How to work with risks

Table of Contents

Overview #

Where to find it in ISOPlanner:

Risks are important to acknowledge and register in some ISO standards like ISO 27001.

If they are not relevant for your ISO standards, you may disable the menu option altogether [Learn more].

Risks are the possibility of future events which may have negative effects on the goals your organization has on the topic of the ISO standards you are implementing.

For instructions on how to manage the list of risks, including on how to search, filter and report, see list actions.


For each risk, you have the following properties:

  • Code
  • Owner
  • Group
  • State
  • Tags


The state can be any of:

  • New
  • Analysis
  • In progress
  • Review
  • Accepted
  • Rejected


Apart from these properties, there are also the following:


A text field where the type of assets the risks relates to can be described.

[Business] Apart from the text field describing the asset type, it’s also possible to link to risk to one or more assets as entered into the Asset module.


The description of the risk event that may occur.

Risk analysis

The risk analysis consists of scores, classifications and the description of the consequence of the risk.

Scores are given on the aspects of Change and Impact.

Those two are multiplied to give a total score for the risk.

There are three columns for scoring the risk:

  • Initial: the change and impact if no measures were taken,
  • Current: the score that will be updated with each risk evaluation,
  • Goal: the maximum score you are willing to accept for this risk.


By default, the range for both change and impact are on a 1 to 3 scale. This scale can be changed in the settings – risks.

Where to find it in ISOPlanner:

There are two ways to change a score;

  1. Directly change either the Chance or the Impact value;
  2. Click on the column header to open a popup, where a cell in a matrix can be selected. Each cell is a combination of a certain chance and impact value.


This popup also shows contextual information for the chosen score:

  • Priority
  • Treatment term
  • Financial impact


This information can be changed in the risks settings.

Where to find it in ISOPlanner:

The popup also shows other risks with a similar score as the currently chosen score.

Classifications are checkboxes that indicate whether the risk is classified as such.

Examples of classifications are: Confidentiality, Integrity, Availability, Quality.

[Business] In the Assets module, tab Classifications, you may change the classification groups.

Consequence is a text field where you can describe the consequence (impact) if the threat occurs.

Risk treatment strategy

For the risk treatment strategy, select between the options:

Mitigate: implement controls to reduce the risk score.

Avoid: stop using the related assets in a way that exposes them to the treat.

Transfer: for example, take out an insurance to transfer the risk to another party.

Accept: accept the risk without taking additional action.

A text field is available for describing the risk treatment strategy in more detail. You may refer to linked documents with a ‘badge’ [read more] and to a selection of controls which may be chosen in the ‘Related information’ panel.

Related information

The pane which can be opened on the left contains more information related to the risk. Specifically for risks, there is a tab called ‘Controls’. Add an existing control to the risk by typing in the search box and clicking one of the found suggested items to link the control to the risk.

Click the ‘Add new control’ button if you want to create a brand-new control instead of selecting an existing control from the list.

The meaning of this relationship is that the set of selected controls will mitigate the risk, when they are implemented.

If you are working with an ISO standard that includes the identification of risks but doesn’t contain a set of controls, then you have two options:

  1. Create your own controls and link them to the appropriate risks as described.
  2. Don’t use controls and instead use the ‘Risk treatment strategy’ text field with each risk to describe how the risk will be treated.


In this case you may disable the ‘Controls’ menu option altogether in settings – modules. Read more about related information.


The ‘Analysis’ button allows you to manage analysis tasks related to this risk.

  • Open current analysis task


If an analysis task is already created for this risk, then open it.

  • Create new analysis task


Create a new task for risk analysis.

Use this type of task when you want someone, for example the risk owner, the analyze the risk.

The risk analysis task will also appear in the ‘Risk tasks’ tab [read more].


The ‘View’ button allows you to change the view on your risk.

  • Sections expanded


Shows all information for the risk by default, where sections can be collapsed.

  • Sections collapsed


Shows a collapsed summary of the risk by default, where sections can be expanded.

Risk tasks

When a risk is opened, by default it shows a ‘Details’ tab. There is also a ‘Risk tasks’ tab where you can see tasks related to the risk and create new tasks for it.

If you work with controls for mitigating risks then don’t create tasks for implementing controls or measures in the ‘Risk tasks’ tab. Instead, navigate to the related controls and create implementation tasks there. Use the ‘Risk tasks’ tab to create tasks for management of the risk – for example, for analysis or review of the risk.

If you don’t work with controls for mitigating risks, then the ‘Risk tasks’ tab is the appropriate place to create tasks for implementing measures that will mitigate the risk.

Control tasks

When a risk is opened, by default it shows a ‘Details’ tab. There is also a ‘Control tasks’ tab where you can see controls related to the risk and the status of tasks created for each of those controls.

For each control, the number of completed tasks and total number of tasks is shown. Each control box can be expanded and then also shows details of each open task related to that control.

For example, of a control shows “Tasks: 7/11” this means that out of the total of 11 tasks, 7 are completed. When expanded the control shows the 4 remaining open tasks.

Board #

The overview of risks has a tab called ‘Board. This will show you lanes for each possible risk state filled with the risks that are in that state. You can drag and drop risks to another lane to change its state.

Analytics #

The overview of risks has a tab called ‘Analytics’. This will show you three matrices, called ‘Start’, ‘Current’ and ‘Goal’.

Each cell in each matrix shows the number of risks that have that specific combination of chance and impact.

For example, in the ‘Current’ matrix, if the cell which corresponds to a chance of 1 and an impact of 2 has the number 8 in it, that means that there are 8 risks where the current chance is set to 1 and the current impact is set to 2.

Click a cell to see a list of all those risks.