Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning System AccessCreating Departments and Assigning Users
Integrations
Discovery
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAIA
KAIA explainedPrinciples of AI at Kertos
Interacting with KAIA
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainingsGuidance
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs
Auto Checks
Auto Checks explainedAuto Checks: AWS Auto Checks: GCPAuto Checks: AzureEnabling Auto Checks by Reconfiguring the Azure IntegrationEnabling Auto Checks by Reconfiguring the GCP IntegrationEnabling Auto Checks by Reconfiguring the AWS Integration
AWS Auto Checks Detailed Explanations

Managing risks

The Risks section in Kertos enables organizations to identify, assess, treat, and document risks in a structured, compliant, and repeatable way. Whether you're aiming for compliance with ISO 27001, GDPR, or other frameworks, Kertos supports your efforts with intuitive tools like the Risk Matrix, predefined risk catalog, and automated control suggestions.

Purpose

 

Manually managing information security risks across different departments and frameworks is complex, error-prone, and difficult to scale. Without a centralized and consistent risk assessment approach, it’s easy to overlook threats, duplicate effort, or fall short of audit requirements. This can be solved using the “Risks” section of the Kertos platform.

Capabilities

 

  • Predefined Risk Templates: allow for quick risk creation and reduce manual entry
  • Risk Matrix: provides a visual overview that helps prioritize risks based on likelihood and impact.
  • Suggested Controls: offer automated recommendations based on risk context, making it easier to apply the right mitigations.
  • Ownership Assignment: enables clear accountability by assigning one or more responsible individuals to each risk.
  • Residual Risk Tracking: allows for reassessment after controls are applied, helping to evaluate treatment effectiveness.

How It Works
 

Risk Overview

 

 

On the Risk Overview page, you'll find the following sections:

  • Categories: Risks are grouped by context to help you navigate and manage them more easily.
  • Risk matrix: This visual tool maps risks based on two dimensions - Impact and Likelihood. Click on any square in the matrix or on a risk level name to filter the list to that severity level.
  • Overview: Displays a list of all added risks, along with key information about each. Clicking on any of the risks will open the Detail View for that risk.

 

Detail View

 

 

General
 

  • Title: The name of the risk.
  • Description: A detailed explanation of the risk.
  • Risk category: The context or area of the organization where the risk occurs.
  • Owners: The individuals responsible for managing the risk. These should be people who are operationally close to the risk’s context and capable of accurately assessing and addressing it.

 

Risk Description
 

  • Threats: What potential dangers could affect your company?
  • Vulnerabilities: What weaknesses could be exploited?
  • Damages: What consequences might arise if the vulnerabilities are exploited?

 

CIA Assessment

Specify which components of the CIA triad are affected by the risk (multiple selections allowed):

  • Confidentiality
  • Integrity
  • Availability
  • Authenticity (available only for clients with a DORA subscription, as required by the DORA regulation)

 

Risk Assessment
 

  • Likelihood: How likely is it that this risk will materialize? (Rated from 1 = Rare to 4 = Likely)
  • Impact: How severe would the consequences be? (Rated from 1 = Insignificant to 4 = Catastrophic)
  • Risk Score = Likelihood x Impact

 

Risk Treatment
 

  • Acceptance: Has the company decided to accept the risk?
    • If yes, no further treatment details are required.
    • If no, proceed to define the treatment mechanism.
  • Treatment Mechanism: Will the risk be avoided, mitigated, or transferred (e.g., through insurance)?
  • Treatment Description: A detailed explanation of how the risk is being addressed in your organization.

 

Applied Controls

This section allows you to link controls to the risk:

  • Click “Link controls” to open a window where you can select controls from various frameworks.
  • On the right-hand side, you’ll see “Suggested Controls” automatically recommended based on the characteristics of the risk.
  • You can either click “Link All Suggested” to quickly add all recommended controls or manually select specific ones and press “Link selected”.

 

Residual Risk
 

  • Re-assess the Likelihood and Impact of the risk after the treatment and controls have been applied. The scoring method remains the same as in the initial Risk Assessment.

Notes

  • Use this field to add any additional information or context relevant to the risk.

 

Documenting Risks

 

 

In the Risks tab, you can add and manage risks either by selecting predefined risks from the Catalog or by creating them manually. Both methods allow you to document key risk information and ensure a structured and compliant risk assessment process.

 

Adding risks from the Catalog

 

 

1. Select the category you want to add risks for.

2. Browse the list and preview any risk by clicking on it.

3. Select individual risks or use the checkbox at the top to select all.

4. Click “Add selected” to create these risks.

5. The added risks will appear in the overview.

 

Adding risks manually

 

 

1. On the overview page, click “Add Risk” in the top right corner.

2. You’ll be taken to the Detail View of a new, empty risk.

3. Fill out all required fields (as described in the Detail View section) and click “Save” when finished.

 

FAQs

 

How do I know which risks apply to my organization?

Start with the Risk Catalog for a curated list of common risks across categories. You can preview and select relevant ones, or ask KAIA for guidance if you’re unsure. It's also best practice to derive risks from your assets, assuming your asset inventory is complete.

What’s included when I add a risk from the catalog?

Catalog risks come with a predefined title, description, threats, vulnerabilities, and potential damages. You’ll still need to assign owners, complete the risk and CIA assessments, define treatment, and link applicable controls.

Can I edit catalog risks after adding them?

Yes. Once added, catalog risks behave like manually created ones - you can customize all fields to reflect your company’s specific context.

Do I need to include all controls immediately when creating a risk?

Not necessarily. Once a risk is added, open its Detail View and scroll down to the Applied Controls section. Click “Link Controls” to view expert-recommended controls. You can either apply them all using “Link all suggested” or pick specific ones to “Link selected.”

Is it better to assess risks before or after implementing controls?

You should assess risks based on your current situation, including any controls already in place. This gives an accurate picture of your security posture and helps measure control effectiveness.

Was this article helpful?

Powered by Product Fruits