Sample Risk Register (Example Only)

Fictional Acme Corp risk rows — shows formatting auditors expect from SOC-030.

Sample Completed Risk Register

How to Fill Out This Sample Completed Risk Register

Sample SOC 2 risk register example — Reference example only. Copy structure into your live SOC-030 workbook; do not submit this file as audit evidence.

Recommended Owner: Security Lead | Delete sample rows before sharing internally

Document purpose

Illustrates a completed risk register with heat map and rating key — reference for SOC-030 formatting.

In your program: Not evidence; shows likelihood × impact scoring and rollup auditors expect from SOC-030.

Getting Started

  • Example only — sanitized fictional data (Acme Corp). Do not submit to auditors or regulators.
  • Copy structure and column usage into your live template (SOC-030, SOC-010, AI-014b, etc.).
  • Delete or overwrite every sample row before internal circulation.

Fill out the file section by section

Work through the sections below in order. Each block matches a heading or tab in the downloaded SOC-SAMP-01 file.

About
  • Read the sanitized-data warning before copying any row.
  • After editing About, search for `[` placeholders and gray sample names — auditors flag incomplete templates.

Risk Register
  • Note column layout (Risk ID, description, TSC Ref, inherent impact/likelihood, residual rating, treatment, owner) for your SOC-030.
  • Gray rows show realistic SaaS risks — replace with your asset inventory and SOC-019 outcomes.

Risk ID

  • Assign stable Risk ID values — never reuse an ID for a different record in the audit period.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

Risk Description

  • Keep the Risk Description stable for a given Risk ID across the audit period. If the risk changes materially, open a new ID rather than overwriting the description of an existing record.
  • Cross-reference IDs in related toolkit docs (SOC-021, COR-014, HR-001, etc.).

TSC Ref

  • Fill TSC Ref for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Threat / Cause

  • Fill Threat / Cause for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Inherent Impact

  • Use dropdown values for Inherent Impact — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Inherent Likelihood

  • Use dropdown values for Inherent Likelihood — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Residual Rating

  • Use dropdown values for Residual Rating — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Treatment

  • Fill Treatment for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Controls / Mitigation

  • Fill Controls / Mitigation for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Owner

  • Name a person (not a team inbox) in Owner — auditors interview control owners.
  • Must match COR-005 org chart or SOC-024 control owner assignments where applicable.

Target Date

  • Use consistent Target Date format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Status

  • Select Status from the dropdown — free text breaks Dashboard formulas and heatmaps.
  • Update through the lifecycle (Not Started → In Progress → Complete/Closed) before sign-off.

Last Review

  • Use consistent Last Review format (YYYY-MM-DD) aligned with HRIS, IdP, or LMS exports.
  • Dates must match supporting evidence — auditors compare log timestamps to HR records.

Policy Ref

  • Fill Policy Ref for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Notes

  • Fill Notes for every in-scope row on Risk Register — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Risk Summary
  • Dashboard-style rollup — your SOC-030 should expose similar counts for leadership.
  • After editing Risk Summary, search for `[` placeholders and gray sample names — auditors flag incomplete templates.

Metric

  • Fill Metric for every in-scope row on Risk Summary — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Value

  • Fill Value for every in-scope row on Risk Summary — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Rating

  • Use dropdown values for Rating — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Definition (example)

  • Fill Definition (example) for every in-scope row on Risk Summary — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.
Rating Key
  • Align definitions with COR-003 risk appetite before scoring production risks.
  • After editing Rating Key, search for `[` placeholders and gray sample names — auditors flag incomplete templates.

Rating

  • Use dropdown values for Rating — align definitions with COR-003, COR-008, or COR-009.
  • Inconsistent scoring between this file and meeting minutes (SOC-017/SOC-019) triggers auditor questions.

Definition (example)

  • Fill Definition (example) for every in-scope row on Rating Key — use dropdowns where provided.
  • Do not leave cells blank for active records; use N/A with a short reason if truly not applicable.

Before You Finalize

  • You are viewing an example — your SOC-030 must use your real risks and owners.
  • Remove this file from PBC packages unless your auditor explicitly requests a format sample.
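The pre-submission checks listed above (no `[` placeholders, dropdown-only Status and Rating values, YYYY-MM-DD dates, a named person as Owner, unique Risk IDs) and the likelihood × impact rollup that the Risk Summary tab exposes can be scripted against a CSV export of the Risk Register tab. The following Python script is an added example written for this page; it is not part of the SOC-SAMP-01 workbook or the toolkit. The column names follow the Risk Register layout described above, but the 1-5 impact/likelihood scales, the band cut-offs, the Status and Residual Rating vocabularies, and the three sample rows are constructed assumptions for illustration; your COR-003 definitions take precedence over them.

```python
"""Pre-submission checks for a SOC-030-style risk register CSV export.

Added example, not toolkit code. Column names match the Risk Register tab;
the scales, dropdown vocabularies and sample rows below are ASSUMED values.
"""
import csv
import io
import re
from collections import Counter

# Assumed dropdown vocabularies (align with your COR-003 rating key).
STATUS_VALUES = {"Not Started", "In Progress", "Complete", "Closed"}
RATING_VALUES = {"Low", "Medium", "High", "Critical"}
DATE_COLUMNS = ("Target Date", "Last Review")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # YYYY-MM-DD only

# Constructed sample export; rows 3 and 4 deliberately contain defects.
SAMPLE_CSV = """\
Risk ID,Risk Description,TSC Ref,Inherent Impact,Inherent Likelihood,Residual Rating,Treatment,Owner,Target Date,Status,Last Review
R-001,Unpatched public web server,CC7.1,4,3,Medium,Mitigate,Jane Doe,2025-03-31,In Progress,2025-01-15
R-002,Shared admin credentials,CC6.1,5,4,High,Mitigate,security-team@acme.example,2025-02-28,Done,2025-01-15
R-001,Backup restore untested,A1.2,3,2,[Rating],Accept,[Owner],31/03/2025,Not Started,2025-01-15
"""


def inherent_score(impact, likelihood):
    """Likelihood x impact on the assumed 1-5 scales; None if either is off-scale."""
    try:
        i, l = int(impact), int(likelihood)
    except (TypeError, ValueError):
        return None
    if not (1 <= i <= 5 and 1 <= l <= 5):
        return None
    return i * l


def band(score):
    """Map a 1-25 score to a rating band (assumed cut-offs, not COR-003 values)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def check_register(csv_text):
    """Validate each row and build a Risk Summary-style rollup.

    Returns (rollup, findings). rollup has 'total', 'by_inherent_band' and
    'by_status' counters; findings is a list of (row_number, risk_id, message).
    """
    findings, seen_ids = [], set()
    by_band, by_status = Counter(), Counter()
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for n, row in enumerate(rows, start=2):          # row 1 is the header
        rid = row.get("Risk ID", "")

        def flag(msg, n=n, rid=rid):
            findings.append((n, rid, msg))

        # Stable, unique IDs within the audit period.
        if rid in seen_ids:
            flag("duplicate Risk ID: IDs must be unique within the audit period")
        seen_ids.add(rid)
        # Unfilled template placeholders in any column.
        for col, val in row.items():
            if val and "[" in val:
                flag(f"{col}: unfilled placeholder {val!r}")
        # Dropdown-only columns; free text breaks dashboard formulas.
        if row["Status"] not in STATUS_VALUES:
            flag(f"Status {row['Status']!r} is not a dropdown value")
        by_status[row["Status"]] += 1
        if row["Residual Rating"] not in RATING_VALUES:
            flag(f"Residual Rating {row['Residual Rating']!r} is not a dropdown value")
        # Date columns must be YYYY-MM-DD so they compare with system exports.
        for col in DATE_COLUMNS:
            if not DATE_RE.match(row[col]):
                flag(f"{col} {row[col]!r} is not YYYY-MM-DD")
        # Owner must be a person, not a team mailbox.
        owner = row["Owner"].strip()
        if not owner or "@" in owner:
            flag("Owner must name a person, not a team inbox")
        # Inherent scoring and rollup by band.
        score = inherent_score(row["Inherent Impact"], row["Inherent Likelihood"])
        if score is None:
            flag("Inherent Impact/Likelihood must both be integers 1-5")
        else:
            by_band[band(score)] += 1
    rollup = {"total": len(rows), "by_inherent_band": by_band, "by_status": by_status}
    return rollup, findings


if __name__ == "__main__":
    rollup, findings = check_register(SAMPLE_CSV)
    print("Rollup:", dict(rollup["by_inherent_band"]), dict(rollup["by_status"]))
    for row_no, rid, msg in findings:
        print(f"row {row_no} ({rid}): {msg}")
```

Run it against `SAMPLE_CSV` and the clean first row passes, the second row is flagged for a non-dropdown Status and a mailbox Owner, and the third for a reused Risk ID, two `[` placeholders, an invalid Residual Rating and a non-ISO Target Date. Replace the constants at the top with the values from your own rating key and Status dropdown before pointing the script at a real export.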

Where to Store It

  • Store the completed file in your compliance evidence folder (signed PDF for policies).
  • Register the document in COR-013 with version, owner, and next review date.
  • Link the file from your evidence index or SOC-005 project plan when you use Phase 3 trackers.

Next Steps

After customizing Sample Completed Risk Register:

  1. Complete the file: Finish every section or tab in SOC-SAMP-01.
  2. Register: Add version and owner to COR-013.
  3. Operationalize: Train owners listed in the document.
  4. Evidence: Keep exports auditors can sample during fieldwork.