A risk register is a documented inventory of identified risks — including description, likelihood, impact, risk owner, current controls, and treatment plan.
Risk registers operationalize risk management. Each risk has an owner. Risks must be reviewed regularly. Link the register to the security roadmap: high-priority risks drive near-term remediation projects. A risk register is required by ISO 27001, NIST, and most frameworks.