What is a risk register, and how is it used within ISSAP projects?


Multiple Choice


Explanation:
A risk register is a structured tool used to capture and manage security-related risks within a project. It records identified risks, the owner responsible for each risk, estimated impact, likelihood, and planned mitigations or controls. It’s used to track risk status over time, prioritize actions, allocate resources, and inform decision-making about which controls to implement and how to respond to evolving threats. This keeps security risks visible to stakeholders and supports evidence-based risk treatment and monitoring of residual risk. The other options miss the core purpose: logging incidents to assign blame isn’t risk management, a vendor rating sheet serves procurement decisions, and restricting focus to financial risks ignores many security threats that matter in ISSAP projects.

