
How to Build a Cyber Risk Assessment Template (with Example)

A cyber risk assessment template is a repeatable spreadsheet or governance form that records assets, threats, vulnerabilities, likelihood, impact and treatments so teams produce a ranked, auditable action list. In the UK, organisations map findings to data protection checks under UK GDPR and to guidance from the Information Commissioner’s Office (ICO, 2025), the National Cyber Security Centre (NCSC Annual Review 2025) and the European Union Agency for Cybersecurity (ENISA threat environment 2025). The template is the artefact that ties those requirements together.

Use this guide to build a practical cyber risk assessment template you can run in workshops, feed into board reporting and map to ICO, NCSC and ENISA guidance cited above.

  • What it is: A repeatable form that scores assets by likelihood and impact to produce a ranked, board-ready list of actions.
  • Key fields: Asset, unique identifier, owner, likelihood score, impact score, combined score, treatment, target remediation date.
  • When to use it: Use for routine reviews, vendor spot-checks and board reporting; escalate to a full cyber security risk assessment for ISO 27001 audits.
  • Effort planning: Scope workshop hours, data gathering and remediation tracking before you start, and align the template to ICO, NCSC and ENISA guidance cited above.

🧭 What is a cyber risk assessment template and who should use it?

A cyber risk assessment template is a repeatable form that captures assets, threats, vulnerabilities, likelihood, impact, scores, owners and treatments so teams can assess and compare risks quickly. In the UK, CISOs, risk leads, IT heads and compliance teams should use this template.

Core fields the template must include

  • Asset, threat and vulnerability: List the asset name, asset owner and where the asset runs.
  • Likelihood and impact: Use a 1 to 5 scale and define what each number means.
  • Score: Calculate risk as Likelihood × Impact.
  • Owner and treatment: Assign an owner, choose Treat/Avoid/Transfer/Accept and capture planned remediation date.

After this, every row should show a clear next action and an accountable owner.

When a template is enough and when you need more

A template is sufficient for routine annual reviews, board-ready summaries and vendor risk spot-checks, especially for mid-market firms wanting pragmatic controls. Use a formal Cyber Security Risk Assessment service when you need evidence for ISO 27001, an auditor wants a control maturity baseline, or when regulators such as the Information Commissioner’s Office (ICO) or the Financial Conduct Authority (FCA) require documented due diligence.

How the template maps to standards and regulators

Map columns to the NIST Cybersecurity Framework (NIST), ISO 27001 and the National Cyber Security Centre (NCSC) Cyber Assessment Framework so findings plug into governance, risk and compliance reporting. Include a Data Protection row for UK GDPR and ICO requirements and a supplier risk column for NIS2 and DORA where relevant.

In our experience, a lean template forces prioritisation: You finish with a ranked list of actions and owners rather than an amorphous risk register. For examples and further reading, see the NCSC Annual Review 2025 (NCSC, 2025) and the ICO data security incident trends guidance (ICO, 2025).

🧰 What you need before you start


At CyPro, we expect you to arrive with specific data, people and tools before you draft a cyber risk assessment template. Starting without these prerequisites causes scope drift and produces a template that cannot be validated against real evidence.

Minimum data and documents

  • Asset inventory or configuration management database (CMDB) extract, including cloud and SaaS items and a named owner for each asset.
  • Vulnerability scan exports with CVE identifiers and scan dates, ideally scans completed within the last 90 days.
  • Network diagram or architecture map showing trust zones and internet connections.
  • Business impact information for major applications, including recovery time objective (RTO) and recovery point objective (RPO).
  • Relevant policy and compliance references: ISO 27001 clauses in scope and Data Protection Impact Assessments for systems processing personal data under UK GDPR.

People, roles and access

  • Assign a template owner who can settle trade off decisions between technical teams and the business, and sign off the scoring model.
  • Give an IT admin read access to the CMDB and vulnerability tooling to export CSVs and answer clarification questions.
  • Involve a Data Protection Officer (DPO) or privacy lead to confirm which assets process personal data and to advise on ICO reporting evidence.

Tools, feeds and format choices

Choose a working format up front, such as a spreadsheet for the first draft, then migrate to a Governance, Risk, and Compliance (GRC) tool when you need repeatable reporting. Include threat context from authoritative sources such as the NCSC Annual Review (NCSC, 2025) and the Information Commissioner’s Office data security incident trends (ICO, 2025).

Quick comparison: Spreadsheet versus GRC tool

Criteria               | Spreadsheet                | GRC tool
Speed to first draft   | Hours                      | Days to weeks (setup)
Integration with scans | Manual CSV imports         | Automated connectors and normalised data
Board reporting        | Ad hoc charts and exports  | Scheduled dashboards and audit trail
Suitable for           | Small, one-off assessments | Recurring programme and regulated firms

Time budget: Expect 4 to 8 hours to assemble a minimal CSV template, 12 to 40 person hours to map CVEs to likelihood and impact scores, and 2 to 5 days if you integrate tooling.

Practical next step: Export a CMDB slice and a vulnerability scan CSV, then draft columns for asset, owner, CVE ID, likelihood 1 to 5, impact 1 to 5, aggregated risk, treatment and target date.

If you prefer expert help, see our Cyber Risk Assessment service or our Cyber Security Assessment service for a fuller review.


🔍 Step 1: Define scope, record assets and capture threats

Choose scope by business service or dataset and create a scoped asset register that lists asset name, owner, location, business impact category, and initial threat entries.

Include a single-line objective for the scope, for example: “Protect payroll processing service to a confidentiality and availability standard suitable for 10,000 employees.” After this, you should have a named owner for the scope and a timebox for discovery.

What to record in the template

Record these columns as a minimum: Asset identifier, asset type, owner, location, business service, business impact category, confidentiality/availability/integrity ratings, software versions, CVE IDs, threat scenario, likelihood score, impact score, aggregated risk score, proposed treatment, estimated cost and target completion date. A good cyber risk assessment template maps these columns to NIST Cybersecurity Framework (NIST), ISO 27001, National Cyber Security Centre (NCSC) guidance and UK GDPR so outputs plug straight into governance and regulator reporting.

Expected outcome: A scoped register with assigned owners and measurable risk scores ready for prioritisation.

Common pitfall: Over-scoping.

Fix: Split scope into business-service batches and enforce a 3 to 7 day discovery timebox per batch.

How to run discovery and capture threats

Extract the CMDB or existing asset inventory, run authenticated network discovery where possible, interview asset owners and ingest vulnerability feeds for known software. Use automated queries to pull software versions and CVE IDs, then surface the top 10 exposures by business impact. Prioritise identity and credential risks, which 2025 research shows are an established cause of breaches (IBM, 2025).

Include third-party components and SaaS dependencies as assets; Forrester research recommends including cyber risk ratings or an initial third-party scorecard in the template to speed decision making (Forrester, 2025).

Practical tip: Output the register as a filtered CSV and a pivoted workbook so owners can view their items only. After this step, you should be able to produce a ranked list of risks, each with an owner, treatment and completion date ready for the next step: Scoring and prioritisation.

🔢 Step 2: Assess likelihood, impact, score risks and set priorities


Use a repeatable likelihood multiplied by impact score, map the totals to priority tiers, and escalate High and Critical items for treatment and board review so the register drives action.

Scoring model and formula

Use three likelihood levels and four impact levels, convert them to numbers, and calculate a numeric risk score by multiplying likelihood by impact.

  • Define likelihood as 1 = Rare, 2 = Possible, 3 = Likely.
  • Define impact as 1 = Negligible, 2 = Minor, 3 = Major, 4 = Severe.
  • Calculate the risk score: Risk score = Likelihood score × Impact score.
  • Map totals to tiers: 1 to 3 = Low, 4 to 6 = Medium, 7 to 9 = High, 10 to 12 = Critical.

This arithmetic keeps scoring simple, repeatable, and auditable for board reporting.
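The scoring model above, run over a small register, as an added example (not code from the article or from CyPro). It uses the article's 3-level likelihood and 4-level impact scales and tier bands; the CSV rows, asset names and owners are constructed sample data. It validates inputs against the scale, scores and ranks every row, and pulls out the High and Critical rows that Step 2 says go to the executive risk committee.

```python
import csv
import io

# Constructed sample register (not from the article): the columns Step 2
# asks for, scored on the article's 3-level likelihood / 4-level impact scale.
SAMPLE_REGISTER_CSV = """asset,threat,likelihood,impact,owner
Payroll DB,Credential theft via phished admin account,3,4,HR Systems
Marketing site,Defacement via outdated CMS plugin,2,2,Web Team
File server,Ransomware via unpatched SMB service,3,3,IT Ops
Staff laptops,Loss or theft of unencrypted device,2,3,IT Ops
Intranet wiki,Accidental page deletion,1,1,Comms
"""

LIKELIHOOD_LABELS = {1: "Rare", 2: "Possible", 3: "Likely"}
IMPACT_LABELS = {1: "Negligible", 2: "Minor", 3: "Major", 4: "Severe"}

# Tier bands from the article. With a 3 x 4 scale the reachable products are
# 1, 2, 3, 4, 6, 8, 9 and 12, so some values inside the bands never occur.
TIER_BANDS = [(1, 3, "Low"), (4, 6, "Medium"), (7, 9, "High"), (10, 12, "Critical")]


def risk_score(likelihood, impact):
    """Risk score = Likelihood x Impact, after checking both inputs are on the scale."""
    if likelihood not in LIKELIHOOD_LABELS:
        raise ValueError(f"likelihood must be 1-3, got {likelihood!r}")
    if impact not in IMPACT_LABELS:
        raise ValueError(f"impact must be 1-4, got {impact!r}")
    return likelihood * impact


def tier_for(score):
    """Map a numeric score to its priority tier."""
    for low, high, name in TIER_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 1-12 range")


def score_register(csv_text):
    """Parse the register CSV, score every row and return rows ranked highest risk first."""
    scored = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        likelihood = int(row["likelihood"])
        impact = int(row["impact"])
        score = risk_score(likelihood, impact)
        scored.append({**row, "likelihood": likelihood, "impact": impact,
                       "score": score, "tier": tier_for(score)})
    # Highest score first; ties broken alphabetically by asset so the order is stable.
    scored.sort(key=lambda r: (-r["score"], r["asset"]))
    return scored


def escalation_list(scored_rows):
    """Rows the article sends to the executive risk committee: High and Critical tiers."""
    return [r for r in scored_rows if r["tier"] in ("High", "Critical")]


def export_scored_csv(scored_rows):
    """Write the ranked register back out with score and tier columns added."""
    out = io.StringIO()
    fields = ["asset", "threat", "likelihood", "impact", "score", "tier", "owner"]
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in scored_rows:
        writer.writerow({k: row[k] for k in fields})
    return out.getvalue()


if __name__ == "__main__":
    ranked = score_register(SAMPLE_REGISTER_CSV)
    print(export_scored_csv(ranked))
    for row in escalation_list(ranked):
        print(f"ESCALATE {row['asset']}: {row['tier']} ({row['score']}) -> {row['owner']}")
```

Because the scale is validated before multiplication, a typo such as a likelihood of 4 on the 3-level scale is rejected rather than silently inflating the score; that is the same guard the spreadsheet dropdowns provide.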

Translate impact into UK business metrics

Map each impact band to concrete UK metrics: Estimated financial loss, customer numbers affected, regulatory exposure under UK GDPR, and operational downtime.

For example: Major impact = probable data loss affecting ~10,000 customers or an estimated loss over £250,000, Severe = sustained outage over 24 hours plus regulatory notification likely.

Link the financial and notification columns to UK data protection triggers and the Information Commissioner’s Office guidance so your register supports compliance (ICO, 2025).

Calibration workshop

Run a 90-minute workshop with IT, legal, compliance and a business owner per asset class to align interpretations. Use three anonymised scored examples per asset class and a one-page cheat sheet that lists the numeric mapping and example incidents.

At CyPro, we run this session early to remove scoring variance, and we provide the cheat sheet as part of our Cyber Risk Assessment deliverable.

Prioritisation, owners and escalation

Export the scored register as CSV with these columns: Asset, threat, likelihood score, impact score, total score, tier, owner, recommended treatment, estimated cost, target date. Escalate all High and Critical rows to your executive risk committee within the next governance cycle, and review Medium items in the quarterly risk meeting. For assurance, cross-check priorities against national incident trends reported by the National Cyber Security Centre (NCSC, 2025).

If you need a ready workbook, our Cyber Security Consultants service supplies an editable cyber risk assessment template with prebuilt formulas and reporting tabs so you can score, prioritise and escalate in hours not weeks.

🔧 Step 3: Build the template, populate a worked example and hand it over


Create a spreadsheet or GRC view with validation, dropdowns and formula-driven risk scores, add one fully populated example row, save a user guide tab and hand over an editable file to owners.

Key Takeaway

Build a simple, validated spreadsheet with dropdowns and one worked example so owners can score and prioritise risks immediately.

Template structure

  • Define columns: Risk ID, Asset, Threat, Vulnerability, Likelihood (1-5), Impact (1-5), Inherent score, Controls, Residual score, Owner, Cost estimate, Target date, Status, Notes.
  • For a GRC tool, mirror these fields as required fields and set picklists for Likelihood, Impact and Status.

Include formula cells:

  • Inherent score = Likelihood × Impact.
  • Residual score = Inherent score × (1 – Control effectiveness), where Control effectiveness is a fraction from 0.00 to 1.00.

How to add validation and simple formulas

  • Configure cell validation and dropdowns for Likelihood and Impact using values 1 to 5 and labels (Rare, Unlikely, Possible, Likely, Almost certain).
  • Use this Excel formula for Inherent score: =C2*D2 where C is Likelihood and D is Impact.
  • For Control effectiveness, use a percentage dropdown and calculate the residual score: =E2*(1-F2), where E is the inherent score and F is Control effectiveness (0.00 to 1.00).
  • Protect formula cells but leave input cells editable.

Populate a worked example

Create one example row for a common issue, for example:

  • Externally exposed Remote Desktop Protocol (RDP)
  • Vulnerability: Outdated patch
  • Likelihood 4
  • Impact 5
  • Inherent 20
  • Controls: MFA and network ACLs
  • Control effectiveness 0.6
  • Residual 8
  • Owner: IT Ops
  • Target date: 30 days

The worked example shows how score changes when controls improve and how owners update status.
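The Step 3 formulas and the RDP example row as code, an added example that is not part of the article or CyPro's workbook. It reproduces the spreadsheet logic (Inherent = Likelihood × Impact, Residual = Inherent × (1 – Control effectiveness)) together with the range checks the dropdowns enforce, and shows how the residual score moves when control effectiveness improves. Likelihood labels are the article's; the 1 to 5 impact scale has no labels on the page, so none are assumed.

```python
# Picklist values from the article's validation step (1 to 5 with labels).
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
LEVEL_RANGE = range(1, 6)  # impact is also 1 to 5; the article gives no impact labels


def validate_level(value, field_name):
    """Reject anything outside the 1-5 picklist, mirroring spreadsheet cell validation."""
    if isinstance(value, bool) or not isinstance(value, int) or value not in LEVEL_RANGE:
        raise ValueError(f"{field_name} must be an integer from 1 to 5, got {value!r}")
    return value


def inherent_score(likelihood, impact):
    """Spreadsheet equivalent: =C2*D2 (C = Likelihood, D = Impact)."""
    return validate_level(likelihood, "Likelihood") * validate_level(impact, "Impact")


def residual_score(inherent, control_effectiveness):
    """Spreadsheet equivalent: =E2*(1-F2) (E = Inherent score, F = Control effectiveness)."""
    if not 0.0 <= control_effectiveness <= 1.0:
        raise ValueError(f"Control effectiveness must be 0.00 to 1.00, got {control_effectiveness!r}")
    # Rounded to two places so 20 * (1 - 0.6) reads as 8.0 rather than a float artefact.
    return round(inherent * (1 - control_effectiveness), 2)


def score_row(row):
    """Return the row with Inherent and Residual columns filled in."""
    inherent = inherent_score(row["likelihood"], row["impact"])
    residual = residual_score(inherent, row["control_effectiveness"])
    return {**row, "inherent": inherent, "residual": residual}


# The article's worked example row (constructed risk_id added for reference).
RDP_EXAMPLE_ROW = {
    "risk_id": "R-001",
    "asset": "Externally exposed Remote Desktop Protocol (RDP)",
    "vulnerability": "Outdated patch",
    "likelihood": 4,
    "impact": 5,
    "controls": "MFA and network ACLs",
    "control_effectiveness": 0.6,
    "owner": "IT Ops",
    "target_date": "30 days",
}


def residual_after_improvement(row, new_effectiveness):
    """Show how the residual changes when controls improve; the inherent score stays the same."""
    before = score_row(row)["residual"]
    after = score_row({**row, "control_effectiveness": new_effectiveness})["residual"]
    return before, after


if __name__ == "__main__":
    scored = score_row(RDP_EXAMPLE_ROW)
    print(f"Inherent {scored['inherent']}, residual {scored['residual']} "
          f"({LIKELIHOOD_LABELS[scored['likelihood']]} likelihood)")
    print("Residual before/after raising control effectiveness to 0.8:",
          residual_after_improvement(RDP_EXAMPLE_ROW, 0.8))
```

The `bool` check in `validate_level` matters because `True` is an `int` in Python and would otherwise pass as a likelihood of 1; it is the code equivalent of a picklist that refuses a stray checkbox value.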

Case Study: mid-market legal firm prioritised top 10 risks in two weeks

A UK legal firm, ~180 staff, needed a single view to hand to business owners and the board; they had disparate spreadsheets and no standard scoring.

We built a validated spreadsheet template, populated five representative rows, and aligned treatments and timelines with our Cyber Security as a Service and Cyber Security Roadmap offerings, handing over to owners with inline links to those services and to the IT Disaster Recovery Plan.

Outcome: Owners accepted the template, scored and returned the register, and the executive committee approved remediation funding for the top three risks within 14 days.

Hand-over checklist

Save the file as an editable master and a locked view for board reporting. Add a user guide tab with field definitions, scoring rules and an example row. Assign each owner edit rights and run a 30-minute walkthrough. After handover, export the register as CSV for import into ticketing or GRC systems.

Include external threat context when you hand over: Cite the frequency of nationally notable attacks and the ENISA threat trends so owners see the real-world basis for prioritisation (NCSC, 2025; ENISA threat environment 2025).


📋 Step 4: Assign owners, set cadence and operationalise the register

Assign named owners, deadlines and treatment types for every risk, and make the register a standing item in governance meetings so actions are tracked and decisions are visible.

Also, define updated SLAs, schedule a monthly triage and embed the register into IT change and incident response processes.

What to do

Assign one owner per row in the register, label the treatment type (Accept, Mitigate, Transfer, Avoid), set a numeric priority and a deadline, and add a short acceptance criteria line. Use a single column for the ticket or backlog ID that links to the remediation task.

How to do it

Configure the spreadsheet or GRC view so owners are selectable from a dropdown, deadlines trigger colour changes, and the ticket column contains a hyperlink to your ticketing system. Configure an automated weekly email to owners that lists overdue items. If you use a Security Operations Centre (SOC) ticket queue or Jira, map the ticket ID column so updates flow bi-directionally.

Expected outcome

After this step the register is a living operational tool: Every High and Critical risk has an owner, a timeboxed treatment, and a mapped ticket. Boards see a locked executive view and owners have edit rights to their rows only. This reduces friction when escalating to an executive risk committee.

Common pitfall and fix

A common pitfall is owners not updating progress. Fix this with executive-backed reporting that includes one-line monthly status, and provide a two-field update template: % complete and next action. If owners lack authority, escalate ownership to a manager who can allocate budget or change controls.

In our experience, linking risks to incidents and change records speeds remediation and clarifies accountability. For guidance on typical incident rates and national context, consult the NCSC Annual Review 2025 (NCSC, 2025) and IBM’s credential-theft analysis in the IBM X-Force Threat Index 2025. For services that help build operational registers and roadmaps see our Cyber Strategy and Roadmap and IT Disaster Recovery Plan services.


📊 How to measure success


The primary success measures are whether high risks are reduced, mean time to remediate falls, and an accurate asset inventory exists with owners and treatment dates.

Define measurable metrics

Set clear metrics: Percentage of High and Critical risks mitigated, mean time to remediate (MTTR), percentage of assets with an assigned owner, and inventory freshness. For each metric, assign an owner, a data source, and a reporting frequency. Include the cyber risk assessment template field names that feed these metrics so owners know which columns to update.

Targets and how to measure them

Use concrete targets: 90% of High risks mitigated within 90 days, MTTR for Critical incidents under 24 hours, 100% asset ownership for production systems, and inventory updated weekly. Pull evidence from ticketing systems, configuration management databases, and vulnerability scanners. For board reporting, aggregate the spreadsheet into a locked executive view and show trend lines for each metric.

Reporting cadence and templates

Report technical metrics monthly to the security operations owner and quarterly to the board. Produce two tables: A technical dashboard for owners and a one-page executive summary for non-technical directors. Use visual flags: Red for overdue, amber for at-risk, green for on-track. Link your quarterly board view to the authoritative evidence: Tickets, change logs and incident reports.

Common systemic pitfalls and signals to watch

Common failures include stale inventories, unowned risks, and metrics that are hard to verify. Watch these signals: Repeated re-opening of closed tickets, increasing time between inventory updates, and executive reports without linked evidence. If any High risk lacks an owner or a ticket, escalate immediately to the risk committee.
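The operational checks from Step 4 (overdue items grouped by owner for the weekly reminder, red/amber/green flags) and the measures from this section (percentage of High and Critical risks mitigated, percentage of rows with an owner, inventory freshness, and the "High risk with no owner or ticket" escalation signal) computed from one register, as an added example that is not the article's or CyPro's code. The register rows, dates, ticket IDs and the report date are constructed; the 14-day at-risk window is an assumption, since the article names the colours but not the threshold. MTTR is left out because it needs ticket close timestamps the sample register does not carry.

```python
import csv
import io
from datetime import date

# Constructed sample register (not from the article). Empty owner/ticket on
# R-003 is deliberate: it is the escalation signal the article describes.
SAMPLE_REGISTER_CSV = """risk_id,asset,tier,owner,ticket,status,target_date,last_updated
R-001,Payroll DB,Critical,HR Systems,SEC-101,Mitigated,2026-05-15,2026-05-10
R-002,File server,High,IT Ops,SEC-102,In progress,2026-05-20,2026-05-25
R-003,VPN gateway,High,,,Open,2026-06-20,2026-04-01
R-004,Staff laptops,Medium,IT Ops,SEC-104,In progress,2026-07-15,2026-06-01
R-005,Marketing site,Low,Web Team,SEC-105,Open,2026-08-01,2026-06-05
"""

REPORT_DATE = date(2026, 6, 10)   # constructed "today" so the report is reproducible
AT_RISK_WINDOW_DAYS = 14          # assumption: amber when due within two weeks
ESCALATION_TIERS = {"High", "Critical"}


def load_register(csv_text):
    """Parse the CSV and convert the two date columns to date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["target_date"] = date.fromisoformat(row["target_date"])
        row["last_updated"] = date.fromisoformat(row["last_updated"])
        rows.append(row)
    return rows


def rag_flag(row, today=REPORT_DATE):
    """Red = overdue, amber = due within the at-risk window, green = on track or mitigated."""
    if row["status"] == "Mitigated":
        return "green"
    days_left = (row["target_date"] - today).days
    if days_left < 0:
        return "red"
    if days_left <= AT_RISK_WINDOW_DAYS:
        return "amber"
    return "green"


def overdue_by_owner(rows, today=REPORT_DATE):
    """Group overdue, unmitigated rows by owner: the body of the weekly reminder email."""
    grouped = {}
    for row in rows:
        if rag_flag(row, today) == "red":
            grouped.setdefault(row["owner"] or "UNASSIGNED", []).append(row["risk_id"])
    return grouped


def escalation_signals(rows):
    """High/Critical rows with no owner or no ticket: escalate to the risk committee."""
    return [row["risk_id"] for row in rows
            if row["tier"] in ESCALATION_TIERS and (not row["owner"] or not row["ticket"])]


def success_metrics(rows, today=REPORT_DATE):
    """The measures the article names, computed straight from the register columns."""
    high = [r for r in rows if r["tier"] in ESCALATION_TIERS]
    mitigated = [r for r in high if r["status"] == "Mitigated"]
    owned = [r for r in rows if r["owner"]]
    # Freshness: days since the most recent row update; a rising value is a stale-inventory signal.
    freshness_days = (today - max(r["last_updated"] for r in rows)).days
    return {
        "pct_high_critical_mitigated": round(100 * len(mitigated) / len(high), 1) if high else 100.0,
        "pct_rows_with_owner": round(100 * len(owned) / len(rows), 1),
        "inventory_freshness_days": freshness_days,
        "overdue_count": sum(1 for r in rows if rag_flag(r, today) == "red"),
    }


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER_CSV)
    for row in register:
        print(row["risk_id"], row["tier"], rag_flag(row))
    print("Overdue by owner:", overdue_by_owner(register))
    print("Escalate (no owner or ticket):", escalation_signals(register))
    print("Metrics:", success_metrics(register))
```

Running this against a real CSV export is a matter of replacing `SAMPLE_REGISTER_CSV` with the file contents and `REPORT_DATE` with `date.today()`; the output of `overdue_by_owner` is the per-owner list the weekly email needs, and `success_metrics` gives the numbers for the monthly technical dashboard.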

Practical checklist and owners

Checklist: Map each metric to a spreadsheet column, automate pulls where possible, assign a monthly owner for each metric, and create a locked board view. Our approach often combines automated feeds from scanners with a manual weekly reconciliation to keep the register reliable. If you need outside help, engage our Cyber Security Consultants for templating and automation, or our Cyber Security as a Service team to run feeds and produce board reports.

Evidence-based metrics matter: Use threat and incident data when setting targets. The ENISA threat environment 2025 and IBM X-Force analysis help calibrate realistic targets for identity and ransomware risks (IBM X-Force, 2025).

❓ Frequently asked questions

How long does it take to build a usable cyber risk assessment template?

Typical effort: 2-5 working days of internal time for a scoped mid-market template, plus 1-3 consultancy days if you use external help. Time shortens if you have an asset inventory and recent vulnerability scans. If those prerequisites are missing, add 1-2 weeks to gather inputs and validate owners before you start scoring.

Does a cyber risk assessment template meet UK GDPR or NIS2 requirements?

Key fact: A template helps evidence risk identification and treatment but is not a compliance certificate for UK GDPR or NIS2. Use the register to record data processing risks, decisions and controls for an ICO or NIS2 audit. Where law or regulators require formal assessments, supplement the template with official reports and board-level sign-off.

What scoring model should I use for likelihood and impact?

Recommended model: A 1-5 or 1-4 numeric scale with clear definitions tied to business metrics such as revenue loss or days of downtime. Provide concrete examples for each score so scorers calibrate consistently. Map the top scores to mandatory escalation and a treatment Service Level Agreement so high-risk items receive tracked remediation.

Can I use a spreadsheet or should I buy a GRC tool?

Practical fact: Start with a spreadsheet for speed and transparency and move to a GRC tool when volume, processes or audit demands increase. GRC platforms automate evidence collection and reporting but need licence and admin effort. As a rule of thumb, evaluate a GRC tool once you exceed about 200 register rows or multiple teams update concurrently.

What if I do not have a current asset inventory?

Immediate step: Run a basic discovery using CMDB exports, network scans and owner interviews before scoring. Treat discovery as a separate short project, typically 1-2 weeks for a mid-market environment. Log the discovery gaps in the risk register as risks to be tracked so remediation and inventory completion are visible to stakeholders.

About the Author
Helen Adeyera

Cyber Security Consultant

  • MSci Computer Science
  • Cisco – Introduction to Cybersecurity
  • ISC2 – Certified in Cybersecurity
  • ISO 27001 Lead Implementer
  • Prince2

Helen holds an MSci in Computer Science from Coventry University. She is passionate about thinking critically and creatively to tackle real-world cyber security challenges. With expertise in secure system design and risk assessment, she is dedicated to helping organisations strengthen their defences against cyber threats.

With a background in information security and ethical hacking, Helen has a well-rounded understanding of the challenges businesses face in today’s digital world. She takes an analytical and proactive approach to identifying vulnerabilities and implementing effective security measures.

Helen is eager to contribute to innovative security solutions and help businesses navigate the digital risk landscape with confidence.

Published: Jun 10 - 2026