GOV-02: Risk Assessment
Objective
Identify and manage security risks to the organization.
Description
Security risk assessments are conducted annually. Risks are identified, evaluated, and prioritized. Risk treatment plans are developed and tracked. Executive leadership is informed of risk status.
Implementation Details
Annual Risk Assessment: A formal risk assessment is conducted annually, identifying threats, vulnerabilities, and the likelihood and impact of each risk.
Risk Register: Maintain a risk register recording each identified risk, its risk rating, its treatment plan, and its owner.
Risk Treatment: For each risk, document the chosen treatment (mitigate, accept, transfer, or avoid) and track remediation actions to completion.
Executive Reporting: Present risk assessment results to the executive team. High and critical risks require either executive acceptance or funding for mitigation.
Examples
- The 2024 annual risk assessment identified 15 risks: 3 high and 12 medium
- High risk: no multi-region DR; budget approved for multi-region deployment in Q1 2025
- The risk register tracks 15 open risks, 8 of which have active remediation
- Quarterly risk status briefing to CEO and board
Audit Evidence
- Risk assessment methodology
- Risk register with current risks
- Risk treatment plans and remediation status
- Executive presentation and approval records
Framework Mapping
SOC 2
- CC3.1 ^[Risk assessment process identifies risks to achieving security objectives]
- CC3.2 ^[Risk assessment considers internal and external factors and their impact on security]
- CC3.4 ^[Risk assessment considers potential for fraud in evaluating security risks]
GDPR
- Article 32 ^[Risk assessment determines appropriate technical and organizational measures based on risk level]
Referenced By
This section is automatically generated by make generate-backlinks. Do not edit manually.
Charter:
- Information Security Program Charter ^[Charter defines risk-based approach, risk management framework as core program principle]
- Risk Management Strategy ^[Risk management framework: methodology (likelihood × impact scoring), risk appetite (moderate), treatment options (mitigate/accept/avoid/transfer), decision authority, risk register]