Risk Register

Version 1.0 · Updated 1 July 2026

View on GitHub →

Risk Register

1. Purpose

This register records the information security risks identified through Fenn’s risk assessment process. It documents each risk’s scoring, treatment decision, and assigned owner. It is the primary evidence that Fenn has assessed and is managing its information security risks in accordance with ISO 27001:2022 and UK GDPR Art. 32.

2. How to Read This Register

Risks are scored using the methodology defined in FENN-POL-007. Likelihood and impact are each rated 1 to 5. Risk score equals likelihood multiplied by impact. Scores of 1 to 5 are Low, 6 to 12 are Medium, and 13 to 25 are High. Inherent risk is the score before controls are applied. Residual risk is the score after controls are applied.

3. Risk Register

IDRiskAssetCIAInh. LInh. IInh. ScoreRatingControlsAnnex ATreatmentRes. LRes. IRes. ScoreOwner
RR-001Ransomware or destructive malware encrypts or destroys Fenn infrastructurePlatform infrastructure, customer dataC, I, A3515HighEndpoint detection and response on all devices; immutable, encrypted backups; incident response plan (FENN-POL-003); security awareness training; patch managementA.8.7, A.8.13, A.8.16, A.5.26, A.6.3Mitigate2510Head of Security
RR-002Phishing or social engineering leads to credential compromiseEmployee accounts, Fenn systemsC, I4312MediumHardware security keys (Nitrokey 3) required for all staff; JumpCloud SSO; phishing awareness training; privileged access controls (FENN-POL-001)A.8.5, A.5.16, A.5.17, A.6.3, A.5.15Mitigate236Head of Security
RR-003Insider threat: employee or contractor accesses or exfiltrates data without authorizationCustomer data, employee data, Fenn systemsC, I248MediumLeast privilege access; JIT privileged access; quarterly access reviews; all privileged sessions logged; JML process (FENN-POL-001)A.5.15, A.8.2, A.8.5, A.8.15, A.5.18, A.6.5Mitigate144Head of Security
RR-004Cloud misconfiguration exposes Fenn systems or customer dataAWS infrastructure, customer dataC, A3412MediumAWS configuration reviewed against CIS benchmarks; IAM least privilege enforced; VPC architecture reviewed; changes follow documented change management processA.8.9, A.5.15, A.8.20, A.5.23, A.8.2Mitigate236CTO
RR-005Sub-processor breach exposes data Fenn has shared with a third-party vendorCustomer data, employee dataC248MediumVendor risk tiering (FENN-POL-004); DPAs in place with all sub-processors; sub-processor list maintained; contractual security requirements; right to auditA.5.19, A.5.20, A.5.22, A.5.31Mitigate144Head of Security
RR-006Software supply chain compromise introduces malicious code via a dependency or packagePlatform infrastructure, customer dataC, I, A248MediumDependency scanning; Dependabot alerts enabled; code review required before merge; software bill of materials maintainedA.5.21, A.8.25, A.8.29Mitigate236CTO
RR-007API authentication bypass allows unauthorized access to the Fenn platformPlatform infrastructure, customer data, employee dataC, I, A3515HighAPI authentication enforced on all endpoints; penetration testing; access logging via AWS CloudTrail and GuardDuty; application error alerting via Sentry; incident response plan (FENN-POL-003)A.8.5, A.8.3, A.8.16, A.8.20, A.5.26Mitigate248CTO
RR-008Insecure code deployed to production introduces exploitable vulnerabilityPlatform infrastructure, customer dataC, I, A3412MediumMandatory code review; staging environment required before production deployment; automated security testing in CI/CD pipeline; secure development trainingA.8.25, A.8.26, A.8.28, A.8.29Mitigate236CTO
RR-009Accidental data exposure during development or support activityCustomer data, employee dataC248MediumProduction data not used in development or testing environments; support access granted JIT and logged; access revoked on ticket closeA.8.3, A.5.15, A.8.33, A.8.5Mitigate144Head of Security
RR-010UK GDPR non-compliance leads to ICO investigation or enforcement actionCustomer data, employee dataC248MediumData retention policy (FENN-POL-005); DPA in place for all processor relationships; ICO registration maintained; DSAR procedure documented; privacy notice publishedA.5.31, A.5.34, A.5.33, A.8.12Mitigate144Head of Security
RR-011Customer loses their encryption key, rendering their farm data permanently unrecoverableCustomer dataC, A155LowAcceptance rationale: key loss risk disclosed in DPA and customer documentation; customers advised to maintain secure key backups; Fenn has no technical ability to recover customer keys by designA.8.24, A.8.13Accept155Head of Security
RR-012Total AWS London region failure causes platform unavailabilityPlatform infrastructureA144LowBCP defines recovery procedures for region-loss scenario (FENN-POL-006); UK-only backup held with separate provider; RTO up to 72 hours formally accepted; single-region architecture is a deliberate privacy commitmentA.8.14, A.5.29, A.5.30Accept144CTO
RR-013Lost or stolen laptop or mobile device exposes cached data or credentialsEmployee data, Fenn systemsC326MediumFenn-issued laptops only; full-disk encryption required; screen lock enforced; hardware keys required for authentication; lost or stolen devices reported to IT for immediate session revocation (FENN-POL-001)A.6.7, A.7.9, A.8.1, A.8.24Mitigate224Head of Security
RR-014Distributed denial-of-service attack renders the Fenn platform unavailablePlatform infrastructureA339MediumAWS Shield Standard (always-on, automatic); auto-scaling; monitoring and alerting via AWS; incident response plan (FENN-POL-003)A.8.6, A.8.16, A.8.20, A.5.26Mitigate236CTO

4. Review

This register is reviewed annually by the Head of Security. An out-of-cycle review is triggered by a significant change to Fenn’s systems, operations, or threat environment, or following any security incident rated P1 or P2 under FENN-POL-003.

  • FENN-POL-007: Risk Assessment and Treatment Methodology
  • FENN-POL-001: Access Control Policy
  • FENN-POL-003: Incident Response Plan
  • FENN-POL-004: Vendor Risk Management Policy
  • FENN-POL-005: Data Retention Policy
  • FENN-POL-006: Business Continuity Plan