What a Security Risk Assessment Template Should Include


A blank page is the hardest place to start a security risk assessment. A good security risk assessment template solves that problem. It gives a consistent structure for recording threats, vulnerabilities, risk ratings and treatments, so that the assessment is repeatable, comparable over time, and defensible to a board or a regulator. Used well, a template speeds the work up. Used badly, it turns a thinking exercise into a box-ticking one.

This guide sets out what a security risk assessment template should contain, how each field maps to the AS ISO 31000:2018 risk management process [1], and the common mistakes that make a template misleading rather than useful.

Key takeaways

  • A security risk assessment template is a structured register for recording assets, threats, vulnerabilities, existing controls, risk ratings and treatments in one place.
  • The fields should map to the AS ISO 31000:2018 process, with security-specific guidance drawn from SA HB 167:2025.
  • A risk rating comes from combining likelihood and consequence, usually on a matrix agreed before the assessment begins.
  • A template is a starting structure, not a substitute for analysis. The judgement about what is credible and what matters is the assessment.
  • The output should be readable by both an executive deciding on investment and the staff who will carry out the treatments.

What is a security risk assessment template?

A security risk assessment template is a pre-set structure, usually a table or register, for capturing the results of a security risk assessment in a consistent way. Each row records a single risk: the asset at stake, the threat to it, the vulnerability that threat could exploit, the controls already in place, a likelihood and consequence rating, the resulting risk level, and the treatment that will reduce it.

The point of a template is consistency. When every risk is recorded the same way, an organisation can compare risks against each other, track them as they change, and show how a security decision was reached. That record is what makes an assessment defensible if it is later questioned by a board, an auditor, an insurer or a regulator.

A template is not the assessment itself. It is the container. The value lies in the analysis that fills it, which is why the same template can produce a sound assessment in experienced hands and a misleading one in a hurry.

What fields should a security risk assessment template include?

A practical security risk assessment template records each risk as a row, with columns that follow the risk management process from end to end. The core fields are:

  • Asset or function. What is being protected, for example a data centre, a cash office, a public foyer, or a critical business process.
  • Threat source. Who or what could cause harm, for example an intruder, a disgruntled insider, an activist group, or an opportunistic offender.
  • Threat event or scenario. The specific way harm could occur, for example forced entry after hours, theft of an asset, or unauthorised access to a restricted area.
  • Existing controls. The measures already in place, for example access control, CCTV, security patrols, or screening procedures.
  • Vulnerability. The weakness that the threat could exploit despite those controls.
  • Likelihood. A rating of how likely the scenario is, against an agreed scale.
  • Consequence. A rating of how serious the impact would be, against an agreed scale.
  • Risk rating. The combined result of likelihood and consequence, usually read from a risk matrix.
  • Risk owner. The person accountable for the risk and its treatment.
  • Treatment or recommendation. The action proposed to reduce the risk, whether that is a new control, an improvement to an existing one, or an accepted risk.
  • Target or residual risk. The rating the risk is expected to reach once the treatment is in place.
  • Priority and timeframe. How urgent the treatment is and when it is due.

Recording all of these in one place is what turns a list of worries into a register an executive can act on.

How does the template align to AS ISO 31000:2018?

The fields above are not arbitrary. They follow the risk management process set out in AS ISO 31000:2018, Risk management — Guidelines, which is the current Australian standard [1]. The asset and context fields reflect the standard’s first step of establishing the scope, context and criteria. The threat, vulnerability and existing-control fields support risk identification. The likelihood, consequence and risk-rating fields are risk analysis and evaluation. The treatment, owner, residual-risk and priority fields are risk treatment.

For security specifically, the Standards Australia handbook SA HB 167:2025, Managing Security-Related Risks, applies the AS ISO 31000:2018 process to security risk, with guidance on threat and vulnerability assessment techniques [2]. A template built around these two documents keeps an assessment aligned to recognised practice rather than to one consultant’s personal format.

How do you rate a risk on the template?

A risk rating is not a single number that exists on its own. It is the product of two judgements: how likely the scenario is, and how serious it would be if it happened. Most templates use a matrix, often five by five, that defines in advance what each likelihood and consequence level means and what colour or rating their combination produces.

The discipline that matters is agreeing the scales before the assessment starts. If likelihood and consequence are defined consistently, two assessors looking at the same site should reach similar ratings, and the organisation can compare a risk in one location against a risk in another. If the scales are vague, the ratings become opinion dressed up as measurement.

A worked example shows how a single row comes together. Suppose the asset is an after-hours loading dock, the threat is an opportunistic intruder, and the vulnerability is a service door that is often propped open. The existing controls are perimeter fencing and CCTV. An assessor might rate the likelihood as possible and the consequence as moderate, giving a medium risk. The treatment might be a self-closing door with an alarm on prolonged opening, which lowers the likelihood and brings the residual risk down to low. That single row records the whole chain of reasoning.

What are the common mistakes with a security risk assessment template?

A template makes an assessment faster, but it can also make a poor assessment look professional. The most common mistakes are:

  • Treating the template as a checklist. Filling every row without testing whether each control actually works produces a tidy document and a false sense of security.
  • Rating risks without agreed scales. If likelihood and consequence are not defined, the ratings cannot be compared or defended.
  • Listing controls that exist on paper. A control that is present but not maintained or followed is a vulnerability, not a strength.
  • Copying a generic register. A template from another organisation or sector will list threats that do not apply and miss the ones that do.
  • Stopping at the rating. A risk rating with no owner, treatment or timeframe is an observation, not a decision.
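The register fields listed earlier, the matrix rating described in the worked loading-dock example, and the mistakes above can all be expressed as a small register model with automated checks. The following is an added example written for this guide; it is not Agilient's tool and not part of either standard. The five-level scale names, the matrix bands, the field names, the "verified" flag on each control and the two sample rows are all assumptions constructed for illustration, and an organisation would substitute the scales and matrix it agreed before its own assessment.

```python
"""Risk register model with an agreed 5x5 matrix and register checks.

Added example (not from the original article). Scale names, matrix bands,
field names and the sample rows are assumptions constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Agreed scales: fixed before the assessment begins, so two assessors rate alike.
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]
CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Severe"]
RATING_ORDER = ["Low", "Medium", "High", "Extreme"]

# Assumed 5x5 matrix: row = likelihood, column = consequence (same order as above).
MATRIX = {
    "Rare":           ["Low",    "Low",    "Low",    "Medium",  "Medium"],
    "Unlikely":       ["Low",    "Low",    "Low",    "Medium",  "High"],
    "Possible":       ["Low",    "Low",    "Medium", "High",    "High"],
    "Likely":         ["Low",    "Medium", "High",   "High",    "Extreme"],
    "Almost certain": ["Medium", "Medium", "High",   "Extreme", "Extreme"],
}


def rate(likelihood: str, consequence: str) -> str:
    """Read the agreed matrix. A value off the scale is an error, not a guess."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood {likelihood!r} is not on the agreed scale")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence {consequence!r} is not on the agreed scale")
    return MATRIX[likelihood][CONSEQUENCE.index(consequence)]


@dataclass
class Control:
    name: str
    verified: bool  # True only if the assessor confirmed it is maintained and followed


@dataclass
class RiskRow:
    """One register row, with the fields the article lists."""
    asset: str
    threat_source: str
    scenario: str
    existing_controls: list[Control]
    vulnerability: str
    likelihood: str
    consequence: str
    owner: Optional[str] = None
    treatment: Optional[str] = None
    residual_likelihood: Optional[str] = None
    residual_consequence: Optional[str] = None
    priority: Optional[str] = None
    due: Optional[str] = None

    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)

    def residual_rating(self) -> Optional[str]:
        if self.residual_likelihood is None or self.residual_consequence is None:
            return None
        return rate(self.residual_likelihood, self.residual_consequence)


def check_row(row: RiskRow) -> list[str]:
    """Findings for the common template mistakes: paper controls, no decision."""
    findings = []
    for control in row.existing_controls:
        if not control.verified:  # present on paper is a vulnerability, not a strength
            findings.append(f"control '{control.name}' not verified as working")
    for name in ("owner", "treatment", "due"):  # a rating alone is an observation
        if not getattr(row, name):
            findings.append(f"missing {name}")
    residual = row.residual_rating()
    if row.treatment and residual is None:
        findings.append("treatment proposed but no residual rating recorded")
    if residual and RATING_ORDER.index(residual) > RATING_ORDER.index(row.rating()):
        findings.append("residual rating higher than current rating")
    return findings


def prioritise(register: list[RiskRow]) -> list[RiskRow]:
    """Highest current rating first, so the reader sees what matters most."""
    return sorted(register, key=lambda r: RATING_ORDER.index(r.rating()), reverse=True)


# Constructed sample register: the article's loading-dock row plus an incomplete row.
LOADING_DOCK = RiskRow(
    asset="After-hours loading dock", threat_source="Opportunistic intruder",
    scenario="Entry through the service door after hours",
    existing_controls=[Control("Perimeter fencing", True), Control("CCTV", True)],
    vulnerability="Service door often propped open",
    likelihood="Possible", consequence="Moderate",
    owner="Facilities manager",
    treatment="Self-closing door with alarm on prolonged opening",
    residual_likelihood="Unlikely", residual_consequence="Moderate",
    priority="Medium", due="Q3 (placeholder)",
)
INCOMPLETE = RiskRow(
    asset="Cash office", threat_source="Disgruntled insider",
    scenario="Removal of cash during the end-of-day count",
    existing_controls=[Control("Dual-control count procedure", False)],
    vulnerability="Procedure not followed when short-staffed",
    likelihood="Likely", consequence="Major",
)

if __name__ == "__main__":
    for row in prioritise([LOADING_DOCK, INCOMPLETE]):
        print(row.asset, row.rating(), row.residual_rating(), check_row(row))
```

Run as a script, the loading-dock row rates Medium with a residual of Low and produces no findings, while the cash-office row rates High and is flagged for an unverified control and a missing owner, treatment and timeframe. The point of `rate` refusing an off-scale value is the article's discipline of agreeing scales first: a rating the matrix cannot produce should fail loudly rather than become an opinion dressed as measurement.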

A template is a tool for thinking clearly, not a way to avoid thinking. The judgement about what is credible, what is already covered, and what matters most is the assessment, and it is where an experienced assessor earns their place.

How Agilient can assist

Agilient provides independent, vendor-neutral security risk assessment consultants who conduct assessments to AS ISO 31000:2018 and SA HB 167:2025. Rather than handing over a blank template, Agilient runs the assessment with the organisation, tests whether existing controls work, and delivers a register and report that an executive can act on and that staff can implement. Where the assessment finds a control gap, an independent security audit can confirm whether the wider control set is operating as intended, and the approach connects to the broader discipline of security risk management.

Agilient works across government, healthcare, aviation, defence and critical infrastructure, in Sydney, Melbourne, Brisbane, Adelaide and Canberra.

Request a security risk assessment or book a short briefing to talk through the right starting point for your organisation.

Frequently asked questions

What is a security risk assessment template?

A security risk assessment template is a structured register, usually a table, for recording each risk in a consistent way: the asset, the threat, the vulnerability, the existing controls, a likelihood and consequence rating, the resulting risk level, and the treatment. It gives an assessment a repeatable structure that can be compared over time and defended to a board or regulator.

What should a security risk assessment template include?

It should include the asset or function at stake, the threat source and scenario, existing controls, the vulnerability, likelihood and consequence ratings, the combined risk rating, the risk owner, the recommended treatment, the target or residual risk, and a priority and timeframe.

Which standard should a security risk assessment template follow?

It should follow AS ISO 31000:2018, Risk management — Guidelines, the current Australian standard, with security-specific guidance from SA HB 167:2025, Managing Security-Related Risks.

Is a free security risk assessment template enough?

A template provides a starting structure, but it does not perform the analysis. The judgement about which threats are credible, whether controls actually work, and which risks matter most is the assessment, and that is the part that protects the organisation.

How is a risk rated on the template?

A risk is rated by combining its likelihood and its consequence, usually on a matrix agreed before the assessment begins. Agreeing the scales in advance is what makes the ratings consistent and comparable.

References

  1. Standards Australia, AS ISO 31000:2018 Risk management — Guidelines, standards.org.au
  2. Standards Australia, SA HB 167:2025 Managing Security-Related Risks, standards.org.au