The Most Underrated Deliverable in Cybersecurity
Every UAE business going through ISO 27001 certification, NESA assessment, or a serious compliance program will be asked the same question by an auditor:
"Show me your risk register."
Most organisations produce something that looks like a risk register: a spreadsheet with 15 – 40 rows, colour-coded cells, vague descriptions. Competent auditors can tell within 60 seconds whether it's a real risk register or theatre. Real ones pass audit. Theatre doesn't.
Here's how to build a real one — the ISO 27005-aligned method we use with UAE clients.
What a Risk Register Actually Is
A risk register is a living document that identifies, assesses, treats, and tracks cybersecurity risks to your organisation. ISO 27005 (the risk management standard underpinning ISO 27001 Clause 6) defines the process; the register is the output.
A proper risk register has six core fields per risk:
- Risk description — what could happen, affecting what asset
- Threat × vulnerability — how the risk could materialise
- Likelihood score — on a defined rubric
- Impact score — on a defined rubric
- Treatment decision — avoid, transfer, mitigate, accept
- Owner + target date — who, by when
Plus the metadata auditors expect: date identified, last reviewed, residual risk after treatment, and evidence references.
The Scoring Rubric You Actually Need
Vague rubrics ("Low/Medium/High") don't survive audit scrutiny. Here's a defensible 5-point scale that works for UAE mid-market organisations:
Likelihood (5 = most likely)
| Score | Label | Description |
|---|---|---|
| 1 | Rare | Never happened; no known precedent in sector |
| 2 | Unlikely | Known to happen in sector, not in similar orgs |
| 3 | Possible | Known to happen in similar orgs annually |
| 4 | Likely | Happens in similar orgs quarterly |
| 5 | Almost certain | Happens in similar orgs monthly or has happened to us |
Impact (5 = most severe)
| Score | Label | Description |
|---|---|---|
| 1 | Negligible | < AED 10k or < 4 hours downtime |
| 2 | Minor | AED 10k – 100k or 1 day downtime |
| 3 | Moderate | AED 100k – 500k or 1 week downtime |
| 4 | Major | AED 500k – 5M or 1 month downtime |
| 5 | Severe | > AED 5M or > 1 month downtime or regulatory penalty |
Multiply for the risk score (1 – 25). Define acceptance thresholds explicitly — e.g., "risks scoring 1 – 4 require acceptance with documented rationale; 5 – 14 require treatment; 15+ require board escalation."
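To make the rubric and the thresholds concrete, here is an added Python example (not code from the original post) that encodes the two 5-point scales and the example thresholds above, rejects scores off the rubric, records inherent and residual scores for one risk, and counts how the 25 cells of the matrix split across the three bands. The function names, the band wording and the sample BEC risk with its residual scores are this example's own assumptions.

```python
"""Likelihood x impact scoring for an ISO 27005-style risk register.

Added example, not code from the original post. The two 5-point rubrics and the
acceptance thresholds are the ones the article gives; the function names, the
band wording and the sample BEC risk are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}

# Acceptance thresholds from the article as inclusive (low, high, required action) bands.
BANDS = (
    (1, 4, "accept with documented rationale"),
    (5, 14, "treatment required"),
    (15, 25, "board escalation"),
)


def risk_score(likelihood: int, impact: int) -> int:
    """Return likelihood x impact (1-25) after checking both sit on the 1-5 rubric."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return likelihood * impact


def required_action(score: int) -> str:
    """Map a 1-25 score onto the band that says what the register must record for it."""
    for low, high, action in BANDS:
        if low <= score <= high:
            return action
    raise ValueError(f"score {score} is outside the 1-25 range")


def heat_map_counts() -> Dict[str, int]:
    """Count how many of the 25 likelihood x impact cells land in each band.

    Useful when defending the thresholds to an auditor: with these bands only
    6 of 25 cells reach board escalation and 8 qualify for acceptance.
    """
    counts = {action: 0 for _, _, action in BANDS}
    for likelihood in range(1, 6):
        for impact in range(1, 6):
            counts[required_action(likelihood * impact)] += 1
    return counts


@dataclass
class ScoredRisk:
    """One register row with inherent scores and, once treated, residual scores."""
    description: str
    likelihood: int
    impact: int
    residual_likelihood: Optional[int] = None  # None until a treatment is planned
    residual_impact: Optional[int] = None

    @property
    def inherent(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        likelihood = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        impact = self.impact if self.residual_impact is None else self.residual_impact
        return risk_score(likelihood, impact)

    def summary(self) -> Dict[str, object]:
        """The fields an auditor reads first: labelled scores, both actions, a sanity flag."""
        inherent = self.inherent  # validates the inherent scores before labels are looked up
        residual = self.residual
        return {
            "description": self.description,
            "likelihood": f"{self.likelihood} ({LIKELIHOOD_LABELS[self.likelihood]})",
            "impact": f"{self.impact} ({IMPACT_LABELS[self.impact]})",
            "inherent_score": inherent,
            "inherent_action": required_action(inherent),
            "residual_score": residual,
            "residual_action": required_action(residual),
            # A treatment that raises the score is a data-entry error, not a treatment.
            "residual_reduces_risk": residual <= inherent,
        }


# Constructed sample: BEC leading to wire fraud, scored before and after controls.
BEC_WIRE_FRAUD = ScoredRisk(
    description="Spoofed supplier email x no dual approval on payment changes -> fraudulent wire",
    likelihood=4,           # Likely: happens in similar orgs quarterly
    impact=3,               # Moderate: AED 100k-500k
    residual_likelihood=2,  # after call-back verification and dual approval
    residual_impact=2,      # after per-transaction payment limits
)

if __name__ == "__main__":
    for key, value in BEC_WIRE_FRAUD.summary().items():
        print(f"{key}: {value}")
    print(heat_map_counts())
```

The sample risk scores 12 inherent (treatment required) and 4 residual (acceptable with rationale), which is the shape of argument an auditor wants to see: the controls are the reason the residual score is lower, and the rationale for accepting what remains is written down.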
Treatment Options
Four standard options under ISO 27005:
- Avoid — remove the source of the risk (retire a system, don't enter a market)
- Transfer — shift to a third party (insurance, outsourcing)
- Mitigate — apply controls to reduce likelihood or impact
- Accept — explicit, documented acceptance with rationale and sign-off
Every risk must have a treatment decision. "We'll think about it" is not a treatment.
Common UAE Risks You'll Likely Need
Sector-specific risks vary, but these show up in almost every UAE mid-market risk register:
- Business email compromise (BEC) leading to wire fraud
- Ransomware via phishing email or malicious attachment
- Cloud misconfiguration exposing customer data
- Lost or stolen employee device containing sensitive data
- Third-party / supplier compromise (supply-chain attack)
- Unauthorised access via stolen credentials (credential stuffing)
- Insider data theft on offboarding
- Payment card data exposure (for fintech / e-commerce)
- Regulatory penalty for PDPL non-compliance (for data-handling businesses)
- Loss of certification (ISO 27001) due to audit findings
Each needs a specific threat × vulnerability combination, not just "ransomware might happen."
The Review Cadence That Survives Audit
A register reviewed once a year at audit time looks exactly like a register reviewed once a year at audit time. Auditors notice.
Defensible cadence:
- Quarterly: review of high and critical risks (score 15+). Owner updates progress; any new treatments documented.
- Annually: full register review. Add new risks, retire resolved ones, re-score changed ones.
- On change: any material business event (new system, new market, incident, organisational change) triggers ad-hoc review.
The register's date of last review should never be more than 90 days old for high-scoring risks.
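An added Python example, not code from the original post, that runs the rules of this section and the field list above over a constructed register: every risk needs a treatment decision from the four ISO 27005 options, an accepted risk needs documented rationale, every risk needs an owner and a target date, and a risk scoring 15+ must have been reviewed within the last 90 days. The risk ids, descriptions, dates and owners are constructed sample data, and the quarterly and annual review intervals are taken from the cadence above.

```python
"""Audit-readiness checks for a risk register: review age, treatment, ownership.

Added example, not code from the original post. The rules are the ones the
article states; the register rows, the fixed "as of" date and the function
names are this example's own constructed assumptions.
"""
from datetime import date, timedelta
from typing import Any, Dict, List, Optional

TREATMENTS = {"avoid", "transfer", "mitigate", "accept"}
HIGH_SCORE = 15            # board-escalation threshold from the scoring rubric
MAX_REVIEW_AGE_DAYS = 90   # review-age limit for high-scoring risks
ANNUAL_DAYS = 365          # full register review interval
AS_OF = date(2025, 1, 15)  # fixed "today" so results are reproducible

# Constructed rows, each written as threat x vulnerability rather than as an outcome.
REGISTER: List[Dict[str, Any]] = [
    {"id": "R-01", "description": "Spoofed supplier email x single-approver payment changes -> wire fraud",
     "likelihood": 4, "impact": 4, "treatment": "mitigate", "owner": "Head of Finance",
     "target_date": date(2025, 3, 31), "last_reviewed": date(2024, 12, 20), "rationale": None},
    {"id": "R-02", "description": "Phishing attachment x unpatched endpoints -> ransomware on file servers",
     "likelihood": 3, "impact": 5, "treatment": "mitigate", "owner": "IT Manager",
     "target_date": date(2025, 6, 30), "last_reviewed": date(2024, 9, 1), "rationale": None},
    {"id": "R-03", "description": "Lost laptop x no disk encryption -> exposure of client files",
     "likelihood": 3, "impact": 2, "treatment": "", "owner": "IT Manager",
     "target_date": date(2025, 2, 28), "last_reviewed": date(2024, 11, 5), "rationale": None},
    {"id": "R-04", "description": "Marketing list without consent record x PDPL audit -> regulatory penalty",
     "likelihood": 2, "impact": 2, "treatment": "accept", "owner": "Legal Counsel",
     "target_date": date(2025, 1, 31), "last_reviewed": date(2024, 11, 5), "rationale": None},
]


def score_of(row: Dict[str, Any]) -> int:
    """Likelihood x impact, the 1-25 product from the scoring rubric."""
    return int(row["likelihood"]) * int(row["impact"])


def next_review_due(row: Dict[str, Any]) -> Optional[date]:
    """Quarterly for high-scoring risks, annually for the rest; None if never reviewed."""
    last = row.get("last_reviewed")
    if last is None:
        return None
    interval = MAX_REVIEW_AGE_DAYS if score_of(row) >= HIGH_SCORE else ANNUAL_DAYS
    return last + timedelta(days=interval)


def findings_for(row: Dict[str, Any], as_of: date) -> List[str]:
    """Return the audit findings for one row; empty when the row is defensible."""
    problems: List[str] = []
    score = score_of(row)
    treatment = str(row.get("treatment") or "").strip().lower()
    if treatment not in TREATMENTS:
        problems.append(f"no treatment decision recorded (got {treatment!r})")
    if treatment == "accept" and not row.get("rationale"):
        problems.append("accepted without documented rationale and sign-off")
    if not row.get("owner"):
        problems.append("no owner")
    if row.get("target_date") is None:
        problems.append("no target date")
    last = row.get("last_reviewed")
    if score >= HIGH_SCORE:
        if last is None:
            problems.append(f"score {score} but never reviewed")
        else:
            age = (as_of - last).days
            if age > MAX_REVIEW_AGE_DAYS:
                problems.append(f"score {score} but last reviewed {age} days ago (limit {MAX_REVIEW_AGE_DAYS})")
    return problems


def audit_register(rows: List[Dict[str, Any]], as_of: date) -> Dict[str, List[str]]:
    """Map risk id -> findings, listing only the rows that would draw an audit comment."""
    report: Dict[str, List[str]] = {}
    for row in rows:
        problems = findings_for(row, as_of)
        if problems:
            report[str(row["id"])] = problems
    return report


if __name__ == "__main__":
    for risk_id, problems in audit_register(REGISTER, AS_OF).items():
        print(risk_id)
        for problem in problems:
            print("  -", problem)
```

Run against the sample rows, R-01 passes, R-02 is a 15-point risk that has gone 136 days without review, R-03 has no treatment decision, and R-04 is accepted with no rationale. A check like this run before each quarterly review turns the cadence into something the register itself enforces rather than something the auditor discovers.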
The Biggest Mistake Mid-Market Companies Make
Copying a generic template from a consultant. We've seen risk registers that list "Data Breach" as a single risk with a score. Auditors hate this, and they're right to — a "Data Breach" is an outcome, not a risk. The risk is specific: credential phishing → Entra ID compromise → SharePoint document exfiltration — with a specific likelihood score based on your current controls and a specific impact score based on the value of what's in SharePoint.
Build it from your actual assets, not from a template.
What It Costs to Do This Right
A proper risk register takes time — typically 2 – 3 weeks of focused work for a UAE mid-market organisation. You can build it in-house if you have a credentialed risk lead; most don't.
External build cost: AED 20,000 – 45,000 for a standalone Risk Assessment & Register Build; it is also included as a sub-deliverable of ISO 27001 Implementation.
After it's built, maintenance is on you. The handover workshop covers how to keep it alive; ongoing retainer support is a 2027 offering on our roadmap.
Need a risk register your next audit won't laugh at?