Security Program Management and Oversight · SY0-701 · Task 5.2

Risk register — SY0-701

Learn what a risk register is, how it differs from a risk assessment, and how it is tested on the CompTIA Security+ SY0-701 exam.

What it is

A risk register is a repository of risk information including the data understood about risks over time (NIST SP 800-221, NISTIR 8286, sourced from OMB Circular A-11). It is a living record — maintained at the organizational level — that documents identified risks, the decisions made about them, and the ongoing status of those decisions.

The record covers two broad categories of entries: risks that have been formally accepted, and risks that have documented remediation strategies, such as Plan of Action and Milestones (POA&M) entries (NISTIR 8170).

Mental model

Think of the risk register as the organizational memory for risk decisions. Risk management is a continuous process with four stages — establishing context, assessing risk, responding to risk, and monitoring risk (NIST SP 800-39). The risk register is the artifact that persists across all four stages. It captures what was found (assessment output), what was decided (response choice), and what the current state is (monitoring status). Without the register, those stages produce ephemeral results with no institutional continuity.

When to use it

The register is consulted or updated whenever a risk decision is made or reviewed. The table below contrasts it with the most closely confused concept:

Dimension | Risk register | Risk assessment
--- | --- | ---
What it is | A persistent repository of risk information over time | A process of identifying, estimating, and prioritizing risks
Primary artifact | A continuously maintained document or database | A report or set of findings produced at a point in time
Purpose | Track accepted risks and remediation status across the lifecycle | Produce the inputs (identified risks, likelihood, impact) that feed the register
Timing | Ongoing; updated as risks change or decisions are revisited | Periodic or event-driven; produces a snapshot
NIST grounding | "Repository of risk information … over time" (SP 800-221) | "Process of identifying risks … resulting from the operation of an information system" (SP 800-30 Rev. 1)

A risk assessment feeds the register; the register is not itself an assessment.

Common misconception

The trap: treating the risk register as a deliverable produced by a single risk assessment, rather than as an ongoing repository.

A risk assessment is a process that produces findings. Those findings are inputs that get recorded in the risk register — but the register outlives any single assessment. It accumulates entries over time, tracks the status of responses, and records which risks have been formally accepted. Candidates who conflate the two may answer questions about "where accepted risks are formally documented" by pointing to the assessment report. The NIST definition is explicit: the register is a repository of data over time, not a point-in-time output.

A related misconception is that a risk register only contains unresolved or active risks. Per NISTIR 8170, both formally accepted risks and those with documented remediation strategies appear in the register — both classes of decision are recorded, not just open items.
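The distinction drawn in the comparison above and in this section (assessments are point-in-time inputs; the register persists, and records both accepted risks and remediation status) can be made concrete with a small model. This is an added, constructed example, not NIST's register format or any product's; the field names, the "R-n" identifiers and the sample findings are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    likelihood: str                                 # qualitative rating, e.g. "High"
    impact: str
    response: str = "open"                          # "open", "accept" or "mitigate"
    milestones: list = field(default_factory=list)  # POA&M-style remediation tasks
    history: list = field(default_factory=list)     # (ISO date, event) records over time

@dataclass
class RiskRegister:
    """Constructed, illustrative register (not NIST's format or any product's): assessments are point-in-time inputs, entries persist."""
    entries: dict = field(default_factory=dict)
    def record_assessment(self, on: str, findings: list[dict]) -> None:
        """Ingest findings: update existing entries, add new ones, never drop old ones."""
        for f in findings:
            e = self.entries.setdefault(f["risk_id"], RiskEntry(f["risk_id"], f["description"], f["likelihood"], f["impact"]))
            e.likelihood, e.impact = f["likelihood"], f["impact"]
            e.history.append((on, f"assessed L={e.likelihood} I={e.impact}"))
    def accept(self, risk_id: str, on: str, approver: str) -> None:
        self.entries[risk_id].response = "accept"
        self.entries[risk_id].history.append((on, f"formally accepted by {approver}"))
    def plan_remediation(self, risk_id: str, on: str, tasks: list[str]) -> None:
        e = self.entries[risk_id]
        e.response, e.milestones = "mitigate", [{"task": t, "done": False} for t in tasks]
        e.history.append((on, f"remediation planned: {len(tasks)} milestones"))
    def complete_milestone(self, risk_id: str, on: str, task: str) -> None:
        for m in (m for m in self.entries[risk_id].milestones if m["task"] == task):
            m["done"] = True
            self.entries[risk_id].history.append((on, f"milestone done: {task}"))
    def accepted(self) -> list[str]:
        return sorted(r for r, e in self.entries.items() if e.response == "accept")
    def open_remediation(self) -> list[str]:
        return sorted(r for r, e in self.entries.items() if any(not m["done"] for m in e.milestones))

def build_sample_register() -> RiskRegister:
    reg = RiskRegister()  # two assessments feed one register; every entry outlives the assessment that found it
    reg.record_assessment("2024-01-15", [
        {"risk_id": "R-1", "description": "Legacy app on unsupported OS", "likelihood": "High", "impact": "Medium"},
        {"risk_id": "R-2", "description": "No MFA on VPN", "likelihood": "High", "impact": "High"}])
    reg.accept("R-1", "2024-02-01", "CISO")
    reg.plan_remediation("R-2", "2024-02-01", ["Pilot MFA", "Enforce MFA for all users"])
    reg.complete_milestone("R-2", "2024-05-10", "Pilot MFA")
    reg.record_assessment("2024-07-15", [  # second assessment: R-2 re-rated, R-3 newly found
        {"risk_id": "R-2", "description": "No MFA on VPN", "likelihood": "Medium", "impact": "High"},
        {"risk_id": "R-3", "description": "Unencrypted backups", "likelihood": "Medium", "impact": "High"}])
    return reg
```

After the second assessment the register still holds R-1 (accepted months earlier) and R-2's full remediation history, while neither assessment report on its own would show that continuity.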

How it shows up on the exam

Questions targeting this concept typically ask candidates to identify the correct artifact for a described scenario. The cognitive target is distinguishing the risk register from other risk management outputs — particularly from a risk assessment report or an isolated remediation plan.

Signal phrases to recognize in a question stem:

  • "formally documented and accepted" — points toward the register as the record of accepted risks
  • "track over time" or "ongoing status" — distinguishes the register (a persistent repository) from a point-in-time assessment
  • "where risks and their responses are recorded" — describes the register's function as a repository

Candidates who understand that risk management is a continuous process (NIST SP 800-39) — and that the register is the artifact maintaining continuity across that process — are well-positioned to distinguish it from adjacent concepts on scenario-based items.

Related concepts

  • Risk assessment — the process whose outputs (identified risks, likelihood, impact) are recorded in the register
  • Quantitative risk analysis — a method for estimating risk magnitude; its outputs may populate register fields
  • Qualitative risk analysis — an alternative analysis method whose categorical ratings also feed register entries

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
