Add each risk by asset, threat, likelihood, and impact. We compute the rating on a standard 5×5 matrix, sort by severity, and build a register you can copy straight into your docs. Everything stays in your browser.
Rating = likelihood × impact (1–25). Bands: , the standard qualitative approach in ISO 27005 / NIST-style assessments.
| # | Asset | Threat / Risk | Likelihood | Impact | Score | Rating | |
|---|---|---|---|---|---|---|---|
| No risks yet. Add your first risk above to start building the register. | |||||||
Not ready for a call yet?
A few short notes from Jacob on turning a risk register into an actual security program. No fluff, unsubscribe in one click. Reply anytime; it reaches him directly.
From Jacob Masse, founder of traztech. No spam, unsubscribe in one click.
Want it done for you?
Fractional security leadership
A retained security leader to own your risk register, controls, and treatment plan end to end.
Explore Fractional security leadership →A register lists risks. A fractional security leader owns them, assigns treatment, and closes them, mapped to SOC 2 or ISO 27001. Led by a published CVE researcher.
Explore fractional security leadershipEach risk is scored on a standard 5x5 matrix: likelihood (1 to 5) multiplied by impact (1 to 5) gives a score from 1 to 25. Scores map to bands: 1 to 4 Low, 5 to 9 Medium, 10 to 15 High, and 16 to 25 Critical. This is the common qualitative approach used in ISO 27005 and NIST-style risk assessments.
No. The register is built entirely in your browser. Nothing you type is sent to a server or stored by this tool. Use the copy button to save your register into your own documents.
It is a starting structure, not a complete assessment. A real risk assessment also considers existing controls, residual risk, risk ownership, and treatment decisions, and validates likelihood and impact against your actual environment. This tool gives you a clean, prioritized register to build from.
Yes, the risk register builder is free with no signup required. Add as many risks as you like and copy the result into your own compliance or security documentation.