Risk assessment approach

Threat - Vulnerabilities (mapping)
Vulnerabilities - Threat (Mapping)
I've seen both types of Risk Register

Answer: Both approaches are good, but personally speaking, I like to use the Vulnerability-Threat approach. Generally it is more easier to identify and take action over vulnerabilities (that are linked to the assets you own or have control over) than identify and handle threats, that are mostly linked to a factor you have little or no control over at all, so the approach of mapping first vulnerabilities and then possible threats that can be associate do them is more efficient.

These articles will provide you further explanation about Risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/
- ISO 27001 risk assessment: How to match as sets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

These materials will also help you regarding Risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/