I have implemented an ISMS and have a risk register with all the risks (High, Medium and Low). It's been a year now that I have not updated the risk register, and there are also new risks to be added.
My question is how should I update and add/remove risks in the register?
1) Should I update the sheet with the revision number?
2) Should I remove the risks which are already mitigated and are in the residual risk category?
3) Should I keep on adding new risks and keep all the old risks intact?
My concern is, since risk assessment is in a PDCA cycle and new risks will emerge every day, how should I maintain my risk register?
Here are the answers:
1) ISO 27001 does not prescribe how to version your risk register - therefore, you can use a new version number and/or you can simply use a date to define the latest version.
2) You should keep all your risks in the risk register, even though they are mitigated - of course, this means that the risk level for such risks will be lower.
3) You should definitely add new risks; you should retain “old” risks if they still exist; however, you need to assess their likelihood and impact again.
4) You should update your risk register at least once a year, but also more often if there is some big change - e.g. new product, new technology, new process, change in the environment, etc.
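As an added illustration of the practice described in this answer (this is example code, not from the original thread or from any ISO 27001 document), the register below keeps every risk across dated revisions, records mitigated risks with their lower residual level instead of deleting them, re-scores retained risks at each review, and flags risks whose last assessment is older than the review period. The scoring scheme (likelihood and impact on a 1 to 5 scale, risk = product, with Low/Medium/High bands) and the annual review window are assumptions chosen for the example; ISO 27001 prescribes neither.

```python
"""Versioned ISMS risk register: a constructed example, not a prescribed format."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional, Tuple


def level(likelihood: int, impact: int) -> str:
    """Assumed scheme: 1..5 scales, score = likelihood * impact, three bands."""
    score = likelihood * impact
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int                          # inherent likelihood, 1..5
    impact: int                              # inherent impact, 1..5
    controls: Tuple[str, ...] = ()           # controls applied so far (names only)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None
    last_assessed: Optional[date] = None

    @property
    def inherent_level(self) -> str:
        return level(self.likelihood, self.impact)

    @property
    def residual_level(self) -> str:
        # Until a control is applied, residual risk equals inherent risk.
        if self.residual_likelihood is None or self.residual_impact is None:
            return self.inherent_level
        return level(self.residual_likelihood, self.residual_impact)


@dataclass
class Revision:
    number: int           # sequential version number
    issued: date          # date of this version (either identifier is acceptable)
    risks: Dict[str, Risk]


class RiskRegister:
    def __init__(self) -> None:
        self._working: Dict[str, Risk] = {}
        self.revisions: List[Revision] = []

    def add(self, risk: Risk) -> None:
        # New risks are added; an existing one must be reassessed, not re-added.
        if risk.risk_id in self._working:
            raise ValueError(f"{risk.risk_id} already registered; reassess it instead")
        self._working[risk.risk_id] = risk

    def mitigate(self, risk_id: str, control: str, residual_likelihood: int,
                 residual_impact: int, when: date) -> Risk:
        # A mitigated risk stays in the register; only its residual level drops.
        r = self._working[risk_id]
        r = replace(r, controls=r.controls + (control,),
                    residual_likelihood=residual_likelihood,
                    residual_impact=residual_impact, last_assessed=when)
        self._working[risk_id] = r
        return r

    def reassess(self, risk_id: str, likelihood: int, impact: int, when: date) -> Risk:
        # Retained "old" risks get a fresh likelihood and impact at each review.
        r = replace(self._working[risk_id], likelihood=likelihood,
                    impact=impact, last_assessed=when)
        self._working[risk_id] = r
        return r

    def commit(self, issued: date) -> Revision:
        # Freeze the working set as a numbered, dated version of the register.
        rev = Revision(len(self.revisions) + 1, issued, dict(self._working))
        self.revisions.append(rev)
        return rev

    def overdue(self, today: date, max_age_days: int = 365) -> List[str]:
        # Risks not assessed within the review period (annual by default).
        return sorted(rid for rid, r in self._working.items()
                      if r.last_assessed is None
                      or (today - r.last_assessed).days > max_age_days)


def build_example_register() -> RiskRegister:
    """Two review cycles over constructed sample risks (not real data)."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "Laptop theft exposing customer data", 4, 4,
                 last_assessed=date(2023, 1, 10)))
    reg.add(Risk("R-002", "Phishing leads to credential compromise", 5, 3,
                 last_assessed=date(2023, 1, 10)))
    reg.commit(date(2023, 1, 10))                                   # revision 1
    reg.mitigate("R-001", "Full-disk encryption", 4, 1, date(2024, 1, 15))
    reg.reassess("R-002", 5, 4, date(2024, 1, 15))                  # impact rose
    reg.add(Risk("R-003", "New SaaS vendor without a data processing agreement",
                 3, 3, last_assessed=date(2024, 1, 15)))
    reg.commit(date(2024, 1, 15))                                   # revision 2
    return reg


if __name__ == "__main__":
    register = build_example_register()
    for rev in register.revisions:
        print(f"Revision {rev.number} ({rev.issued}):")
        for r in rev.risks.values():
            print(f"  {r.risk_id} inherent={r.inherent_level} residual={r.residual_level}")
```

Revision 1 lists R-001 as High; revision 2 still lists it, now with residual level Low and the applied control recorded, so the history shows why the level changed rather than the risk silently vanishing. The `overdue` check is what turns "at least once a year" into something a review meeting can act on.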