If the default ISMS Risks & Treatment Plan doesn’t align with your organisation’s risk methodology, ISMS.online provides flexible options to customise your risk map. You can either adjust the configuration directly within the platform (for unscored maps), or contact our Support team to apply a tailored Risk Map—either platform-wide or to a specific instance.
What Can Be Customised?
You have full control over several elements of the risk map configuration, including:
- Impact and Likelihood Levels
Adjust the number of levels used to suit your framework. The default ISO 27001 map uses five.
- Scoring Methodology
Choose how scores are calculated:
  - Additive (Impact + Likelihood)
  - Multiplicative (Impact × Likelihood)
  - Sequential (each square assigned a unique value)
- Labels for Impact and Likelihood
You can customise the wording of each level. The default map uses:
Insignificant, Minor, Moderate, Major, Severe
- Grid Size
Grid dimensions (e.g. 3×4, 4×4) will affect the number of available levels.
- Colour Mapping
Choose from a range of colours: Grey, Turquoise, Blue, Orange, Black, Brown, Yellow, Purple, Green, Red.
Note: Colours must follow a consecutive pattern. The system does not allow non-sequential colour transitions (e.g. Blue > Red > Blue).
- Review Periods by Risk Level
Customise reminder intervals. The default map uses 1, 3, 6, and 12 months.
There are two ways to customise a risk map, depending on whether you have already scored it:
Customising an Unscored Risk Map (Self-Service)
If your risk map has not yet been scored, you can customise it directly in the platform.
Steps:
- Open the Risk Map you’d like to customise.
- Click the Settings icon in the top-right corner.
- Scroll to Change colours, labels, size or review periods, then select Configure risk map.
You’ll be able to update all available options.
Customisations can continue until the first risk is scored.
Requesting a Custom Risk Map via Support
If your map has already been scored, further changes must be handled by our Support team. Here’s how to request a customisation:
Step 1: Create a Template Risk Map
- Go to Work > All Work
- Click Create New
- From the dropdown, select Tool
- Choose ISO 27001 Risk and Treatment Plan
- Set up your desired configuration in the new template
Step 2: Send Your Request
Once your template is ready:
- Email support@isms.online with:
  - A link to the template map
  - A list of maps you’d like the configuration applied to
  - Details of any specific requirements
- If you have a support user, please team us into the tool
We’ll confirm and apply the customisation—either to all maps or to a specific one, depending on your request.
Important Notes
- While we aim to retain existing data, certain changes may require existing risk scores to be cleared.
- We recommend exporting your current map before any customisation takes place. This can be attached to a control (such as 6.1) to document your risk assessment methodology before and after changes.
- Custom risk map configurations are typically applied platform-wide unless you request otherwise.
- All customisation requests are completed within 5 working days from receipt of the necessary information.
- Ensure your customisation approach is reflected in the 6.1 Risk Assessment Process section of your Policies and Controls Project.