As organizations mature their Information Security programs, a common way to record risk in one place is a risk register. A risk register helps to identify, assess, and track potential threats by collecting the information needed to mitigate them.
Typically, a risk register contains the following fields:
- Risk Description: A detailed explanation of the risk and how it could affect the organization.
- Cause: The event or trigger that could lead to the risk.
- Impact: The potential consequences if the risk materializes.
- Likelihood: The probability of the risk occurring.
- Outcome: The overall effect on the organization if the risk happens.
- Risk Level: The priority of the risk based on a risk matrix.
- Cost: The estimated expense to mitigate or minimize the risk.
- Mitigation Actions: Steps taken to reduce the risk.
Using a risk register helps in delegating responsibilities, improving risk identification, and prioritizing response actions. It also supports compliance with standards such as ISO/IEC 27001, which requires organizations to maintain a risk register as part of their Information Security Management System (ISMS).