Toolkit 5 - Unified AI & Security Risk System

One risk register for information security and AI lifecycle risks. Replace fragmented ISMS and AI risk spreadsheets with a single governance-ready register, unified scoring method, and audit-traceable evidence hooks.

Built on the Build Once. Comply Twice.™ principle - one risk method, one scoring scale, one evidence spine that works across both ISO 27001 and ISO/IEC 42001.

Designed for organisations that already run an ISMS risk process and need AI risk integrated properly.

Available now

Instant digital download
21 artefacts. No subscription. One-off purchase.
£499 inc. VAT

  • Secure checkout via Lemon Squeezy
  • Instant delivery to your email
  • 7-day refund policy
  • Your governance data stays with you

Outputs may be shared with auditors, customers, regulators, and advisers for assurance.


After using this toolkit you will have

  • One risk register for security and AI risks - no parallel processes, no competing registers
  • Consistent 1-5 scoring across InfoSec and AI lifecycle risks with a clear Low / Medium / High / Critical banding
  • AI system inventory with ownership, classification, lifecycle stage, and evidence linkage
  • AISIA artefacts demonstrating proportionate impact assessment for each AI system
  • Lifecycle evidence across design, development, validation, deployment, monitoring, and retirement
  • A clean audit trail: every risk entry links to evidence, every AI system links to its assessment and treatment

Designed for

  • Organisations already running an ISMS risk process that need AI risk integrated properly
  • Risk owners and governance leads who need repeatable, defensible assessments
  • Internal audit teams needing traceability from risk to controls to evidence
  • GRC, InfoSec, and AI governance leads
  • Teams consolidating multiple risk registers and AI governance spreadsheets

What this replaces

Most organisations running an ISMS have an established risk register. When AI governance requirements arrive, the typical response is to create a separate AI risk spreadsheet alongside it.

The result is two registers with different scoring scales, different owners, different evidence expectations, and no clean narrative connecting them at audit.

This toolkit replaces that with one unified risk architecture: the same 1-5 scoring model, the same treatment framework, and evidence hooks that trace from any risk entry back to a physical artefact in your evidence library.

The risk scoring model covers six categories:

  • InfoSec
  • AI Lifecycle (bias, drift, misuse, model failure, performance degradation)
  • AI Ethics (transparency, fairness, contestability)
  • AI Transparency
  • Supplier (third-party AI tools and embedded AI features)
  • Operational

It is not a certification scheme and does not guarantee certification outcomes. It supports practical governance and audit-ready evidence across both standards.

How it works

Run the risk process (first pass)

  1. Open the Unified Risk Register and review the HOME tab - scoring model, categories, and navigation
  2. Register AI systems in the AI System Register tab
  3. Run AISIA Short Form triage for each AI system to establish initial risk bands
  4. For High-risk systems, complete the AISIA Long Form
  5. Enter risk entries in the Risk Register with scores, owners, and evidence IDs
  6. Complete treatment plans in the Risk Treatment Plan tab
  7. Export the Risk Summary and Audit Pack tabs for stakeholder reporting

Ongoing operations

  • Update lifecycle stage tracking as systems progress through design to retirement
  • Complete lifecycle templates at each stage to capture evidence and approvals
  • Review Risk Heatmap monthly to track position and spot emerging risks
  • Complete Model Cards for AI systems requiring documentation
  • Use Export tabs for governance committee reporting and audit preparation

Everything included - 21 files

Contents at a glance: 5 guides and reference sheets, 2 risk and inventory workbooks, 2 AISIA assessment forms, 6 AI lifecycle phase templates, 4 model documentation templates, 2 version control assets.

A complete operational risk and governance system - not just a risk register template. File formats follow the go-live delivery manifest.

