Risk lab

Build a risk register from assets, threats, vulnerabilities, scoring, treatment, and control mapping

The Risk Lab is intentionally educational rather than bureaucratic. Choose a company scenario, build risk statements, score likelihood and impact, pick the treatment path, and connect the result to Annex A controls.
Risk analysis
Identify assets, threats, and vulnerabilities, then score likelihood and impact to see why the risk matters.
Risk treatment
Choose between mitigate, avoid, transfer, and accept with a business rationale instead of a compliance reflex.
Control linkage
Map treated risks to Annex A controls, then continue into the SoA builder to mark applicability and implementation status.
Scenario: CloudPilot (Paris, France), B2B SaaS
A fast-growing SaaS startup stores customer data, uses cloud infrastructure, ships product weekly, and is under pressure from enterprise buyers asking for ISO 27001 alignment.
Assets
  • Customer production database
  • Source code repository
  • Customer support platform
  • Cloud administration accounts
Threats
  • Credential theft
  • Production misconfiguration
  • Supplier outage
  • Unauthorized code change
Vulnerabilities
  • Inconsistent access review
  • Weak logging review discipline
  • Limited supplier due diligence
  • Shared admin practices

Risk register builder

Build risk statements with treatment and controls

Risk 1: Score 9 (Medium)
Treatment
Map controls to this treated risk

Risk register view

Generated learner-friendly register

Customer production database exposed to Credential theft
Vulnerability: Inconsistent access review
Likelihood: 3
Impact: 3
Treatment: mitigate

SoA linkage

Move treated risks into applicability logic

2 unique controls selected
Use the dedicated SoA builder to mark controls as applicable or not applicable, add justification, and export a learner-friendly SoA summary.
  • 5.15 Access control
  • 5.18 Access rights
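The register above and the SoA linkage step can be expressed as a small data model. The following is an added example, not code from the Risk Lab itself: it assumes a 1..5 scale for likelihood and impact, assumes the score-to-level thresholds (the page only shows that 3 x 3 = 9 is "Medium"), requires a business rationale for every treatment, and derives the unique control set that feeds the SoA.

```python
from dataclasses import dataclass

TREATMENTS = {"mitigate", "avoid", "transfer", "accept"}

def level_for(score: int) -> str:
    # Banding thresholds are an assumption for this example; the page only
    # shows that likelihood 3 x impact 3 = 9 lands in "Medium".
    return "Low" if score <= 5 else "Medium" if score <= 12 else "High"

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # assumed 1..5 scale
    impact: int              # assumed 1..5 scale
    treatment: str           # mitigate | avoid | transfer | accept
    rationale: str           # the business reason behind the treatment
    controls: tuple = ()     # Annex A identifiers such as "5.15"

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be scored 1..5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if not self.rationale.strip():
            raise ValueError("a treatment decision needs a business rationale")
        if self.treatment == "mitigate" and not self.controls:
            raise ValueError("a mitigated risk must map to at least one control")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def build_register(risks):
    """Register rows in the page's 'asset exposed to threat' form, highest score first."""
    rows = [{"risk": f"{r.asset} exposed to {r.threat}", "vulnerability": r.vulnerability,
             "score": r.score, "level": level_for(r.score),
             "treatment": r.treatment, "controls": list(r.controls)} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

def unique_controls(risks):
    """Distinct Annex A controls carried forward into the SoA applicability step."""
    return sorted({c for r in risks for c in r.controls})

# Constructed sample: the page's worked risk plus a second one built from the scenario lists.
SAMPLE = [
    Risk("Customer production database", "Credential theft", "Inconsistent access review",
         3, 3, "mitigate", "Enterprise buyers expect demonstrable access governance",
         ("5.15", "5.18")),
    Risk("Source code repository", "Unauthorized code change", "Shared admin practices",
         2, 4, "mitigate", "Weekly releases make an unreviewed change high impact", ("5.15",)),
]
```

Calling `build_register(SAMPLE)` reproduces the "Risk 1: Score 9 (Medium)" row, and `unique_controls(SAMPLE)` yields the two controls the SoA step reports.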