Overview
The risk library is a curated catalog of common information security risks organized by category, framework, and industry. Instead of starting from scratch, you can browse the library and add relevant risks to your registers with pre-populated descriptions, suggested scores, and framework references.
Library vs. Custom Risks
LowerPlane distinguishes between two risk sources:
| Source | Description |
|---|---|
| Library | Pre-built risks from the LowerPlane risk catalog with industry-standard descriptions and scoring suggestions |
| Custom | Risks created directly in your registers, tailored to your specific environment |
Browsing the Library
Navigate to Risk > Risk Library to access the catalog. The library provides:
- Search — find risks by title, description, or keywords
- Category filter — filter by risk category (Data Privacy, Endpoint Security, Infrastructure, etc.)
- Framework filter — filter by applicable compliance framework (50+ frameworks available)
- Favorites — bookmark frequently used risks for quick access
Risk Template Properties
Each library entry includes:
| Field | Description |
|---|---|
| Title | Concise name of the risk |
| Description | Detailed explanation of the risk scenario, threat actors, and potential consequences |
| Category | Risk category classification |
| Framework | Applicable compliance frameworks |
| Industry | Industries where this risk is most relevant |
| Likelihood | Suggested likelihood score (1-5) |
| Impact | Suggested impact score (1-5) |
| Risk Score | Calculated score (likelihood × impact) |
| CIA Category | Confidentiality, Integrity, or Availability classification |
| Controls | Suggested controls for mitigation |
| Mitigation | Recommended mitigation strategy |
| References | External references and standards |
Adding Library Risks to Your Register
Browse and Select
Navigate to the risk library and find the risk you want to add. Use search and filters to narrow the catalog.
Select Target Register
Choose which risk register should receive the risk. If you have multiple registers, select the most appropriate one.
Risk Categories in the Library
The library covers risks across all major information security domains:
AI & Machine Learning
Model poisoning, training data leakage, adversarial attacks, bias in decision systems.
Data Privacy
Unauthorized access, consent violations, data subject request failures, cross-border transfer issues.
Data Protection
Encryption failures, backup gaps, data loss, retention policy violations.
Endpoint Security
Malware infections, unpatched systems, stolen devices, unauthorized software.
Identity & Access
Credential compromise, privilege escalation, orphaned accounts, weak authentication.
Infrastructure
Server outages, configuration drift, capacity exhaustion, single points of failure.
Network & Perimeter
DDoS attacks, firewall misconfiguration, unauthorized network access, DNS hijacking.
SDLC & DevOps
Insecure code, supply chain attacks, secrets in repositories, deployment failures.
Vendor Management
Third-party breach, vendor non-compliance, subprocessor risk, contract gaps.
Framework Coverage
Library risks are tagged with the compliance frameworks they relate to:
| Framework | Coverage |
|---|---|
| ISO 27001 | Risks mapped to Annex A controls |
| SOC 2 | Risks mapped to Trust Services Criteria |
| HIPAA | Risks specific to healthcare and PHI protection |
| GDPR | Risks related to data protection and privacy rights |
| PCI-DSS | Risks involving payment card data and cardholder environments |
Creating Custom Templates
If the pre-built library does not include a risk specific to your environment, you can create custom risk templates.
Define the Template
Fill in all template fields: title, description, category, framework mappings, industry tags, suggested scores, CIA category, and mitigation guidance.
Editing and Deleting Custom Templates
Custom templates can be edited or deleted at any time. Editing a custom template does not affect risks that were previously added to registers from that template — the register copy is independent.
Pre-built library risks cannot be edited or deleted. Only custom templates support modification.
Usage Tracking
The library tracks how many times each risk template has been added to registers across your organization. This usage count helps identify which risks are most commonly relevant and can guide your risk assessment priorities.
Favorites
Mark frequently used risk templates as favorites for quick access. Favorites appear at the top of the library when the favorites filter is enabled.
Importing and Exporting
- Import — upload risk templates from a CSV file to bulk-populate your custom library
- Export — download the library (or filtered subset) as a CSV for offline review or sharing with stakeholders
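As an added example (not LowerPlane's own code; the CSV column names and the `;` framework separator are assumptions, since the page does not document the import format), a Python validator for a custom-template CSV that rejects rows with out-of-range scores or an invalid CIA category, computes Risk Score as likelihood × impact from the property table above, and applies a framework filter to the imported set:

```python
import csv
import io

# Constructed sample CSV; column names are assumed, not LowerPlane's actual import schema.
SAMPLE_CSV = """Title,Description,Category,Framework,Likelihood,Impact,CIA Category
Secrets in repositories,API keys committed to source control,SDLC & DevOps,ISO 27001;SOC 2,4,4,Confidentiality
Orphaned accounts,Accounts of departed staff remain active,Identity & Access,SOC 2;HIPAA,3,4,Confidentiality
Bad row,Impact out of range,Infrastructure,ISO 27001,2,7,Availability
"""

CIA_VALUES = {"Confidentiality", "Integrity", "Availability"}
REQUIRED = ("Title", "Description", "Category", "Framework", "Likelihood", "Impact", "CIA Category")

def validate_row(row):
    """Return a list of problems with one template row (empty list means valid)."""
    problems = []
    for field in REQUIRED:
        if not (row.get(field) or "").strip():
            problems.append(f"missing {field}")
    for field in ("Likelihood", "Impact"):
        value = row.get(field, "")
        if not value.isdigit() or not 1 <= int(value) <= 5:  # suggested scores are 1-5
            problems.append(f"{field} must be an integer 1-5, got {value!r}")
    if row.get("CIA Category") not in CIA_VALUES:
        problems.append(f"CIA Category must be one of {sorted(CIA_VALUES)}")
    return problems

def load_templates(csv_text):
    """Parse CSV text; return (valid templates with computed Risk Score, rejected rows with reasons)."""
    valid, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):  # line 1 is the header
        problems = validate_row(row)
        if problems:
            rejected.append((line_no, problems))
            continue
        template = dict(row)
        template["Likelihood"] = int(row["Likelihood"])
        template["Impact"] = int(row["Impact"])
        template["Risk Score"] = template["Likelihood"] * template["Impact"]  # likelihood x impact
        template["Frameworks"] = [f.strip() for f in row["Framework"].split(";")]  # ';' separator assumed
        valid.append(template)
    return valid, rejected

def filter_by_framework(templates, framework):
    """Mimic the library's framework filter on the imported set."""
    return [t for t in templates if framework in t["Frameworks"]]
```

Running `load_templates(SAMPLE_CSV)` accepts the first two rows (scores 16 and 12) and rejects line 4 because its Impact of 7 is outside the 1-5 range; `filter_by_framework(valid, "HIPAA")` then returns only the orphaned-accounts template.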
Best Practices
- Start with the library when building a new risk register — it provides a solid foundation of industry-standard risks
- Customize every added risk to reflect your specific context — generic descriptions and scores are less useful to auditors
- Create custom templates for risks unique to your industry, technology stack, or business model
- Review the library quarterly — LowerPlane may add new risks based on emerging threats
- Use framework filters when building a framework-specific risk register (e.g., filter by HIPAA when building a healthcare risk register)
- Favorite your most relevant risks to speed up future risk assessments
- Track usage counts to understand which risks are most prevalent across your organization