Information Security Risk Register

Updated 27.01.2026

A document forming part of the Immercial IMS.

Contact us

10. Information Security Risk Register

Document Name: Information Security Risk Register
Version: 1.0
Approved by: Directors, Immercial Limited
Review Frequency: Annual or upon material change

10.1 Purpose

The Information Security Risk Register records identified information security risks and the controls applied to manage those risks in line with ISO 27001 principles.

The register supports a risk-based, proportionate approach appropriate to a specialist micro-company consultancy.

10.2 Risk Management Approach

Immercial identifies and manages information security risks by:

  • Identifying information assets (refer to the Information Asset Register)

  • Considering credible threats and vulnerabilities

  • Assessing likelihood and impact

  • Applying proportionate controls to reduce risk to acceptable levels

Risk assessment is pragmatic and focused on real operational risks rather than theoretical scenarios.

10.3 Risk Categories

Risks may relate to, but are not limited to:

  • Unauthorised access to information

  • Loss or corruption of data

  • Device loss or compromise

  • Cloud service availability

  • Human error

  • Supplier or third-party failure

  • Intellectual property misuse

10.4 Risk Register Structure (Record Format)

The Information Security Risk Register is maintained as a spreadsheet and includes, as a minimum:

  • Risk ID

  • Information asset reference

  • Risk description

  • Threat / vulnerability

  • Likelihood (low / medium / high)

  • Impact (low / medium / high)

  • Existing controls

  • Residual risk rating

  • Additional actions (if required)

  • Risk owner

  • Review date

10.5 Risk Treatment

  • Risks are treated through the application of appropriate controls, including technical, organisational, or procedural measures.

  • Where risks are considered acceptable, they are formally accepted and recorded.

  • Actions are prioritised based on risk severity and business impact.

10.6 Responsibility

Senior management is responsible for:

  • Approving the risk assessment methodology

  • Reviewing key risks

  • Ensuring appropriate controls are implemented

  • Accepting residual risks where justified

10.7 Review & Maintenance

  • The risk register is reviewed at least annually.

  • Risks are reassessed following significant changes to systems, services, suppliers, or operating environment.

  • New risks are added as they are identified.

10.8 Records & Evidence

The completed Information Security Risk Register constitutes the primary evidence of information security risk management within the Integrated Management System.

Immercial Limited