Read-only guides

  1. Start Here - Toolkit 5 PDF
    Orientation guide and file sequence.
  2. Product Master Guide - Toolkit 5 PDF
    Full customer guide for implementing the risk system.
  3. Quickstart - 60 Minutes - Toolkit 5 PDF
    Timed implementation guide for the first working session.
  4. Auditor Orientation Sheet - Toolkit 5 PDF
    Read-only briefing for audit and assurance stakeholders.
  5. Licensing Terms - Toolkit 5 PDF
    Read-only licence and permitted-use reference.

Risk workbooks

  1. Unified Risk Register XLSX
    Master risk log with unified scoring, treatment tracking, heatmap and audit-ready exports.
  2. AI Inventory Workbook XLSX
    AI system register with model metadata, supplier mapping, data lineage and lifecycle dashboard.

Assessment forms

  1. AISIA Short Form DOCX
    Rapid triage tool for proportionate AI system impact assessment.
  2. AISIA Long Form DOCX
    Full weighted assessment for higher-risk AI systems.

Lifecycle templates - Design through Retirement

  1. Lifecycle 01 - Design Phase DOCX
    Editable design-stage lifecycle template.
  2. Lifecycle 02 - Development Phase DOCX
    Editable development-stage lifecycle template.
  3. Lifecycle 03 - Validation and Testing DOCX
    Editable validation and testing lifecycle template.
  4. Lifecycle 04 - Deployment and Release DOCX
    Editable deployment and release lifecycle template.
  5. Lifecycle 05 - Monitoring and Drift Management DOCX
    Editable monitoring and drift management lifecycle template.
  6. Lifecycle 06 - Retirement and Decommissioning DOCX
    Editable retirement and decommissioning lifecycle template.

Model documentation and controls

  1. Model Card Short Form DOCX
    Concise model documentation for lower and medium-risk systems.
  2. Model Card Long Form DOCX
    Full model documentation for higher-risk systems.
  3. Metadata Block Horizontal DOCX
    Editable horizontal metadata block.
  4. Metadata Block Vertical DOCX
    Editable vertical metadata block.
  5. Version Control Embedded DOCX
    Embedded version control block for templates.
  6. Version Control Standalone DOCX
    Standalone version control template.

Sample preview slice

This preview describes the output structure without exposing the scoring method, workbook mechanics or implementation engine.

  • Unified risk register view with owners, treatment status, review cadence and evidence IDs.
  • AISIA short-form route showing proportionate escalation from intake to risk treatment.
  • Model-card and lifecycle evidence hooks that connect risk decisions to the evidence spine.

Outputs and evidence you can generate

  • A unified risk register with consistent scoring rationale across security and AI
  • Treatment plans with owners, deadlines, and implementation status
  • Residual risk visibility and review cadence evidence
  • AISIA artefacts demonstrating proportionate AI impact assessment
  • Lifecycle evidence across design, development, validation, deployment, monitoring, and retirement
  • Model documentation (model cards) suitable for internal assurance and audit conversations
  • Audit trail: approvals, actions, monitoring triggers, and exceptions all traceable to Evidence IDs

Where it fits in the system

Toolkit 5 is the operational governance engine. It connects policy intent (Toolkit 4) to real-world controls and evidence, and gives auditors a clean narrative: risks are identified, assessed, treated, and reviewed.

Every risk entry, AISIA form, and lifecycle template includes an evidence reference field that maps directly to your evidence library and, if you use Toolkit 2, to the evidence mapping area in the Integration Engine.

If you also use Toolkit 6 - AI Lifecycle Control System - your AISIA assessments, lifecycle documentation, and model cards will be richer and connect directly to a dedicated AI inventory. The two toolkits are designed to operate together as an integrated governance spine.

Licence summary (plain English)

  • Licensed to a single legal entity (the purchasing organisation)
  • Authorised users include employees and individual contractors acting on your behalf
  • Outputs may be shared with auditors, customers, regulators, and advisers for assurance
  • Toolkit files may not be shared, resold, or reused as a commercial method across other organisations

When this is not for you

  • You want a lightweight list without governance ownership - this is a real risk system that requires maintained entries, owners, and review dates
  • You do not intend to review and update risks - registers must be maintained to be effective and credible
  • You want a technical model testing tool rather than governance risk management
  • You want certification guarantees rather than risk evidence and structure

Procurement justification

This purchase supports development of a more consistent AI and information security risk management approach.

