Risk Register Guide
Living risk register with scoring, treatment, and links to SOC-019 minutes.
Risk Register and Treatment Plan
SOC 2 risk register template — Operational risk register — COR-003 describes program; this file is the data.
Recommended Owner: Security Lead | Risk owners per row
Document purpose
Living risk register with inherent/residual scoring and treatment (CC3).
In your program: COR-003 defines process; SOC-019 minutes document quarterly review of this file.
Getting Started
- Enable Editing; read the Instructions sheet first for tab order and version metadata.
- Use dropdowns in validated columns; delete gray sample rows before auditor samples.
- Check Dashboard after updates — formulas flag gaps and acceptance rates.
Fill out the file section by section
Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-030 file.
- Use Rating Key sheet scales consistently with SOC-019 section 2.
- After editing Instructions, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
- Risk ID stable quarter to quarter; Status Open/Closed with Last Review date.
- Inherent Impact/Likelihood and Residual Rating use dropdowns — do not type free text.
- Controls/Mitigation column = specific controls (SOC-009 MFA), not vague “good security”.
- Policy Ref usually COR-003; link COR-014 when Treatment = Accept.
Risk ID
- Assign stable Risk ID values — never reuse an ID for a different record in the audit period.
- Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).
Risk Description
- Write a specific Risk Description for each record and keep it stable — do not reword it so it describes a different risk within the audit period.
- Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).
TSC Ref
- Fill TSC Ref for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Threat / Cause
- Fill Threat / Cause for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Inherent Impact
- Use dropdown values for Inherent Impact — align definitions with COR-003, COR-008, or COR-009.
- Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.
Inherent Likelihood
- Use dropdown values for Inherent Likelihood — align definitions with COR-003, COR-008, or COR-009.
- Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.
Residual Rating
- Use dropdown values for Residual Rating — align definitions with COR-003, COR-008, or COR-009.
- Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.
Treatment
- Fill Treatment for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Controls / Mitigation
- Fill Controls / Mitigation for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Owner
- Name a person (not a team inbox) in Owner — auditors interview control owners.
- Must match COR-005 org chart or SOC-024 control owner assignments where applicable.
Target Date
- Use consistent Target Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
- Dates must match supporting evidence — auditors compare log timestamps to HR records.
Status
- Select Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
- Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.
Last Review
- Use consistent Last Review format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
- Dates must match supporting evidence — auditors compare log timestamps to HR records.
Policy Ref
- Fill Policy Ref for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Notes
- Fill Notes for every in-scope row on Risk Register — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Rating
- Use dropdown values for Rating — align definitions with COR-003, COR-008, or COR-009.
- Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.
- Customize likelihood/impact definitions once per year; document changes in SOC-019 minutes.
- After editing Rating Key, search for `[` placeholders and gray sample names — auditors flag incomplete templates.
Definition
- Fill Definition for every in-scope row on Rating Key — use dropdowns where provided.
- Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Before You Finalize
- Residual ratings updated after controls; Treatment Accept rows have COR-014 in Policy Ref or Notes.
- Dashboard shows no risks with blank Owner or Target Date.
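The pre-sign-off checks above, together with the column rules from the section list (stable unique Risk ID, dropdown-only ratings and Status, YYYY-MM-DD dates, a named Owner, a COR-014 reference on Accept rows, no leftover `[` placeholders), as an added validator in Python. This is example code, not part of the SOC-030 file or the toolkit; the column names follow the headings in this guide, while the dropdown value sets and the sample rows are constructed assumptions and should be replaced with the scales on your own Rating Key sheet.

```python
"""Pre-sign-off validator for a risk-register export (added example).

Not part of the SOC-030 template. Column names follow this guide; the
dropdown sets and the sample rows below are constructed assumptions.
"""
import re
from typing import Dict, List

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Assumed dropdown sets; align them with the Rating Key sheet you actually use.
RATING_VALUES = {"Low", "Medium", "High"}
STATUS_VALUES = {"Not Started", "In Progress", "Complete", "Closed", "Open"}
TREATMENT_VALUES = {"Mitigate", "Accept", "Transfer", "Avoid"}

# Columns that must not be blank for an active record (Notes is optional).
REQUIRED = ["Risk ID", "Risk Description", "TSC Ref", "Threat / Cause",
            "Inherent Impact", "Inherent Likelihood", "Residual Rating",
            "Treatment", "Controls / Mitigation", "Owner", "Target Date",
            "Status", "Last Review", "Policy Ref"]


def validate_register(rows: List[Dict[str, str]]) -> List[str]:
    """Return one finding per rule violation; an empty list means clean."""
    findings: List[str] = []
    seen_ids = set()
    for row in rows:
        rid = row.get("Risk ID", "").strip() or "<no id>"
        if rid in seen_ids:
            findings.append(f"{rid}: duplicate Risk ID")
        seen_ids.add(rid)

        for col in REQUIRED:
            if not row.get(col, "").strip():
                findings.append(f"{rid}: blank {col}")

        # Template placeholders such as "[Owner name]" left in any cell
        for col, val in row.items():
            if "[" in val:
                findings.append(f"{rid}: placeholder left in {col}")

        for col in ("Inherent Impact", "Inherent Likelihood", "Residual Rating"):
            val = row.get(col, "").strip()
            if val and val not in RATING_VALUES:
                findings.append(f"{rid}: {col} not a dropdown value ({val!r})")
        status = row.get("Status", "").strip()
        if status and status not in STATUS_VALUES:
            findings.append(f"{rid}: Status not a dropdown value ({status!r})")
        treatment = row.get("Treatment", "").strip()
        if treatment and treatment not in TREATMENT_VALUES:
            findings.append(f"{rid}: Treatment not a dropdown value ({treatment!r})")

        for col in ("Target Date", "Last Review"):
            val = row.get(col, "").strip()
            if val and not DATE_RE.match(val):
                findings.append(f"{rid}: {col} not YYYY-MM-DD ({val!r})")

        # Accepted risks must cite the risk-acceptance record in Policy Ref or Notes
        if treatment == "Accept":
            refs = row.get("Policy Ref", "") + " " + row.get("Notes", "")
            if "COR-014" not in refs:
                findings.append(f"{rid}: Accept without COR-014 reference")

        # Owner must be a named person, not a shared team inbox
        owner = row.get("Owner", "").strip()
        if owner and ("@" in owner or owner.lower().endswith(" team")):
            findings.append(f"{rid}: Owner looks like a team inbox ({owner!r})")
    return findings


# Constructed sample rows: one clean, one with scoring/date/acceptance gaps,
# one with a reused ID, blanks and leftover placeholders.
SAMPLE_ROWS = [
    {"Risk ID": "R-001", "Risk Description": "Phishing leads to credential compromise",
     "TSC Ref": "CC6.1", "Threat / Cause": "Phishing", "Inherent Impact": "High",
     "Inherent Likelihood": "Medium", "Residual Rating": "Low", "Treatment": "Accept",
     "Controls / Mitigation": "SOC-009 MFA", "Owner": "Jane Doe",
     "Target Date": "2025-03-31", "Status": "Open", "Last Review": "2025-01-15",
     "Policy Ref": "COR-003", "Notes": "Accepted per COR-014 record"},
    {"Risk ID": "R-002", "Risk Description": "Backup restore not tested",
     "TSC Ref": "A1.2", "Threat / Cause": "Untested backups", "Inherent Impact": "High",
     "Inherent Likelihood": "Low", "Residual Rating": "Med", "Treatment": "Accept",
     "Controls / Mitigation": "Quarterly restore test",
     "Owner": "security-team@example.com", "Target Date": "3/15/2025",
     "Status": "In Progress", "Last Review": "2025-01-15",
     "Policy Ref": "COR-003", "Notes": ""},
    {"Risk ID": "R-001", "Risk Description": "[Describe risk]",
     "TSC Ref": "CC3.2", "Threat / Cause": "Vendor outage", "Inherent Impact": "Medium",
     "Inherent Likelihood": "Medium", "Residual Rating": "Medium", "Treatment": "Mitigate",
     "Controls / Mitigation": "", "Owner": "[Owner name]", "Target Date": "2025-06-30",
     "Status": "Pending", "Last Review": "", "Policy Ref": "COR-003", "Notes": ""},
]

if __name__ == "__main__":
    for finding in validate_register(SAMPLE_ROWS):
        print(finding)
```

Run it against a CSV export of the Risk Register sheet (load the rows with `csv.DictReader`) before the quarterly SOC-019 review; any finding it prints is a cell an auditor would sample.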
Where to Store It
- Store the completed file in your compliance evidence folder (signed PDF for policies).
- Register the document in COR-013 with version, owner, and next review date.
- Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.