If the default ISMS Risks & Treatment plan does not fit your organisations own Risk Methodology, you can customise the risk map following the steps in this guide / the system, Otherwise our Support team can create a Custom Risk Map for you via our development team. This can then be applied to all existing and future Risk Maps created in your platform. Or, you can have it applied to a specific map.

The following can be customised in ISMS.online risk maps:

  • The number of impact and likelihood levels - for example, in the default ISO 27001 risk map, there are five levels
  • The scoring methodology (numbers on the risk map squares) - this can be:
     'Additive' (impact + likelihood):
    'Multiplicative' (impact x likelihood)
    'Sequential' where each position would have a unique number (1,2,3,4,5...):
  • The labels for impact and likelihood levels - for example, in the default ISO 27001 risk map, impact labels are: Insignificant, Minor, Moderate, Major, Severe
    The number of options available is linked to the grid size (i.e 4 x 4, 3 x 4 etc)
  • The colour levels for the map, and where those colours will go. The following colours are available for risk maps in ISMS.online:
    (Grey, Turquoise, Blue, Orange, Black, Brown, Yellow, Purple, Green, Red.)
    You'll start off with a blank map, and be asked to select the colour you want for the square:

    Please note that the colours should ideally run consecutively, as the system won't accept if the colours either side are the same, but the middle different. for example: if 1 and 3 are blue, the system won't allow 2 to be red.

  • The reminder period for each colour level - in the pre-configured ISMS Risks & Treatments map these are 1, 3, 6 and 12 months

There are two ways to request a risk map customisation depending on if you have already scored your risk map or not and these are as follows:

Customising a risk map within the platform

If you have a risk map where none of the risks have been scored, you can customise your risk map using the following steps:

1. Select the settings option on the top right of your risk map:

2. Scroll down to the 'Change colours, labels, size or review periods' and select 'configure risk map':

3. From here you should see all the options listed above and you should be able to go through all of these and customise your risk map to your specifications

You'll be able to make further adjustments in the system up until you score your first risks.

Requesting a Custom Risk Map Through Support

How to request a Custom Risk Map

If you have an existing risk map that has risks that have already been scored, you can request a risk map customisation through our support team. To request a custom Risk map, you can first create your desired risk map by completing the following steps:

1. Go to work, then all work:

2. Select 'Create New':

3. On the drop down menu, select 'Tool':

4. Select 'Create New' next to 'ISO 27001 Risk and Treatment Plan':

5. Go through the steps as outlined and create the risk map to the desired customisations.

6. Email us at support@isms.online with your desired specifications, the maps you would like customising as well as a link to the template risk map you have created. If you have a support user on the platform we will ask you to team us in to the tool.

Please Note:

While we do our best to ensure that any changes does not impact existing scoring / readings, some times we have no choice but to clear any existing readings from an existing risk map when applying the customisation.

We recommend taking an export of the risk map before any customisation work happens so you can attach the export to a control (e.g 6.1) to show the methodology before and after the customisation.

We would usually apply this customisation to all existing and future Risk Maps. Unless you would only like this required to a specific map, in which case please let us know which one.

As per all support requests, we will ensure this work is completed within 5 working days from receiving the required information. 

The above information will need to be reflected in '6.1 Risk assessment process' of your Policies and Controls Project.