Consider using SharePoint for your Risk Register

Jun 23, 2020

At most organisations where I’ve worked, the IT risk register has been in Excel. There are some great Excel templates around for this, such as in the excellent (and also free) ISO27k toolkit (https://www.iso27001security.com/html/toolkit.html).

Deep in the operational heart of vBridge, however, once we started running an ISO 27001 information security management system (ISMS), some cracks started to appear.

Now I don’t want to bag Excel because it’s brilliant - and when it comes to risk registers there isn’t a better place to start. Excel is great at recording risks, their owner, the severity (calculated from impact and likelihood), existing controls and notes about risk activities. It also has effective filtering, colour-coding to make it friendly, and if you’re super onto-it, lots of VLOOKUPs across multiple sheets.

The problem is that it doesn’t integrate well with broader ISMS activities – such as tracking controls (which really need their own register), the activities associated with risk treatment, and the ISO 27001 Statement of Applicability, which ties all these together.  This last item in particular is of great interest to ISMS auditors.

So, what did we do? Well, we migrated our risk register to SharePoint. Our risks and controls now sit in SharePoint lists, and our activities are tracked in Microsoft Planner. We use Power Automate (Flow and Power Apps) to bring these different elements together.

The nice thing is that once you put data in SharePoint you can display and manage it in lots of different ways and make processes easier – for example, we recently built a Power App to simplify our internal audits. If you’re not familiar with Power Apps, it’s a low-code rapid application development platform designed for mobility (although you can make desktop applications too). Its standard functionality is free with Office 365.

There’s a saying that “necessity is the mother of invention”. Now that we’ve opened the Power Automate door, lots of other opportunities for its use have appeared. If you have a Microsoft 365 subscription and haven't looked past Outlook, Word and Excel, it’s worth another look.

And as you are putting all of this great data into Office 365, make sure you are backing it up. vBridge can of course help with this with our “vBridge Backup for Office 365” product – find out more here (https://vbridge.co.nz/business-solutions/secure-backup-for-office-365-made-easy/).

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years' experience in many NZ organisations including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.