Risk register: indicators, owners, thresholds

5.2 Risk management

📘CompTIA Security+ (SY0-701)


Overview

A risk register is like a master list where an organization keeps track of all the risks that could affect its IT systems, data, or operations. Think of it as a detailed log that helps IT teams identify, monitor, and manage risks in a structured way.

It is a key tool in risk management, helping organizations know:

  • What risks exist
  • How severe they are
  • Who is responsible for them
  • What actions to take

The risk register is often a table or database that contains structured information about risks.


Key Components of a Risk Register

For the exam, CompTIA Security+ expects you to understand these three main elements:

1. Indicators

Indicators show signs that a risk may happen or is happening. They are measurable pieces of information that alert the organization to potential issues.

In IT terms, indicators are often linked to security events or trends, such as:

  • A sudden spike in failed login attempts → might indicate a brute force attack
  • Increased malware detections in endpoint systems → could indicate infection spreading
  • Frequent network downtime → could indicate unstable servers or infrastructure issues

Indicators help organizations detect risks early, so they can act before a risk turns into a bigger problem.

Exam Tip: Indicators are sometimes called risk triggers or warning signs.


2. Owners

A risk owner is the person responsible for managing a specific risk. They make sure that risk responses are planned, executed, and monitored.

In IT environments, examples of risk owners include:

  • CISO (Chief Information Security Officer) → for enterprise-wide security risks
  • IT Manager / System Admin → for server or application risks
  • Network Engineer → for network security risks like DDoS attacks or outages
  • Database Administrator → for database integrity and backup risks

Why this matters: Assigning an owner ensures that risks are actively managed rather than being ignored.

Exam Tip: A risk without an owner is often considered unmanaged and higher priority.


3. Thresholds

A threshold defines the level at which a risk becomes unacceptable and requires action. Think of it as a trigger point: when a risk exceeds this level, it must be addressed immediately.

In IT examples:

  • Number of failed login attempts → Threshold = 10 attempts in 5 minutes triggers account lockout
  • Network downtime → Threshold = more than 5 minutes of outage triggers escalation to IT management
  • Malware detection rate → Threshold = 3 infected systems in a day triggers incident response

Thresholds help organizations prioritize risks and determine when to escalate incidents. They are often set in quantitative terms (numbers, percentages) or qualitative terms (high/medium/low risk levels).

Exam Tip: Thresholds are linked to risk appetite, which is how much risk the organization is willing to accept.


Putting It All Together – Example Risk Register Table

Risk ID | Risk Description               | Indicator                  | Owner            | Threshold               | Mitigation/Action Plan
--------|--------------------------------|----------------------------|------------------|-------------------------|-------------------------------
001     | Unauthorized access to servers | Multiple failed logins     | System Admin     | >5 failed logins/10 min | Lock account & investigate
002     | Ransomware infection           | Endpoint malware detection | IT Security Team | >2 infected devices/day | Isolate devices & scan network
003     | Network downtime               | Server unreachable         | Network Engineer | >5 minutes              | Notify IT manager & restore

Exam Tip: You don’t need to memorize a table, but understand the relationship between indicators, owners, and thresholds, and how they help manage IT risks.
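The following is an added example, not part of the study guide: it encodes the three rows of the example table above as a small risk register and evaluates the thresholds against a constructed log, so you can see how an indicator, its owner and its threshold work together. All log lines, hostnames and usernames are constructed; the register's threshold/window values follow the table. One assumption is labelled in the code: to turn ">5 minutes of outage" into something countable, risk 003 assumes a reachability probe that runs once per minute.

```python
"""Evaluate a risk register's thresholds against sample indicator events.

Added example (not from the study guide). Register rows mirror the example
table; the log is constructed. Assumption: the probe behind risk 003 runs
once per minute, so ">5 minutes of outage" is ">5 unreachable probes within
a 6-minute window".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    indicator: str        # event type that is the warning sign for this risk
    owner: str            # who is notified when the threshold is exceeded
    threshold: int        # highest count still acceptable; "> threshold" breaches
    window: timedelta     # sliding window over which indicator events are counted
    action: str           # mitigation / action plan from the register


REGISTER = [
    Risk("001", "Unauthorized access to servers", "failed_login",
         "System Admin", 5, timedelta(minutes=10), "Lock account & investigate"),
    Risk("002", "Ransomware infection", "malware_detected",
         "IT Security Team", 2, timedelta(days=1), "Isolate devices & scan network"),
    # Assumed once-per-minute probe: 6 consecutive failures => more than 5 minutes down.
    Risk("003", "Network downtime", "server_unreachable",
         "Network Engineer", 5, timedelta(minutes=6), "Notify IT manager & restore"),
]

# Constructed sample log, one event per line: "<ISO timestamp> <event type> <details>".
SAMPLE_LOG = """\
2024-05-01T10:00:05 failed_login user=alice src=10.0.0.8
2024-05-01T10:00:09 failed_login user=alice src=10.0.0.8
2024-05-01T10:00:14 failed_login user=alice src=10.0.0.8
2024-05-01T10:00:20 failed_login user=alice src=10.0.0.8
2024-05-01T10:00:27 failed_login user=alice src=10.0.0.8
2024-05-01T10:00:33 failed_login user=alice src=10.0.0.8
2024-05-01T10:30:00 malware_detected host=ws-17 sig=Trojan.Generic
2024-05-01T11:45:00 malware_detected host=ws-22 sig=Trojan.Generic
2024-05-01T12:00:00 server_unreachable host=web-01
2024-05-01T12:01:00 server_unreachable host=web-01
2024-05-01T12:02:00 server_unreachable host=web-01
2024-05-01T12:03:00 server_unreachable host=web-01
2024-05-01T12:04:00 server_unreachable host=web-01
2024-05-01T12:05:00 server_unreachable host=web-01
2024-05-02T13:00:00 malware_detected host=ws-31 sig=Trojan.Generic
"""


def parse_log(text):
    """Yield (timestamp, event_type, details) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, details = line.split(maxsplit=2)
        yield datetime.fromisoformat(ts), event, details


def evaluate(register, events):
    """Return one escalation per threshold breach.

    Each risk keeps a sliding window of its indicator events. When the count
    in the window exceeds the threshold, the owner and action plan are
    recorded and the window is cleared so one burst is reported once.
    """
    by_indicator = defaultdict(list)
    for risk in register:
        by_indicator[risk.indicator].append(risk)
    windows = {risk.risk_id: deque() for risk in register}
    escalations = []
    for ts, event, _details in sorted(events):
        for risk in by_indicator.get(event, ()):
            window = windows[risk.risk_id]
            window.append(ts)
            while window and ts - window[0] > risk.window:   # drop events outside the window
                window.popleft()
            if len(window) > risk.threshold:
                escalations.append({
                    "risk_id": risk.risk_id, "description": risk.description,
                    "indicator": risk.indicator, "count": len(window),
                    "threshold": risk.threshold, "window": risk.window,
                    "owner": risk.owner, "action": risk.action, "at": ts,
                })
                window.clear()
    return escalations


def run_demo():
    """Evaluate the register against the constructed log; returns the escalations."""
    return evaluate(REGISTER, list(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    for e in run_demo():
        print(f"[{e['at'].isoformat()}] risk {e['risk_id']} ({e['description']}): "
              f"{e['count']} x {e['indicator']} within {e['window']} exceeds {e['threshold']} "
              f"-> notify {e['owner']}: {e['action']}")
```

Running it produces two escalations: the six failed logins within ten minutes breach risk 001 and go to the System Admin, and the six consecutive unreachable probes breach risk 003 and go to the Network Engineer. The three malware detections never breach risk 002, because only two of them fall inside any one-day window; that is the threshold doing its job of separating background noise from a risk that needs action.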


Key Points to Remember for the Exam

  1. A risk register is a tool to track, monitor, and manage risks in IT environments.
  2. Indicators show warning signs or triggers of a risk.
  3. Owners are responsible for managing risks and implementing mitigation strategies.
  4. Thresholds define the acceptable level of risk and when action is needed.
  5. Risk registers improve risk visibility, accountability, and proactive management.

💡 Memory Tip:
Think “IOT”: Indicator, Owner, Threshold. Every risk needs all three to be effective and actionable.

