How to work with risks
Overview
Where to find it in ISOPlanner: https://portal.isoplanner.app/risks/overview
Risks are possible future events that may have a negative effect on the goals your organization has set for the compliance frameworks you are implementing.
Acknowledging and registering risks is important in some ISO standards, such as ISO 27001. If risks are not relevant for your compliance frameworks, you can disable the menu option altogether under Administration - Settings, tab Modules.
Risks can be added according to your organisation's needs. When creating a new risk, linking a Control to it (in Related information) automatically determines to which Standard that risk applies. The control(s) a risk is linked to are visible in the Overview of all risks, in the column “Controls”. Clicking it opens a list of all the controls that particular risk is linked to.
The Code, Title and Permission of each risk can be edited directly in the list: mark one risk and click the “Edit” button, and a new window opens with those options. A risk that is not needed can be removed from the list. A single risk can be copied by marking it in the list and choosing “Copy”. This opens a new window where the Code, Title and Sharing Permissions of the new risk can be set. At the bottom of that window you can either save the new risk, or save it and open it immediately to change further properties. Reports on risks can be created directly from the menu, with the options Risk assessment, Risk treatment plan or Risk changes.

Some properties can be changed on multiple risks at once. When two or more risks are marked, the “Edit” button changes to “Bulk edit”; clicking it opens a new window where the Tags, Owner, Status, Group or Sharing Permissions of all selected risks can be changed.
It is also possible to copy multiple risks at once. Mark the risks you want to copy and click “Bulk copy”; a new window opens where you can add tag(s) to the new risks and confirm the action. We recommend adding a tag (for example “Classification: change”) so the newly created risks are easy to find. Once you confirm, the new risks are created. Except for the Code, all properties of the copied risks are identical to the originals. Codes of the new risks always start with “R”, numbered from the next available number.

On the right side is the View button, where columns can be added to or removed from the risk overview.
The Latest change filter narrows the overview down based on when the latest change to a risk was made: either by the audit year of the task, or by a period you define yourself.

Risk
When a risk is opened, it shows by default a ‘Details’ tab with the main information about the risk.
There is also a “Tasks & Events” tab listing the tasks related to that risk.
The “Dashboard” tab shows a list of the controls and tasks related to the risk.
Analysis

If an analysis task is already created for this risk, you can open it here.
To create a new analysis task, use the button “Create new analysis task”.
Use this type of task when you want someone, for example the risk owner, to analyze the risk.
The risk analysis task will also appear in the ‘Tasks & Events’ tab.
View
The ‘View’ button allows you to change the view on your risk.
- Sections expanded – shows all information for the risk by default, where sections can be collapsed.
- Sections collapsed – shows a collapsed summary of the risk by default, where sections can be expanded.
Properties
Each risk has the following properties:
- Code
- Owner
- Group
- Shared with
- Status
- Tags
The status can be any of:
- New: each new created risk will enter in this status.
- Analysis: used during analysis and filling of the risk properties and sections.
- In progress: used during the risk mitigation process until all controls are implemented.
- Review: used during the initial and/or annual review process.
- Accepted: the final state when the residual risk (Goal score) is accepted.
- Rejected: when this risk is not accepted or does not apply to your organization.
- Archived: the risk is not applicable anymore and is kept for traceability.
Apart from these properties, risks have the following sections.
Assets
In addition to the “Description” text field, where the type of assets the risk relates to can be described, it is also possible to link a risk to one or more assets entered in the Asset module.
If you have entered a description of an asset that is not yet in the Asset module, the option “Convert description to Asset” converts the description into an asset. The first line of the description becomes the name of the asset and the rest becomes the asset description. Once converted, a link to the new asset is created automatically and the text description is removed.

Threat
Fill in the descriptions of the risk events that may occur.
You can enter multiple threats in rich text format and our AI Assistant can help you fill in this field.
Risk analysis
The risk analysis consists of scores, classifications and the description of the consequence of the risk.
Scores are given on the aspects of Likelihood, Impact and Score.
There are three columns for each Score:
- Initial: the chance and impact if no measures were taken,
- Current: the score including the measures already taken; this is updated with each risk evaluation,
- Goal: the maximum score you are willing to accept for this risk.
By default, both chance and impact are on a 1 to 3 scale. This scale can be changed under Administration / Settings / Risks.
Classifications
The classifications are check-boxes that indicate whether the risk is classified as such. Examples of classifications are: Confidentiality, Integrity, Availability, Quality.
The classifications can be adjusted. There is a checkbox for each group of classifications that you define here.
Consequence
This is a rich text field where you can describe the consequence (impact) if the threat occurs.
In this field you can also add information to substantiate the chosen chance and impact. Our AI Assistant can help you fill this in.
Risk treatment strategy
For the risk treatment strategy, select between the options:
- Mitigate: implement controls to reduce the risk score.
- Avoid: stop using the related assets in a way that exposes them to the threat.
- Transfer: for example, take out insurance to transfer the risk to another party.
- Accept: accept the risk without taking additional action.
A text field is available for describing the risk treatment strategy in more detail. You may refer to linked documents with a ‘badge’ and to a selection of controls which may be chosen in the ‘Related information’ panel.
Related information

The pane which can be opened on the right contains more information related to the risk. Specifically for risks, there is a tab called ‘Controls’. Add an existing control to the risk by typing in the search box and clicking one of the found suggested items to link the control to the risk.
Our AI Assistant can suggest controls for you.
Click the ‘Add new control’ button if you want to create a brand-new control instead of selecting an existing control from the list.
This relationship means that the set of selected controls will mitigate the risk once they are implemented.
If you are working with an ISO standard that includes the identification of risks but doesn’t contain a set of controls, then you have two options:
- Create your own controls and link them to the appropriate risks as described.
- Don’t use controls and instead use the ‘Risk treatment strategy’ text field with each risk to describe how the risk will be treated.
In this case you may disable the ‘Controls’ menu option altogether in the menu Administration – Settings – Modules.
AI Assistant
Our AI Assistant can help you with risks in the following areas:
- Suggestions of controls. The AI Assistant is able to suggest controls that can mitigate the selected risk.
- Conversations. AI is integrated into the text editor at specific locations in ISOPlanner. Next to simple queries like ‘Summarize’ or ‘Expand upon’, this editor supports conversations about these topics:
  - Risk threats
  - Risk consequences

Board
The overview of risks has a tab called “Board”. This shows the risks sorted into columns per risk state. You can drag and drop a risk to another column to change its state.

Analytics
The overview of risks has a tab called ‘Analytics’. This will show you three matrices, called ‘Start’, ‘Current’ and ‘Goal’.
Each cell in each matrix shows the number of risks that have that specific combination of likelihood and impact.
For example, in the “Current” matrix, if the cell which corresponds to likelihood of 2 and an impact of 2 has the number 11 in it, that means that there are 11 risks where the current Likelihood is set to 2 and the current impact is set to 2.
Click a cell to see a list of all those risks.
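As an added example (not ISOPlanner code and not part of this page), the scoring model from the Risk analysis section and the Analytics matrices above in Python: a small risk register with Initial, Current and Goal scores on the default 1 to 3 scale, a function that builds one matrix of risk counts per likelihood/impact cell, and a consistency check that a risk in status Accepted does not still have a Current score above its Goal. The product formula for the overall Score and the Accepted check are assumptions; the page does not state either.

```python
from collections import Counter
from dataclasses import dataclass

SCALE_MAX = 3  # default 1..3 scale; changeable under Administration / Settings / Risks

@dataclass(frozen=True)
class Score:
    """One Likelihood/Impact pair, as entered in the Initial, Current and Goal columns."""
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= SCALE_MAX:
                raise ValueError(f"{value} is outside the 1..{SCALE_MAX} scale")

    @property
    def value(self) -> int:
        # Assumption: the overall Score is likelihood x impact; the page gives no formula.
        return self.likelihood * self.impact

@dataclass
class Risk:
    code: str
    status: str
    initial: Score
    current: Score
    goal: Score

def risk_matrix(risks: list[Risk], column: str) -> dict[tuple[int, int], int]:
    """One Analytics matrix ('initial', 'current' or 'goal'): number of risks
    per (likelihood, impact) cell, empty cells included."""
    counts = Counter((getattr(r, column).likelihood, getattr(r, column).impact) for r in risks)
    cells = range(1, SCALE_MAX + 1)
    return {(lk, im): counts.get((lk, im), 0) for lk in cells for im in cells}

def accepted_above_goal(risks: list[Risk]) -> list[str]:
    """Assumed consistency check (not defined by the page): a risk in status
    'Accepted' should not still have a Current score above its Goal score."""
    return [r.code for r in risks if r.status == "Accepted" and r.current.value > r.goal.value]

# Constructed sample register, not real ISOPlanner data.
RISKS = [
    Risk("R1", "Accepted", Score(3, 3), Score(2, 2), Score(2, 2)),
    Risk("R2", "In progress", Score(3, 2), Score(2, 2), Score(1, 2)),
    Risk("R3", "Accepted", Score(2, 3), Score(2, 3), Score(1, 1)),  # still above goal
    Risk("R4", "New", Score(1, 1), Score(1, 1), Score(1, 1)),
]
```

With this register, `risk_matrix(RISKS, "current")[(2, 2)]` is 2, which is the kind of count the “Current” matrix cell shows, and `accepted_above_goal(RISKS)` flags R3.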
