The ISMS Risks & Treatments Map is your central tool for recording and managing risks in ISMS.online. It allows you to:

  • Record risks, their likelihood and impact
  • Define proposed treatments and track progress
  • Keep all risk-related information in one accessible location

The ISO 27001 Policies & Controls area comes with a built-in Risk Register and Map, and Risk Registers can also be created as standalone tools or integrated into other work areas, such as project-specific risk management.

Using the ISMS Risks & Treatments Map

Creating a new risk

When creating a risk, you can add the following details:

  • Description: Describe the risk.
  • Risk status: Indicate if the risk is Open or Closed.
  • Potential consequence: Explain the possible impact if the risk is not mitigated.
  • Origin: Identify where the risk arises from.
  • Type of risk: Choose Threat or Opportunity. If your risk does not fit either category, contact our Support Team to customise the dropdown.
  • Owner: Assign a team member responsible for monitoring the risk.
  • Action: Select the Action associated with the risk, which can also be updated when adding a reading.
  • Dates – Review/Reminder: Schedule when the risk should be reviewed and when reminders should be sent.
Adding a reading

Once a risk is created, click Add Reading on the right-hand side of the page to record the following:

  • Impact: Define the impact score using Confidentiality, Integrity, and Availability. The highest of the three is recorded as the Impact score.
  • Likelihood: Set the Likelihood score (from Very Low to Very High).
  • Action: Assign or update the action for this risk.
  • Target Reading (optional): Indicate your goal for this risk. Target readings appear as a blue dot and cannot be removed.


Note: The first reading added is your Original Reading, which remains permanent (but can be removed by Support if added in error). All subsequent readings are counted as Current Readings, allowing you to track progress over time.
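The reading model described above (Impact taken as the highest of the three CIA scores, a five-point Likelihood scale, a permanent Original Reading followed by Current Readings, and an optional Target Reading that cannot be removed) is small enough to capture in code. The following is an added illustration, not ISMS.online's own code; the numeric mapping of the scale (Very Low = 1 to Very High = 5), the class and method names, and the sample risk are my assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Assumed numeric mapping of the five-point scale; the page only names the
# endpoints (Very Low .. Very High), so the numbers are an illustration.
SCALE = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}


@dataclass(frozen=True)
class Reading:
    """One reading of a risk: three CIA impact scores plus a likelihood score."""
    confidentiality: int
    integrity: int
    availability: int
    likelihood: int
    action: str = ""

    def __post_init__(self) -> None:
        # Every score must sit on the five-point scale.
        for name in ("confidentiality", "integrity", "availability", "likelihood"):
            value = getattr(self, name)
            if value not in SCALE.values():
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def impact(self) -> int:
        # The highest of the three CIA scores is recorded as the Impact score.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Risk:
    """A risk with its ordered readings and an optional target reading."""
    description: str
    owner: str
    readings: list[Reading] = field(default_factory=list)
    target: Optional[Reading] = None

    def add_reading(self, reading: Reading) -> None:
        # Readings are append-only: the first one becomes the Original Reading
        # and is never replaced by later readings.
        self.readings.append(reading)

    @property
    def original(self) -> Optional[Reading]:
        return self.readings[0] if self.readings else None

    @property
    def current(self) -> Optional[Reading]:
        # The most recent reading; equals the original until a second is added.
        return self.readings[-1] if self.readings else None

    def set_target(self, target: Reading) -> None:
        # Assumption: a target, once set, cannot be removed, so it is write-once here.
        if self.target is not None:
            raise ValueError("target reading cannot be removed once set")
        self.target = target

    def history(self) -> list[tuple[int, int]]:
        # (impact, likelihood) pairs in the order recorded, as the History graph plots them.
        return [(r.impact, r.likelihood) for r in self.readings]

    def target_met(self) -> bool:
        # Progress toward the target means both impact and likelihood are at or below it.
        if self.current is None or self.target is None:
            return False
        return (self.current.impact <= self.target.impact
                and self.current.likelihood <= self.target.likelihood)


def demo() -> Risk:
    """Constructed sample: one risk, two readings, one target (illustrative values)."""
    risk = Risk(description="Loss of an unencrypted laptop", owner="IT Manager")
    risk.add_reading(Reading(4, 2, 3, likelihood=4, action="Treat"))  # original
    risk.add_reading(Reading(2, 2, 3, likelihood=2, action="Treat"))  # current
    risk.set_target(Reading(2, 2, 2, likelihood=2))
    return risk


if __name__ == "__main__":
    r = demo()
    print("original impact:", r.original.impact, "current impact:", r.current.impact)
    print("history:", r.history(), "target met:", r.target_met())
```

Running the script shows the original reading keeping its impact of 4 while the current reading drops to 3 (availability is still the highest CIA score), and the target is not yet met because that impact is above the target's 2.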

Managing your Risk & Treatment Plan

After populating your plan, each risk is plotted on the map with a letter of the alphabet. Clicking a letter opens the risk details, with the treatment plan shown below.

You can also view all risks in the table and use toggle buttons to switch between Open and Closed risks.

Within each risk item, you can:

  • Add notes
  • Set tasks
  • Upload documents
  • Start discussions

The History graph shows changes to a risk’s impact and likelihood over time, helping you visualise progress toward your target.

Risk Banks

You can add risks from scratch or select from our Risk Bank, which contains generic risks ready to add to your map. These risks can be customised to suit your organisation, and proposed treatments can be adopted, adapted, or added to.

To use the Risk Bank:

  1. Click View Risk Bank in the top-right corner.

  2. Select a risk and click Add Risk to include it in your map. Added risks are highlighted in green.

Team access

All members of the ISO 27001 Policies & Controls Project have access to the Risk Register and Treatment Plan. To give more users access, simply add them to the project.

Settings

You can rename your Risk Register and Treatment Plan by clicking Settings (next to Team in the top-right corner), entering the new name, and clicking Save.

Creating a new Risk Register & Treatment Plan

  1. Open the desired work area and click the Tools tab.
  2. Select New Tool Usage and choose Risk Register and Treatment Plan from the dropdown.
  3. Associate the tool with the entire project or a specific Phase, Deliverable, or Activity, then click Create New Usage.
  4. Give the register a relevant name and click Save.

Note: If your organisation uses a different risk methodology than the default, our Support team can create a Custom Risk Map tailored to your needs.