Link assets to risks in the Risk Register
Arnold Tim
The Risk Register currently lacks the ability to link risks to specific assets from the inventory. Adding this functionality would improve risk visibility, impact analysis, and mitigation tracking.
Use Case
When a security risk is identified, it often impacts specific assets within the organization’s inventory (e.g., servers, databases, applications). For example, if a vulnerability is discovered in a particular server, users should be able to directly associate that server from the inventory with the identified risk. This linkage would allow for:
- Better visibility into which assets are at risk.
- More accurate risk assessment based on the criticality of affected assets.
- Easier mitigation tracking, as teams can quickly identify which assets require action.
Created by Elżbieta Żurakowska
Grigory Emelianov
Cool idea, thanks Amir El Sayed, we will keep it in mind. We already see a strong use case for Risk-Vendor mapping. But other elements seem to create more noise than help in our experiments. Do you have specific useful examples where mapping the inventory assets and people to specific risks would help a lot?
Amir El Sayed
Grigory Emelianov, this issue is coming up everywhere in our daily usage. When implementing specific tooling, we might accept or mitigate specific risks concerning that software. Also, as the original post stated, specific assets might come with an individual risk, which is hard to link without a direct mention of the risk name (or ID) inside the free text. We encountered this issue several times in our last audit, as we had to search for risks while looking at assets or vendors.
Jakub Wanat
@Amir El Sayed: Amir proposes enabling links between risks and other entities (e.g., vendors, people, inventory items) to maintain a cohesive and accurate risk register. He suggests adding these links directly when creating or updating those entities. This would especially help with vendor-related risk assessments.