This project demonstrates the practical application of ISO/IEC 27001:2022 principles through the creation of a comprehensive Information Security Risk Register.
The goal of this project is to showcase an understanding of:
- Governance, Risk, and Compliance (GRC) fundamentals
- ISO 27001 risk assessment and treatment methodology
- Mapping risks to Annex A controls across organizational, people, physical, and technological domains
The Risk Register is designed around a small education / tutoring service scenario, chosen to reflect a realistic, resource-constrained organization.
👉 The completed Risk Register file can be downloaded via my cybersecurity blog, Happy Bytes
- Identify information security risks across key assets and processes
- Assess risks using a qualitative Likelihood × Impact model
- Map risks to appropriate ISO 27001:2022 Annex A controls
- Demonstrate risk treatment by estimating residual risk
- Produce an audit-ready, portfolio-ready artifact
Key assets and processes were identified across five areas:
- Information & data (e.g. student records)
- IT systems & hardware
- Cloud services & applications
- People & human processes
- Physical and environmental assets
Each risk was described using:
Threat + Vulnerability + Business Impact
Risks were evaluated using a qualitative scale:
| Factor | Scale |
|---|---|
| Likelihood | 1 (Very Low) → 5 (Very High) |
| Impact | 1 (Minor) → 5 (Critical) |
| Inherent Risk | Likelihood × Impact |
Each risk was mapped to one or more ISO/IEC 27001:2022 Annex A controls, covering all four control domains:
- Organizational (A.5)
- People (A.6)
- Physical (A.7)
- Technological (A.8)
Residual likelihood and impact were estimated after applying controls.
| Asset / Process | Threat | Annex A Control |
|---|---|---|
| Student records | Data breach / theft | A.8.11 – Data encryption |
| PC / Laptop | Malware introduction | A.8.10 – Use of removable media |
| Printed documents | Unauthorized disclosure | A.7.3 – Securing offices |
| Wi-Fi network | Eavesdropping | A.8.9 – Configuration management |
| Old devices | Data recovery after disposal | A.7.12 – Secure disposal |
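The following is an added example, not a file from this project, that models the register methodology above in Python: a `Risk` record carrying Threat + Vulnerability + Business Impact, 1–5 likelihood and impact scores, inherent risk as Likelihood × Impact, mapped Annex A controls, and a residual estimate after treatment. It checks that scores stay on the scale, that residual risk never exceeds inherent risk, and which of the four Annex A domains (A.5–A.8) the mapped controls leave untouched. The control ids are the ones given in the summary table; the vulnerability text, the scores, the residual estimates and the High/Medium/Low rating bands are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Qualitative 1..5 scale from the register: likelihood 1 (Very Low) to 5 (Very High),
# impact 1 (Minor) to 5 (Critical).
SCALE = range(1, 6)

# The four Annex A control domains named on the page.
DOMAINS = {"A.5": "Organizational", "A.6": "People", "A.7": "Physical", "A.8": "Technological"}

_CONTROL_ID = re.compile(r"^A\.([5-8])\.\d+")


def control_domain(control):
    """Return the Annex A domain prefix ('A.5'..'A.8') of a control string such as
    'A.8.11 – Data encryption', or None if it does not start with an Annex A id."""
    m = _CONTROL_ID.match(control.strip())
    return f"A.{m.group(1)}" if m else None


def rating(score):
    """Assumed rating bands for a 1..25 Likelihood x Impact score (the page defines
    the scale but not the bands): High >= 15, Medium >= 8, otherwise Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    business_impact: str
    likelihood: int
    impact: int
    controls: list
    residual_likelihood: int
    residual_impact: int

    def __post_init__(self):
        # All four scores must sit on the 1..5 scale.
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be between 1 and 5")
        # Every mapped control must be a recognisable Annex A control id.
        for c in self.controls:
            if control_domain(c) is None:
                raise ValueError(f"not an Annex A control: {c!r}")
        # Treatment reduces risk; a residual score above the inherent one is a data-entry error.
        if self.residual > self.inherent:
            raise ValueError(f"residual risk exceeds inherent risk for {self.asset!r}")

    @property
    def inherent(self):
        return self.likelihood * self.impact

    @property
    def residual(self):
        return self.residual_likelihood * self.residual_impact


def prioritise(register):
    """Risks ordered by inherent score, highest first, i.e. the treatment order."""
    return sorted(register, key=lambda r: r.inherent, reverse=True)


def missing_domains(register):
    """Annex A domains that no control in the register touches."""
    covered = {control_domain(c) for r in register for c in r.controls}
    return set(DOMAINS) - covered


def summary(register):
    """One row per risk: (asset, inherent, inherent rating, residual, residual rating)."""
    return [(r.asset, r.inherent, rating(r.inherent), r.residual, rating(r.residual))
            for r in prioritise(register)]


# Constructed sample register built from the five rows of the summary table.
# Vulnerabilities, business impacts, scores and residual estimates are assumed;
# the control ids are the ones the table gives.
REGISTER = [
    Risk("Student records", "Data breach / theft", "records on an unencrypted laptop disk",
         "regulatory and reputational harm", 4, 5, ["A.8.11 – Data encryption"], 2, 4),
    Risk("PC / Laptop", "Malware introduction", "USB sticks exchanged with students",
         "loss of teaching materials and records", 3, 4, ["A.8.10 – Use of removable media"], 2, 3),
    Risk("Printed documents", "Unauthorized disclosure", "papers left on an unattended desk",
         "exposure of student details", 3, 3, ["A.7.3 – Securing offices"], 1, 3),
    Risk("Wi-Fi network", "Eavesdropping", "router left on default settings",
         "interception of lesson and account traffic", 3, 4, ["A.8.9 – Configuration management"], 1, 4),
    Risk("Old devices", "Data recovery after disposal", "devices discarded without wiping",
         "historic student records recovered by a third party", 2, 5, ["A.7.12 – Secure disposal"], 1, 2),
]

if __name__ == "__main__":
    for row in summary(REGISTER):
        print(row)
    print("Annex A domains with no mapped control:", sorted(missing_domains(REGISTER)))
```

Run on the five summary rows, `missing_domains` reports A.5 and A.6: the table's sample controls are all physical or technological, so a register that relied on these rows alone would not show the organizational and people coverage the full workbook is described as having. The same check, applied to the complete register, is a quick way to confirm the "all four control domains" claim before an audit.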
The file can be viewed here on GitHub per below:
- Risk management is not purely technical — people, process, and physical controls matter
- ISO 27001 emphasizes traceability: risks → controls → treatment → improvement
- Even small organizations benefit from structured risk assessment
- This project reflects real-world GRC activities such as documentation, prioritization, and control justification
- ISO/IEC 27001:2022
- ISO/IEC 27005 (risk management guidance)
- Microsoft Excel
- Add a Statement of Applicability (SoA)
- Introduce risk acceptance criteria
- Expand into an internal audit checklist
- Integrate with a SOC-focused detection or incident escalation playbook
This project is a learning and portfolio artifact.
It does not represent a certified ISO 27001 implementation or a real organization.
Feel free to connect on LinkedIn or review my other security projects.
Feedback and discussion are welcome. Thank you for reviewing this project. 🙏
