
Managing risks in ISMSVision (detailed guide)

This guide follows the structure of the in-app Risk Management workspace: the same tabs your users see—Overview, Risks, Controls, Non-conformities, Improvement opportunities, Statement of Applicability, and Configuration. URLs use the prefix /app/risk-management with a segment for each workspace tab (for example /app/risk-management/risks).

Overview tab

The overview aggregates register and library health so you can steer a review meeting without opening every record. Metrics include:

  • counts of active and closed risks, and draft items;
  • high-residual active risks;
  • active risks missing a residual assessment, and risks with assessment gaps;
  • active risks without linked controls;
  • open and major non-conformities;
  • controls whose effectiveness needs improvement, and controls referenced from risk records;
  • a Statement of Applicability summary derived from the control library.

Tables list top “attention” risks (by residual severity and data completeness), a risk status breakdown, and short lists of open non-conformities and active improvement opportunities for quick navigation into detail screens.

Risks tab and risk detail

The Risks tab is the operational risk register: create and maintain entries, filter and triage, and open a full-page risk detail view per risk id (/app/risk-management/risks/:id).

Risk record sections (detail tabs)

Each risk’s detail view is organised into tabs such as: Overview; Scenario & context (narrative and optional references to related service desk tickets); Assets; Ownership; Assessment (inherent and residual ratings aligned to your configured risk matrix—basic bands or enterprise-style numeric scoring); Controls (links into the control library); Treatment & evidence; Notes; Response & acceptance; and Activity for change history. Field-level guidance hints in the UI mirror the same concepts auditors ask about: who owns the risk, how it was identified, and how residual position is justified.

Supporting picklists—risk type, lifecycle status, identification source—are not hard-coded; they come from your tenant configuration so labels match your ISMS policy vocabulary.

Controls tab and control detail

The Controls tab is the control library used for risk treatment and SoA reporting. Controls carry configurable attributes such as status (for example planned vs implemented), effectiveness ratings, category (often mapped to organisational / people / physical / technological groupings), monitoring frequency, and catalogue metadata where you import or maintain control text. Opening a control shows its own detail layout and the risks that reference it—so control owners see downstream dependencies in one place.

Non-conformities tab

Findings from audits, tests, or reviews are logged here with workflow status and source values you define (for example internal audit vs external audit). The tab is designed to sit beside risks and controls so you can relate a non-conformity to the control that failed and, where relevant, feed remediation back into risk residual scores.

Improvement opportunities tab

Improvement opportunities (OFIs) appear in their own tab so the improvement backlog is visible alongside formal NCs. The overview surfaces a short list of active items; your process decides when an OFI graduates into a risk or a change request outside the module.

Statement of Applicability tab

The SoA tab reads from the same control library maintained under Controls. It renders a table with Annex (or catalogue) reference, control title, an applicability indicator, and justification text—so ISO 27001’s “which controls apply and why” question is answered from live data rather than a one-off export. See also the blog series what is a SoA?, how to fill an SoA, and how ISMSVision helps with the SoA.

Configuration hub

Choosing Configuration navigates to /app/risk-management/configuration, a hub of cards grouped into four areas:

  • Risk configuration — risk types; risk lifecycle statuses; risk identification sources; common threats library; and the risk matrix editor (likelihood × impact mapping to inherent ratings, including enterprise priority grids where enabled).
  • Workflows & automation — risk workflows built with the same visual designer as service management but scoped to risk management events; plus notification templates filtered to risk, NC, OFI, and control-related templates you tag in system configuration.
  • Control configuration — control status list; control effectiveness ratings; control categories; monitoring frequency options.
  • Non-conformity configuration — NC workflow statuses and NC sources for consistent reporting.

Together, these settings encode your methodology: scales, wording, and lifecycle states auditors see on sampled records match what your policies describe.
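To make the two mechanisms above concrete (the likelihood × impact matrix that yields inherent and residual ratings, and the overview counts such as high-residual active risks, active risks missing a residual assessment, and active risks without linked controls), here is an added example that is not ISMSVision's own code. The 5×5 scale, the rating bands, the status labels, the control ids and the sample register are all constructed assumptions; your tenant configuration defines the real ones.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed 5x5 matrix (assumption, not the product's scale):
# score = likelihood * impact, banded by the upper limits below.
BANDS = [(5, "Low"), (10, "Medium"), (15, "High"), (25, "Critical")]
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def rate(likelihood: int, impact: int) -> str:
    """Map a likelihood/impact pair (each 1..5) onto a rating band."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    score = likelihood * impact
    return next(label for limit, label in BANDS if score <= limit)

@dataclass
class Risk:
    rid: str
    status: str                       # lifecycle status (assumed labels)
    inherent: tuple                   # (likelihood, impact)
    residual: Optional[tuple] = None  # None = residual assessment missing
    controls: list = field(default_factory=list)  # linked control ids

def overview(register):
    """Derive overview-style health counts from a list of Risk records."""
    active = [r for r in register if r.status == "active"]
    return {
        "active": len(active),
        "closed": sum(r.status == "closed" for r in register),
        "draft": sum(r.status == "draft" for r in register),
        "high_residual_active": sum(
            r.residual is not None and rate(*r.residual) in ("High", "Critical")
            for r in active),
        "active_missing_residual": sum(r.residual is None for r in active),
        "active_without_controls": sum(not r.controls for r in active),
    }

def attention(register, top=3):
    """Rank active risks by residual severity, then by data gaps. A risk with
    no residual assessment is scored at its inherent rating (conservative
    assumption: untreated until proven otherwise)."""
    def key(r):
        sev = SEVERITY[rate(*(r.residual or r.inherent))]
        gaps = (r.residual is None) + (not r.controls)
        return (-sev, -gaps, r.rid)
    active = [r for r in register if r.status == "active"]
    return [r.rid for r in sorted(active, key=key)[:top]]

REGISTER = [  # constructed sample register
    Risk("R-1", "active", (5, 5), (3, 4), ["CTL-01"]),
    Risk("R-2", "active", (4, 4), None, []),       # two data gaps
    Risk("R-3", "active", (2, 2), (1, 2), ["CTL-02"]),
    Risk("R-4", "closed", (3, 3), (1, 1), ["CTL-02"]),
    Risk("R-5", "draft", (3, 5)),
]
```

Running `overview(REGISTER)` and `attention(REGISTER)` against this register shows how an unassessed, uncontrolled risk (R-2) rises to the top of the attention list even though it has no residual score of its own.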

Practical tips

  • Stabilise the risk matrix before bulk import—changing scales mid-cycle complicates year-on-year comparison.
  • Link every material risk to at least one control so residual ratings are explainable and the SoA stays authoritative.
  • Use workflows for repeatable approvals (for example management sign-off on high risks) instead of ad hoc email threads—so evidence stays in the activity stream.

For a quicker tour, read managing risks in ISMSVision (overview). For ISO language mapped to these features, see how ISMSVision supports ISO 27001 risk requirements.

Combine with Document Management

Pair controlled policies from the document library with the risk register for a complete documented-information story.
