
The terms are often used interchangeably, but they refer to different stages of the same process. A risk assessment is the complete end-to-end process: identifying risks, analyzing them, evaluating them against criteria, and determining treatment. Risk analysis is the step within the assessment where you determine the likelihood and impact of each identified risk. In ISO 27001 terminology, risk analysis (Clause 6.1.2 d) is a subset of the broader risk assessment process.
Can I use one risk assessment for multiple compliance frameworks?
Yes, and you should. The risk assessment requirements across SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST CSF are compatible. Build your assessment process around the most demanding framework (ISO 27001 Clause 6.1.2), scope it to include all relevant data types and environments (ePHI for HIPAA, cardholder data for PCI DSS), and use it as the single source of truth across all your compliance programs. One assessment, maintained consistently, satisfies them all.
How long does a risk assessment take?
For a SaaS company with 20-100 employees and a standard cloud-native architecture, expect the initial risk assessment to take 2-4 weeks of focused effort. This includes asset inventory, threat and vulnerability identification, scoring, treatment planning, and documentation. Subsequent annual reviews typically take 1-2 weeks because you are updating an existing assessment rather than building one from scratch. The timeline shortens significantly with automation tools that pre-populate asset inventories and map risks to framework controls.
What qualifications do I need to conduct a risk assessment?
No specific certification is required by SOC 2, ISO 27001, or HIPAA to conduct a risk assessment, though PCI DSS Requirement 12.2 requires "qualified personnel." In practice, the person leading the assessment should have a working knowledge of your technology environment, an understanding of common threats in your industry, and familiarity with the risk assessment methodology being used. Certifications like CISSP, CISM, CRISC, or ISO 27001 Lead Implementer demonstrate competence but are not mandatory. For organizations without internal expertise, engaging a qualified consultant or vCISO to lead the first assessment is a common and accepted approach.
What happens if an auditor finds a gap in my risk assessment?
The consequences depend on the severity and the framework. For SOC 2, a material gap in the risk assessment could result in a qualified opinion or a described exception in the auditor's report. For ISO 27001, a major nonconformity related to Clause 6.1.2 would prevent certification until the gap is remediated and verified. For HIPAA, absence of a risk assessment is one of the most heavily penalized findings in OCR enforcement actions -- the Premera Blue Cross settlement ($6.85 million) and Anthem settlement ($16 million) both cited inadequate risk assessments as central findings. For PCI DSS, a missing or inadequate risk assessment would result in a finding of non-compliance with Requirement 12.2.
Should I include risks I have already fully mitigated?
Yes. The risk register should include all identified risks, including those that have been fully mitigated. For mitigated risks, show the inherent risk score (before controls), the current residual risk score (after controls), and the controls that reduced the risk. This demonstrates to auditors that you identified the risk, took action, and can verify the effectiveness of your treatment. Removing fully mitigated risks from the register creates a misleading picture of your risk landscape.
How do I determine my organization's risk appetite?
Risk appetite is the level of risk your organization is willing to accept in pursuit of its objectives. It should be defined by senior management or the board and documented in your risk management policy. A practical approach is to define risk appetite by risk level: for example, "The organization accepts Low-rated risks without further treatment. Medium-rated risks require a documented treatment plan. High and Critical risks must be actively mitigated to reduce the residual score below the acceptance threshold." The key is to make risk appetite explicit and documented, rather than implicit and assumed.
Can I automate the risk assessment process?
You can automate significant portions of it. Asset discovery, vulnerability data collection, vendor monitoring, and evidence gathering can all be automated through integrations with your cloud infrastructure and security tools. Risk scoring can be partially automated when connected to real-time data feeds. However, the core analytical work -- identifying threats, assessing business impact, determining treatment strategies, and making risk acceptance decisions -- requires human judgment. Automation reduces the manual effort by 60-80% and ensures the assessment stays current between formal reviews, but it does not replace the need for a qualified human to analyze the results and make decisions.
Take the Manual Work Out of Risk Assessment
Risk assessment is the foundation of every compliance program, but it should not consume your security team's entire quarter. QuickTrust automates the most time-intensive parts of the process -- asset discovery, control mapping, evidence collection, and continuous monitoring -- so your team can focus on the analytical work that actually reduces risk.
QuickTrust's risk assessment capabilities include:
- Automated asset discovery from connected AWS, GCP, and Azure environments
- Pre-built risk assessment templates aligned to SOC 2, ISO 27001, HIPAA, PCI DSS, and NIST CSF
- Dynamic risk registers that update automatically as your environment changes
- Treatment plan tracking with owner assignments, deadlines, and progress reporting
- Continuous monitoring that detects changes affecting your risk posture and triggers reassessment workflows
- Audit-ready documentation packages that consolidate your risk assessment, risk register, treatment plans, and management sign-off into the format auditors expect
Whether you are conducting your first risk assessment or rebuilding a process that has not kept pace with your growth, QuickTrust gives you the tools and framework to get it done right -- without the spreadsheet chaos.
Start your free risk assessment with QuickTrust | Book a demo