A risk register is a centralised document or system that records all identified risks, along with key attributes such as the risk owner, likelihood, impact, current controls, residual risk level and treatment status. It serves as the single source of truth for an organisation's risk landscape and is a mandatory artefact in frameworks like ISO 27001.
Maintaining an up-to-date risk register enables management to prioritise resources effectively and provides auditors with clear evidence of ongoing risk governance. Regular reviews, typically quarterly or after significant changes, ensure that new risks are captured promptly and that existing risk assessments reflect current conditions.