ISORISK: Compliance Risk
An organisation-level risk register entry for ISO 27001 information security risks and ISO 9001 quality risks, with threat/vulnerability analysis, treatment planning, and residual risk tracking.
This is the ISORISK definition shipped with DemandFlow. Administrators can add, remove, rename, or re-type fields, change which ones are required, and alter the layout from the Definitions screen in Settings, so your tenant's current schema may differ from what is shown here. To read the current definition at any time, GET the DEFINITION object whose id matches ISORISK.
Entity properties
| Property | Value |
|---|---|
| Entity code | ISORISK |
| Display name | Compliance Risk |
| Plural | Compliance Risks |
| Level | 90070 |
Use cases
ISORISK is the organisation-level risk register required by ISO 27001 clause 6.1.2 (Information security risk assessment) and ISO 9001 clause 6.1 (Actions to address risks and opportunities). Unlike RISK (which is project-scoped via SUB|PJ), ISORISK lives at SUB level for enterprise-wide compliance risk management. The risk assessment follows ISO 27005 methodology: identify assets, threats, and vulnerabilities; assess likelihood and consequence; determine risk level; select treatment option; track residual risk.
Fields
Risk Identification
| Field | Type | Required | Notes |
|---|---|---|---|
| name | text | Yes | Risk Title. |
| riskRef | text | | Risk Reference. |
| category | enum | Yes | Valid ids: informationSecurity (Information Security), dataProtection (Data Protection / Privacy), compliance (Compliance / Regulatory), operational (Operational), technical (Technical), thirdParty (Third-Party / Supply Chain), quality (Quality), reputational (Reputational), financial (Financial), legal (Legal / Contractual). |
| status | enum | Yes | Valid ids: identified (Identified), assessing (Under Assessment), treating (Treatment In Progress), accepted (Accepted), monitoring (Monitoring), closed (Closed). |
| description | text (multi-line) | Yes | Risk Description. |
Threat & Vulnerability
| Field | Type | Required | Notes |
|---|---|---|---|
| threat | text (multi-line) | | What threat could exploit the vulnerability? |
| vulnerability | text (multi-line) | | What weakness could be exploited? |
| affectedAssets | text (multi-line) | | What information assets or processes are at risk? |
| isoClauseRef | text | | ISO Clause / Control Reference. |
Inherent Risk Assessment
| Field | Type | Required | Notes |
|---|---|---|---|
| likelihood | enum | Yes | Valid ids: rare (1 - Rare), unlikely (2 - Unlikely), possible (3 - Possible), likely (4 - Likely), almostCertain (5 - Almost Certain). |
| consequence | enum | Yes | Valid ids: insignificant (1 - Insignificant), minor (2 - Minor), moderate (3 - Moderate), major (4 - Major), catastrophic (5 - Catastrophic). |
| riskLevel | enum | Yes | Based on the likelihood × consequence matrix. Valid ids: low (Low), medium (Medium), high (High), critical (Critical). |
| riskOwner | reference → user | Yes | Risk Owner. |
| identifiedDate | date | | Date Identified. |
| nextReviewDate | date | | Next Review Date. |
Treatment (ISO 27001 6.1.3)
| Field | Type | Required | Notes |
|---|---|---|---|
| treatmentOption | enum | Yes | ISO 27001 clause 6.1.3 risk treatment options. Valid ids: mitigate (Mitigate / Reduce), accept (Accept), transfer (Transfer), avoid (Avoid). |
| treatmentPlan | text (multi-line) | | How will this risk be treated? |
| relatedControls | text (multi-line) | | ISO 27001 Annex A controls that address this risk. |
Residual Risk
| Field | Type | Required | Notes |
|---|---|---|---|
| residualLikelihood | enum | | Valid ids: rare (1 - Rare), unlikely (2 - Unlikely), possible (3 - Possible), likely (4 - Likely), almostCertain (5 - Almost Certain). |
| residualConsequence | enum | | Valid ids: insignificant (1 - Insignificant), minor (2 - Minor), moderate (3 - Moderate), major (4 - Major), catastrophic (5 - Catastrophic). |
| residualRiskLevel | enum | | Valid ids: low (Low), medium (Medium), high (High), critical (Critical). |
| riskAcceptedBy | reference → user | | Who formally accepted the residual risk? (ISO 27001 6.1.3(f)) |
| riskAcceptedDate | date | | Risk Acceptance Date. |
Cost & Impact
| Field | Type | Required | Notes |
|---|---|---|---|
| costImpact | number | | Potential Cost Impact. |
| treatmentCost | number | | Estimated cost of implementing the treatment plan. |
| treatmentNotes | text (multi-line) | | Treatment Notes. |
Additional panels
- Activity timeline panel attached.
Relationships
- Lookups: riskOwner points at a user; riskAcceptedBy points at a user.
- Related lists: AUDITACTION (format SUB|ISORISK).
Creating a Compliance Risk via the API
```http
POST /v1/objects
Authorization: Bearer <your-pat>
Content-Type: application/json

{
  "entity": "ISORISK",
  "level": 90070,
  "comboKey": "SUB:<your-sub-id>|ENT:",
  "name": "Example",
  "category": "informationSecurity",
  "status": "identified",
  "description": "..."
}
```
Listing Compliance Risks
```http
# All records in your tenant
GET /v1/entities/ISORISK/SUB:<your-sub-id>
```