1

Does anyone know of any good Risk Registers to start logging security risk that are found on the fly?

The problem that I am having is that we find so much in a day that things start to get lost in emails, and we tend to forget the risks that were found because of multiple fires.

schroeder
Sublime1914
  • That's not a document problem, that's a process problem. Also, why would you want to populate the risk register with things found on the fly? Shouldn't they be assessed before being entered in the risk register? – schroeder Jun 08 '18 at 19:51
  • What would you recommend to document risks on the fly to come back and assess later? – Sublime1914 Jun 12 '18 at 18:51
  • In the past, I've used ticketing systems. They are logged, can be reviewed and assigned, and create an audit trail of follow-up items. – schroeder Jun 12 '18 at 18:57

3 Answers

2

Something is wrong in your risk assessment process if you are finding new risks every day. It could also be that your risk identification was done at the wrong level of abstraction.

My guess is that you are doing this on a very low level and you should move up to understanding business impact. Risk is basically something of consequence that could go wrong. A technical vulnerability is not a risk. If you discover a new weakness in your webserver, that is a vulnerability and not a risk. The risk is, for example, that customer data could be stolen, or that your service could become unavailable.

If you view it like that, then discovering a new vulnerability would not create a new risk, it would affect the rating of an existing risk, and that is how it should be. So your server has more holes than you thought, that increases the potential frequency of loss, or whatever risk assessment method you are using (in FAIR, for example, it could reduce Resistance Strength).

Even if you uncover entirely new ways in which, say, personal data could be lost, the risk still is the loss of personal data. You just discovered a new attack path, not a new risk.

This doesn't directly answer your question, but it would solve your problem. I'm fairly certain that your existing Risk Register would serve you well enough if you thought of vulnerabilities as changing parameters in existing risks instead.

Tom
  • Thank you for that. A year later I do have a better understanding of what risk is. Looking at risk in terms of how a finding affects the business is definitely the right way to look at things. – Sublime1914 Sep 05 '19 at 17:22
  • My pleasure, especially glad that you came back after such a long time to give that feedback. I teach risk management regularly and people are always positive at the end, but rarely do they give feedback some time later when they could apply what they learnt. – Tom Sep 05 '19 at 20:31
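The modelling Tom describes above, as an added example that is not part of any answer: a register whose entries are business consequences, where a newly found vulnerability is attached to an existing risk and re-rates it rather than becoming a new entry. The 1..5 likelihood/impact scale, the severity bump and the ticket ids are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    ref: str          # ticket id from the tracking system (constructed)
    description: str
    severity: int     # 1 (low) .. 3 (high); assumed scale

@dataclass
class Risk:
    risk_id: str
    consequence: str       # what the business loses, not the technical weakness
    impact: int            # 1..5
    base_likelihood: int   # 1..5, assessed before any findings were attached
    findings: list = field(default_factory=list)

    def likelihood(self) -> int:
        # Each open finding raises likelihood by its severity, capped at 5.
        return min(5, self.base_likelihood + sum(f.severity for f in self.findings))

    def rating(self) -> int:
        return self.likelihood() * self.impact

def build_register(risks):
    return {r.risk_id: r for r in risks}

def log_finding(register, risk_id, finding):
    """Attach a finding to an existing risk and return the new rating.
    Unknown ids are rejected, so a technical weakness can never enter the
    register as a 'new risk'; it must first be mapped to a consequence."""
    if risk_id not in register:
        raise KeyError(f"{risk_id} is not a registered business risk; map the finding first")
    register[risk_id].findings.append(finding)
    return register[risk_id].rating()

def top_risks(register):
    return sorted(register.values(), key=lambda r: r.rating(), reverse=True)

# Constructed sample register.
REGISTER = build_register([
    Risk("R1", "Customer data stolen via the web application", impact=5, base_likelihood=2),
    Risk("R2", "Customer-facing service unavailable", impact=3, base_likelihood=2),
])

if __name__ == "__main__":
    before = REGISTER["R1"].rating()
    after = log_finding(REGISTER, "R1", Finding("TCK-101", "Missing input validation on search", 3))
    print(f"R1 rating {before} -> {after}; still {len(REGISTER)} risks in the register")
    for r in top_risks(REGISTER):
        print(r.risk_id, r.consequence, r.rating())
```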
2

The risk register is a document which helps you to understand the risks within your organisation and helps you plan out methods to resolve them. Often you find many documents on the internet which give you some results, but most of them are understood by very few people. As a result, the core issue, which is to resolve the risks, is lost, and most of the effort is directed towards understanding the risk register itself.

The risk register can be created by yourself, and custom suited to your organisation. When you create a register independently, you end up learning a lot more about the risks, and residual risks that can arise.

This is much better and will help you in your career and will also help your organisation. Of course, you can use ready-made formats, but make sure you suit it to the needs of your organisation.

Annex A of ISO 27001 will help you classify the risks into various groups and attend to them one after the other. Taking this as a reference, you need to understand the vulnerabilities in each group and find the controls that will patch them. This is what risk assessment and risk treatment are.

schroeder
Vikas
-1

On updating on the fly, if you are referring to real-time risk visibility and risk assignment on the go (proper assessment and mitigation actions to be followed within the risk management process), there are solutions available.

These solutions are categorized as GRC (Governance, Risk, Compliance) applications; the following diagram illustrates the functionality of such a platform:

[Diagram of GRC platform functionality omitted] Source: http://processgene.com/solutions/grc-software/

GRC solutions offer mechanisms to automate the workflow, which helps to reduce the cost and time required to maintain risk management. This helps to overcome the challenges of maintaining multiple Excel sheets, manual computations, etc.

Sayan