What is RskRgstr

Risk Register (RskRgstr) is a web-based system created by information security professionals to record, score and report cybersecurity risk.

What problems do we solve?

  1. Risk management is a primary need for all private and public sector organizations, driven by increasing government and industry mandates.
  2. Fragmented Understanding of Risk – Knowledge of cybersecurity risk (project risk, third party risk, penetration testing, business impact analysis, and so on) is scattered across an organization.
  3. Difficulty prioritizing risk management activities when there is no single view of risk.
  4. Compliance Needs – Auditors and regulators expect evidence of a properly managed risk program.
  5. Expensive and cumbersome systems, or spreadsheets, used to track risk.

How RskRgstr Solves Problems

  1. Minimalistic Approach – Designed by veteran risk management professionals around a minimalistic approach to risk management.
  2. Unified View of Risk – RskRgstr provides a unified way of documenting all risks in one place.
  3. Prioritization – RskRgstr associates a priority and a risk level with each finding and provides search and reporting across them.
  4. Compliance Evidence – A defined approach to risk management, with evidence of assessments and findings.
  5. Focus on Value Creation – An approach that minimizes unnecessary features and infrastructure needs in order to reduce cost and training effort.

Availability

Available for installation within your network or Software as a Service (SaaS), as a training tool, and as a software package.

History

This project started in 2004 and was initially named SMART (Security Management And Risk Tracking) and was developed in PHP. Later on it was renamed RskRgstr and moved to the Python/Django platform for more modular development.

Features and How It Works

  • Core Concepts

    An Assessment

    An assessment is the foundation of RskRgstr. Assessments can be of many types, including but not limited to:

    • Internal risk assessments of business units or business processes
    • Third party risk
    • Penetration testing
    • Business Impact analysis
    • Application security
    • Threat modeling

    New types of assessments can be added as needed. In large enterprises, assessments can be associated with smaller business units.

  • Risk Recording

    The Concept of Finding

    An assessment has many findings. Findings have associated risk, assets, applications, risk treatment types and so on. A configurable risk matrix is used to assign each finding a risk level, calculated automatically from its likelihood and impact. Findings can also have a priority and owners.


  • Risk Reporting

    Search Capabilities

    Search on multiple criteria (assessment, risk status, risk level, and so on) to identify the highest-risk findings across all assessments.
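The following is an added illustration, in the Python the page says RskRgstr moved to, of the two mechanisms described above: the finding model with its configurable likelihood-by-impact risk matrix (Risk Recording), and a multi-criteria search that ranks findings across assessments (Risk Reporting). It is not RskRgstr's own code; the 3x3 scale, the level names, the `Assessment`/`Finding` classes and the sample findings are all constructed assumptions.

```python
"""Added illustration (not RskRgstr's own code) of the assessment/finding model,
the configurable risk matrix, and the cross-assessment search described above.
Scales, level names and sample findings are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Configurable risk matrix: (likelihood, impact) on 1..3 scales -> risk level.
# Assumption: a 3x3 matrix; a deployment would load its own from configuration.
RISK_MATRIX: Dict[Tuple[int, int], str] = {
    (1, 1): "Low",    (1, 2): "Low",    (1, 3): "Medium",
    (2, 1): "Low",    (2, 2): "Medium", (2, 3): "High",
    (3, 1): "Medium", (3, 2): "High",   (3, 3): "Critical",
}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}


def lookup_risk_level(likelihood: int, impact: int, matrix=RISK_MATRIX) -> str:
    """Map a (likelihood, impact) pair to a level. Out-of-scale values raise
    rather than silently defaulting, so a misconfigured scale is caught early."""
    try:
        return matrix[(likelihood, impact)]
    except KeyError:
        raise ValueError(f"({likelihood}, {impact}) is outside the configured matrix") from None


@dataclass
class Assessment:
    name: str
    kind: str            # e.g. "Penetration testing", "Third party risk"
    business_unit: str


@dataclass
class Finding:
    title: str
    assessment: Assessment
    likelihood: int      # 1..3, on the matrix scale
    impact: int          # 1..3
    priority: int = 3    # 1 = most urgent
    status: str = "Open"
    owner: Optional[str] = None
    assets: List[str] = field(default_factory=list)
    treatment: str = "Mitigate"   # Mitigate / Accept / Transfer / Avoid

    @property
    def risk_level(self) -> str:
        # Derived, never stored: changing the matrix re-scores every finding.
        return lookup_risk_level(self.likelihood, self.impact)


def search_findings(findings, *, min_level=None, status=None,
                    assessment_kind=None, owner=None):
    """Filter on several criteria at once and return matches highest risk first,
    ties broken by priority (1 before 3)."""
    hits = []
    for f in findings:
        if min_level and LEVEL_RANK[f.risk_level] < LEVEL_RANK[min_level]:
            continue
        if status and f.status != status:
            continue
        if assessment_kind and f.assessment.kind != assessment_kind:
            continue
        if owner and f.owner != owner:
            continue
        hits.append(f)
    return sorted(hits, key=lambda f: (-LEVEL_RANK[f.risk_level], f.priority))


def level_counts(findings) -> Dict[str, int]:
    """Reporting summary: number of findings at each risk level."""
    counts = {level: 0 for level in LEVEL_RANK}
    for f in findings:
        counts[f.risk_level] += 1
    return counts


# Constructed sample data: three assessments of different types, five findings.
PENTEST = Assessment("Q1 external pentest", "Penetration testing", "Retail")
VENDOR = Assessment("Payment vendor review", "Third party risk", "Finance")
BIA = Assessment("Order system BIA", "Business Impact analysis", "Retail")

SAMPLE_FINDINGS = [
    Finding("Missing MFA on admin portal", PENTEST, 3, 3, priority=1,
            owner="appsec", assets=["admin.example"]),
    Finding("Expired TLS certificate on intranet", PENTEST, 2, 2, priority=2),
    Finding("Vendor has no recent SOC 2 report", VENDOR, 2, 3, priority=2,
            owner="vendor-mgmt"),
    Finding("No tested failover for order database", BIA, 3, 2, priority=1,
            status="Closed"),
    Finding("Verbose error pages", PENTEST, 1, 2, priority=3, treatment="Accept"),
]

if __name__ == "__main__":
    # The "highest open risk across all assessments" report from the text.
    for f in search_findings(SAMPLE_FINDINGS, min_level="High", status="Open"):
        print(f"{f.risk_level:8} P{f.priority}  {f.assessment.name}: {f.title}")
    print(level_counts(SAMPLE_FINDINGS))
```

The level is a property computed from the matrix at read time rather than a stored column; that is what lets an organization change its matrix without leaving stale levels on old findings. Rejecting out-of-scale likelihood or impact values, instead of mapping them to a default, keeps a data-entry or configuration mistake from quietly becoming a "Low".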