Page layout
The page is split into two panels:
Risk assessment form
A form for registering new risks. Select the asset, choose the compromised CIA pillars, set probability and impact, then define a treatment strategy with one or more Annex A controls.
Risk heat map
A 5×5 matrix plotting all registered risks by their residual probability and impact. Color zones indicate severity. Updates in real time as you fill the form.
Registering a risk
Open the Risk page
Navigate to Risk in the sidebar. The risk assessment form is on the left and the heat map on the right.
Select the asset
Choose the affected asset from the Activo Afectado dropdown. The list is populated from your Asset Inventory. If the asset does not exist yet, add it there first.
Select the compromised pillar(s)
Toggle one or more CIA pillars to indicate which security dimension the risk affects:
| Pillar | Description |
|---|---|
| C — Confidencialidad | The risk compromises data secrecy |
| I — Integridad | The risk compromises data accuracy or completeness |
| D — Disponibilidad | The risk compromises system or data availability |
At least one pillar must remain selected at all times. Multiple pillars can be active simultaneously (multi-pillar risk).
Score inherent risk
Set Probabilidad (1–5) and Impacto (1–5) for the risk before any controls are applied. Risks with an inherent score ≥ 5 are classified as Alto (Inaceptable) and require formal treatment.
Choose a treatment strategy
For risks with inherent score ≥ 5, treatment is mandatory. Select from four ISO 31000-aligned options:
| Treatment | Description |
|---|---|
| Mitigar | Apply Annex A controls to reduce likelihood and impact |
| Aceptar | Formally accept the risk with justification |
| Transferir | Shift risk to a third party (e.g. cyber insurance, outsourcing) |
| Evitar | Stop the activity that gives rise to the risk |
For Aceptar, Transferir, and Evitar, you must provide a written justification explaining the management decision.
Add Annex A mitigation controls (if Mitigar)
If the treatment is Mitigar, you must add at least one control from the Annex A library:
- Select a control from the Buscar un Control Anexo A dropdown.
- Set the Eficacia del Control (10–100%) using the slider.
- Click + Añadir Control to add it to the mitigation stack.
- Repeat to add multiple controls (defense-in-depth).
The form shows the resulting Residual Risk score in real time.
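The following is an added example, not the product's own code, showing how the registration rules above can be checked before an entry is saved, and how a residual score can be derived from a control stack. The page states that the combined efficacy of the selected controls determines the residual score but does not give the arithmetic, so the combination model (each control removes its efficacy share of whatever risk reaches it, then probability and impact are scaled and clamped to 1–5) is an assumption; the asset id, efficacy values and date in the sample entry are constructed.

```javascript
// Added example, not the product's own code. Validates a risk entry against the
// rules documented on this page and derives a residual score under an ASSUMED
// combination model for stacked controls.

const PILLARS = ['C', 'I', 'D'];
const TREATMENTS = ['Mitigar', 'Aceptar', 'Transferir', 'Evitar'];

// Inherent score: probability x impact, each 1-5, so 1-25.
function inherentScore(risk) {
  return risk.probability * risk.impact;
}

// ASSUMED model: the fraction of risk surviving a control stack is the product of
// (1 - efficacy) over the controls, so combined efficacy is 1 minus that product.
function combinedEfficacy(controls) {
  const surviving = controls.reduce((acc, c) => acc * (1 - c.efficacy / 100), 1);
  return 1 - surviving;
}

// Residual score: scale probability and impact by the surviving fraction, clamp to 1-5,
// then multiply. Without Mitigar controls nothing reduces the inherent score.
function residualRisk(risk) {
  if (risk.treatmentOption !== 'Mitigar' || !risk.controls || risk.controls.length === 0) {
    return inherentScore(risk);
  }
  const surviving = 1 - combinedEfficacy(risk.controls);
  const scale = (v) => Math.min(5, Math.max(1, Math.round(v * surviving)));
  return scale(risk.probability) * scale(risk.impact);
}

function isScore(v) {
  return Number.isInteger(v) && v >= 1 && v <= 5;
}

// Returns the list of rule violations; an empty list means the entry may be saved.
function validateRisk(risk) {
  const errors = [];
  if (!risk.assetId) errors.push('assetId required: pick the asset from the inventory');
  if (!Array.isArray(risk.pillars) || risk.pillars.length === 0) {
    errors.push('at least one CIA pillar must be selected');
  } else if (!risk.pillars.every((p) => PILLARS.includes(p))) {
    errors.push('pillars must be drawn from C, I, D');
  }
  if (!isScore(risk.probability)) errors.push('probability must be an integer 1-5');
  if (!isScore(risk.impact)) errors.push('impact must be an integer 1-5');
  if (errors.length) return errors; // the remaining rules need a valid score

  const inherent = inherentScore(risk);
  const t = risk.treatmentOption;
  if (inherent >= 5 && !t) errors.push(`inherent score ${inherent} >= 5: treatment is mandatory`);
  if (t && !TREATMENTS.includes(t)) errors.push(`unknown treatment ${t}`);
  if (['Aceptar', 'Transferir', 'Evitar'].includes(t) && !(risk.treatmentJustification || '').trim()) {
    errors.push(`${t} requires a written justification`);
  }
  if (t === 'Mitigar') {
    const controls = risk.controls || [];
    if (controls.length === 0) errors.push('Mitigar requires at least one Annex A control');
    for (const c of controls) {
      if (!c.id) errors.push('every control needs an Annex A id');
      if (typeof c.efficacy !== 'number' || c.efficacy < 10 || c.efficacy > 100) {
        errors.push(`control ${c.id}: efficacy must be 10-100`);
      }
    }
  } else if (risk.controls && risk.controls.length) {
    errors.push('controls are only stored for Mitigar');
  }
  return errors;
}

// Constructed sample entry in the shape of the risk data reference on this page.
const sampleRisk = {
  id: 'R001',
  assetId: 'AST-017', // constructed asset id
  pillars: ['C', 'I'],
  probability: 4,
  impact: 5,
  treatmentOption: 'Mitigar',
  treatmentJustification: '',
  controls: [
    { id: 'A.8.13', efficacy: 40 }, // efficacy values are constructed
    { id: 'A.8.7', efficacy: 30 },
  ],
  date: '2024-01-15', // constructed
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('violations:', validateRisk(sampleRisk));
  console.log('inherent:', inherentScore(sampleRisk), 'residual:', residualRisk(sampleRisk));
}
```

With the sample entry the inherent score is 20 (Alto, so treatment is mandatory) and, under the assumed model, two controls at 40% and 30% leave 42% of the risk, giving a residual of 2 × 2 = 4. Note that the residual never drops below 1 × 1, which is why a residual of 1 should be questioned rather than taken as "no risk".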
Risk heat map
The heat map plots every registered risk on a 5×5 grid with Probability on the y-axis and Impact on the x-axis. Risks are positioned using their residual likelihood and impact scores.
Color zones
| Score range | Color | Severity |
|---|---|---|
| 1–4 | Green | Low |
| 5–9 | Yellow | Medium |
| 10–14 | Orange | High |
| 15–25 | Red | Critical |
Risks positioned in the red zone (score ≥ 15) require immediate attention. Review the treatment strategy for any critical risk and consider whether the residual score can be reduced through additional controls.
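As an added example (not the product's own code), the block below classifies a score into the color zones of the table above, places risks on the 5×5 grid and lists those in the red zone. It assumes each risk carries its residual probability and impact as separate fields (the register as documented stores only the combined residualRisk score); the risk ids and positions in the sample are constructed.

```javascript
// Added example, not the product's own code. Zone thresholds follow the
// "Color zones" table on this page; the residualProbability / residualImpact
// fields on each risk are an assumption made for positioning.

const ZONES = [
  { max: 4, color: 'Green', severity: 'Low' },
  { max: 9, color: 'Yellow', severity: 'Medium' },
  { max: 14, color: 'Orange', severity: 'High' },
  { max: 25, color: 'Red', severity: 'Critical' },
];

// Map a 1-25 score to its zone; scores outside the grid are rejected.
function zoneFor(score) {
  if (!Number.isInteger(score) || score < 1 || score > 25) {
    throw new RangeError(`score out of range: ${score}`);
  }
  return ZONES.find((z) => score <= z.max);
}

// Ids of risks sitting in the red zone (residual score >= 15).
function criticalRisks(risks) {
  return risks
    .filter((r) => r.residualProbability * r.residualImpact >= 15)
    .map((r) => r.id);
}

// Build the grid: rows are probability 5..1 (top to bottom), columns impact 1..5.
// Each cell records its score, its zone and the ids of risks positioned there.
function buildHeatMap(risks) {
  const cells = {};
  for (const r of risks) {
    const key = `${r.residualProbability},${r.residualImpact}`;
    (cells[key] = cells[key] || []).push(r.id);
  }
  const rows = [];
  for (let p = 5; p >= 1; p--) {
    const row = [];
    for (let i = 1; i <= 5; i++) {
      const score = p * i;
      row.push({
        probability: p,
        impact: i,
        score,
        zone: zoneFor(score).severity,
        ids: cells[`${p},${i}`] || [],
      });
    }
    rows.push(row);
  }
  return rows;
}

// Text rendering: one header line plus one line per probability row.
// Each cell shows the zone initial, the cell score and any risk ids.
function renderHeatMap(risks) {
  const header = 'P\\I   ' + [1, 2, 3, 4, 5].map((i) => String(i).padEnd(14)).join('');
  const lines = [header];
  for (const row of buildHeatMap(risks)) {
    const cellsText = row.map((c) =>
      `${c.zone[0]}${String(c.score).padStart(2)} ${c.ids.join(',')}`.padEnd(14));
    lines.push(`${row[0].probability}     ${cellsText.join('')}`);
  }
  return lines.join('\n');
}

// Constructed sample positions (residual probability, residual impact).
const sampleRisks = [
  { id: 'R001', residualProbability: 2, residualImpact: 2 }, // score 4, Low
  { id: 'R002', residualProbability: 5, residualImpact: 4 }, // score 20, Critical
  { id: 'R003', residualProbability: 1, residualImpact: 5 }, // score 5, Medium
  { id: 'R004', residualProbability: 3, residualImpact: 5 }, // score 15, Critical
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderHeatMap(sampleRisks));
  console.log('critical:', criticalRisks(sampleRisks));
}
```

R003 illustrates a point worth checking when reviewing the map: a risk at maximum impact but minimum probability scores 5 and lands in the yellow zone, so a low residual likelihood alone can move a high-impact risk out of the red even though the consequence is unchanged.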
Risk data reference
Each risk entry stored in the register contains the following fields:
| Field | Type | Description |
|---|---|---|
| id | string | Auto-generated identifier (e.g. R001) |
| assetId | string | Linked asset identifier |
| pillars | string[] | Compromised CIA pillars, e.g. ['C', 'I'] |
| probability | 1–5 | Inherent probability score |
| impact | 1–5 | Inherent impact score (auto-set from asset CIA) |
| treatmentOption | enum | Mitigar \| Aceptar \| Transferir \| Evitar |
| treatmentJustification | string | Required justification for non-Mitigar treatments |
| controls | {id, efficacy}[] \| null | Applied Annex A controls with efficacy % (Mitigar only) |
| residualRisk | 1–25 | Residual score after applying controls |
| date | ISO date | Date the risk was registered |
The controls field stores an array of objects (one per Annex A control) rather than a single text description. Each entry has an id (Annex A control ID, e.g. A.8.13) and an efficacy value (10–100).
Clause 6 integration
The risk assessment form and heat map are also embedded directly inside Clause 6 of the Clauses 4–10 module. Any risks you add from either location are shared: the register is the same data source regardless of where you enter risks.
Frequently asked questions
Can I edit or delete a risk after saving it?
Yes. Click any risk entry in the register table to open its edit form. To delete a risk, use the delete action on the risk row. Note that deleting an asset also removes all risks associated with that asset.
What does a residual risk score of 1 mean?
A residual risk score of 1 means both residual likelihood and residual impact are set to 1, the minimum values. This indicates the risk is considered negligible after treatment. Verify that the stated control actually achieves this level of reduction before accepting the score.
How do I link a risk to an Annex A control?
When treatment is Mitigar, select controls directly from the Annex A dropdown in the risk form. Each selected control is stored by its Annex A ID (e.g. A.8.13) with its assigned efficacy percentage. The combined efficacy of all selected controls determines the residual risk score.
Is there a limit to the number of risks I can register?
No hard limit is enforced. However, localStorage has a browser-imposed storage cap (typically 5–10 MB). For most organisations, this limit is well above what a realistic risk register requires.