We have received this question:
"I'm preparing the risk register. Let's take the asset as "firewall",
the threat as hackers, and there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.).
But I have seen risk registers with one threat and they write only one vulnerability.
Please provide your inputs regarding this query."
Risks are better expressed in terms of scenarios: « this happens to that element under these circumstances and causes this level of damage ».
Each asset can have several threats, and each threat can in turn exploit several vulnerabilities. For a comprehensive risk register we therefore recommend one line per vulnerability, with the lines grouped by threat (one group of vulnerabilities per threat).
If a register shows only one threat or one vulnerability per asset, it is probably because the risk manager, after analysis, kept only the worst case.
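To make the recommended layout concrete, here is an added example (not code from the original page) that models an asset with its threats and vulnerabilities, renders each line as a scenario, and shows the two register shapes side by side: one line per vulnerability grouped per threat, and the worst-case reduction that keeps only the highest-rated vulnerability per threat while recording what was dropped, so the reduction can still be explained. The likelihood/impact scales, the ratings and the scenario wording are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales for likelihood and impact (constructed for this example;
# a real register would use the organisation's own scale).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vulnerability:
    name: str
    likelihood: str   # how likely the threat is to exploit this weakness
    impact: str       # severity of the damage if it does
    damage: str       # the consequence, in plain words, for the scenario text

    def risk(self) -> int:
        """Risk rating = likelihood x impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


@dataclass
class Threat:
    name: str
    vulnerabilities: List[Vulnerability]


@dataclass
class Asset:
    name: str
    threats: List[Threat]


def scenario(asset: Asset, threat: Threat, vuln: Vulnerability) -> str:
    """Render one register line as a scenario: this happens to that element
    under these circumstances and causes this level of damage."""
    return (f"{threat.name} exploit '{vuln.name}' on {asset.name} "
            f"({vuln.likelihood} likelihood), causing {vuln.damage} "
            f"({vuln.impact} impact, risk {vuln.risk()})")


def full_register(assets: List[Asset]) -> List[Dict[str, object]]:
    """One line per vulnerability, grouped by asset and then by threat,
    highest risk first inside each threat group."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            ordered = sorted(threat.vulnerabilities, key=lambda v: v.risk(), reverse=True)
            for vuln in ordered:
                rows.append({
                    "asset": asset.name,
                    "threat": threat.name,
                    "vulnerability": vuln.name,
                    "risk": vuln.risk(),
                    "scenario": scenario(asset, threat, vuln),
                })
    return rows


def worst_case_register(assets: List[Asset]) -> List[Dict[str, object]]:
    """One line per threat: keep only the highest-risk vulnerability, but record
    the ones that were dropped so the reduction can be explained to an auditor."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            if not threat.vulnerabilities:
                continue
            worst = max(threat.vulnerabilities, key=lambda v: v.risk())
            rows.append({
                "asset": asset.name,
                "threat": threat.name,
                "vulnerability": worst.name,
                "risk": worst.risk(),
                "scenario": scenario(asset, threat, worst),
                "superseded": [v.name for v in threat.vulnerabilities if v is not worst],
            })
    return rows


# Constructed sample register: the firewall/hackers case from the question,
# with likelihood and impact ratings invented for illustration.
REGISTER = [
    Asset("firewall", [
        Threat("Hackers", [
            Vulnerability("Improper access rights", "high", "high",
                          "unauthorised changes to the rule base"),
            Vulnerability("Misconfiguration", "medium", "high",
                          "exposure of internal services"),
            Vulnerability("Lack of rule base audit", "medium", "medium",
                          "stale rules that are never noticed"),
        ]),
    ]),
]

if __name__ == "__main__":
    print("Full register (one line per vulnerability):")
    for row in full_register(REGISTER):
        print("  ", row["scenario"])
    print("Worst-case register (one line per threat):")
    for row in worst_case_register(REGISTER):
        print("  ", row["scenario"], "| superseded:", ", ".join(row["superseded"]))
```

The `superseded` column is the piece a reduced register usually lacks: it is the evidence that the other vulnerabilities were considered and ranked, not forgotten, which is exactly what you will have to explain when the register is reviewed.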
An auditor should accept whatever you included in your risk register, but you will have to explain what you did to arrive at it and how you did it. It is your security that counts, not the way the auditor thinks it should be done.
Note: the Asset-Threat-Vulnerability method is only one possible approach to risk analysis.