Risk management is a common expectation of most governance and compliance systems, and I am a firm believer that it is the fundamental process in security management. If you understand the threats and vulnerabilities that could affect your business, you can be proactive in your defence rather than reacting after the fact.
A good example is the General Data Protection Regulation (GDPR) Data Protection Impact Assessment, which is a risk assessment by another name: a review of the risks that a planned data processing operation could pose to individuals' privacy.
So, officially, although some companies will not, the vast majority of companies need a risk register of some kind for compliance. I recommend you keep one regardless; how complex that register is remains up to you.
Risk registers can be kept at several levels. Most commonly there is a general organisational risk register, supplemented by independent registers for individual projects.
As part of documenting your risks, you also document your remediation activities and your long-term monitoring. Risks rarely stop being risks, so good monitoring validates that your controls are still working, and a record of how you remediated a risk last time gives you a proven approach to fall back on if it re-occurs.
Risk metrics are also good indicators of your overall security posture, provided you document every risk when you start the process, regardless of whether you believe it has already been mitigated. Most businesses share common risks, such as malware infection, and these form a good starting point for the register.
The biggest problem with not implementing a risk register and an overall risk management process is that it removes your ability to focus on your key vulnerabilities. I have witnessed numerous organisations spending significant sums on the wrong things on the strength of a vendor's sales pitch.
Along with your risk register, you will need a robust risk assessment process to ensure consistency in how you manage risk. Learn more from our other articles about risk: What is Risk Management? and What is the difference between a risk assessment and a Risk Register?
Need a risk register?
Download a simple, usable example here.