The toolkit provides reusable risk assessment structures, risk registers, treatment workflows, impact assessment materials and evidence templates intended to support more defensible and traceable governance activity.

The materials can be implemented internally by risk, information security, AI governance, data, compliance and internal audit teams to link AI inventory, assessment outputs, treatment actions, owners and evidence records.

This is a one-off digital toolkit purchase. The supplier does not require access to our AI systems, datasets, prompts, models, customer records, source code, production environments, internal systems, risk registers or completed evidence to fulfil this purchase.

The purchase is proportionate because it provides a common risk method for AI and security activity, reducing duplication across separate spreadsheets, inventories, impact assessments and treatment logs.

Designed for internal approval and governance workflows.

Frequently asked questions

Is this only for AI risks?

No. It is designed to unify information security risks and AI lifecycle risks in one register. The scoring model and treatment framework apply equally to both.

Does it include example AI risks?

Yes. The register includes preloaded example risks across common AI failure modes including bias, drift, misuse, hallucination, model failure, supplier risk, and data quality issues.

What is an AISIA?

An AI System Impact Assessment (AISIA) is a structured triage tool for evaluating an AI system's risk level before deciding what governance and lifecycle evidence is required. The Short Form takes 10-20 minutes per system.

Can we use our existing risk scoring model?

You can, but the value is strongest when scoring is consistent across security and AI. The unified 1-5 model is designed to be directly compatible with standard ISMS risk scoring approaches.

How does this link to Toolkit 2?

Risk entries include an evidence reference field that maps directly to artefacts in your evidence library and to the evidence mapping area in Toolkit 2. This creates a three-step audit trace: control → risk → evidence.

Is this a certification scheme?

No. It supports ISO 27001 and ISO/IEC 42001 alignment and produces audit-ready artefacts, but does not constitute certification or guarantee certification outcomes.

How does payment work and who processes it?

Payment is processed securely by Lemon Squeezy, who act as merchant of record for AIBI Systems. Your payment, VAT collection, and any post-sale compliance are handled directly by Lemon Squeezy. Your download link is delivered to your email immediately after payment. All prices shown are inclusive of VAT.

Do I have to upload my governance data to AIBI Systems?

No. The paid toolkits are downloadable files that you use inside your own organisation. When you use them internally, AIBI Systems does not host, access, process or monitor your completed AI inventories, risk registers, assessments, policies or evidence records. Your governance evidence remains under your control.

Is AIBI a GRC platform?

No. AIBI is a practical toolkit and implementation system. It helps you structure AI governance, evidence and ISO 27001 to ISO/IEC 42001 alignment without requiring a new platform.

Can I use AIBI with our existing systems?

Yes. The toolkits can be used to support or inform your existing ISMS, SharePoint library, Microsoft 365 environment, GRC platform, audit evidence folder or internal governance process. There is no requirement to migrate your controls, risks or documents into a new system.

Does AIBI replace consultants or auditors?

No. AIBI provides structured implementation materials. You can use them independently, with your internal team, with a consultant, or as preparation for audit and assurance conversations.

Best pairing: AI Risk & Lifecycle Control bundle

Toolkit 5 is the risk method. Pair it with Toolkit 6 to connect AI inventory, AISIA, lifecycle controls, and risk treatment in one operating route.

£1,295 inc. VAT bundle price. £1,598 inc. VAT individually. Save £303.

Toolkit 5 also appears in AI Governance Starter and AI Ethics & Risk. This page highlights AI Risk & Lifecycle Control because it is the strongest operational pairing for TK5.

Or get Toolkit 1 through Toolkit 6 in the Complete System Bundle.
