Risk Register

Total risks: 27
High residual risk: 7
Avg residual score: 11
Open (unmitigated): 27
Risk heat map — Residual scores (rows: likelihood, columns: impact; each cell is the number of risks with that likelihood/impact pair)

| Likelihood ↓ / Impact → | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 | | | 1 | | |
| 4 | | | 2 | 3 | 1 |
| 3 | | | 7 | 3 | 2 |
| 2 | | | 3 | 4 | 1 |
| 1 | | | | | |
Access Control (3 risks, 3 HIGH, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Weak or Shared Passwords | 16 (L4×I4) | Accept | 16 (L4×I4) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Excessive Privilege | 15 (L3×I5) | Accept | 15 (L3×I5) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Multi-Factor Authentication Not Enforced | 16 (L4×I4) | Accept | 16 (L4×I4) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
Malware & Ransomware (3 risks, 1 HIGH, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Ransomware Attack | 20 (L4×I5) | Accept | 20 (L4×I5) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Malware via Email or Malicious Link | 12 (L4×I3) | Accept | 12 (L4×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Supply Chain Software Compromise | 10 (L2×I5) | Accept | 10 (L2×I5) | Open | — | — | IASME Cyber Assurance |
Patching & Updates (2 risks, 1 HIGH, 2 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Unpatched Operating Systems | 16 (L4×I4) | Accept | 16 (L4×I4) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Unpatched Third-Party Applications | 12 (L4×I3) | Accept | 12 (L4×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
Network Security (3 risks, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Insecure Remote Access | 12 (L3×I4) | Accept | 12 (L3×I4) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Misconfigured Firewall or Network Boundary | 8 (L2×I4) | Accept | 8 (L2×I4) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Insecure Wireless Networks | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
Data & Privacy (3 risks, 1 HIGH, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Data Breach or Exfiltration | 15 (L3×I5) | Accept | 15 (L3×I5) | Open | — | — | IASME Cyber Assurance, GDPR / UK DPA |
| GDPR / Data Protection Non-Compliance | 8 (L2×I4) | Accept | 8 (L2×I4) | Open | — | — | IASME Cyber Assurance, GDPR / UK DPA |
| Accidental Internal Data Disclosure | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | IASME Cyber Assurance, GDPR / UK DPA |
Physical Security (3 risks, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Unauthorised Physical Access to IT Systems | 6 (L2×I3) | Accept | 6 (L2×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Loss or Theft of Device | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Insecure Disposal of Hardware or Media | 6 (L2×I3) | Accept | 6 (L2×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
Third Party (3 risks, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Third-Party Supplier Security Breach | 12 (L3×I4) | Accept | 12 (L3×I4) | Open | — | — | IASME Cyber Assurance |
| Insecure Third-Party Integration or API | 6 (L2×I3) | Accept | 6 (L2×I3) | Open | — | — | IASME Cyber Assurance |
| Inadequate Supplier Security Contractual Controls | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | IASME Cyber Assurance |
People & Awareness (4 risks, 1 HIGH, 4 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Phishing and Social Engineering | 15 (L5×I3) | Accept | 15 (L5×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Insider Threat | 8 (L2×I4) | Accept | 8 (L2×I4) | Open | — | — | IASME Cyber Assurance |
| Inadequate Security Awareness Training | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
| Unmanaged Personal Devices (BYOD) | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | Cyber Essentials, IASME Cyber Assurance |
Business Continuity (3 risks, 3 open)

| Risk | Inherent | Treatment | Residual | Status | Owner | Last reviewed | Framework |
|---|---|---|---|---|---|---|---|
| Inadequate Backup and Recovery | 12 (L3×I4) | Accept | 12 (L3×I4) | Open | — | — | IASME Cyber Assurance |
| No Tested Disaster Recovery Plan | 8 (L2×I4) | Accept | 8 (L2×I4) | Open | — | — | IASME Cyber Assurance |
| Absence of Incident Response Plan | 9 (L3×I3) | Accept | 9 (L3×I3) | Open | — | — | IASME Cyber Assurance |