cc3-1 High priority Security / Risk Assessment

Security objectives are defined to enable risk identification

You cannot assess risk without first knowing what you are trying to protect. This control requires that the organization clearly defines what its security objectives are — availability of its service, confidentiality of customer data, integrity of transactions — so that risks can be evaluated against those objectives. Vague objectives produce vague risk assessments that miss real threats.

Complete first: cc1-1

Implementation steps

  1. Define the scope of what you are protecting

    Document the systems, data, and processes that are in scope for your security program. For a SaaS company this typically includes: production infrastructure, customer data stores, authentication systems, admin access paths, and third-party integrations. This scope definition feeds directly into your risk assessment.

  2. Write explicit security objectives

    State your security objectives in writing. These should be specific enough to evaluate risk against. Example objectives: 'Customer data is accessible only to authorized users', 'Production systems maintain 99.9% availability', 'All code changes are reviewed before deployment'. These become the benchmark for your risk assessment.

  3. Link objectives to your SOC 2 trust service categories

    Map your objectives to the Trust Services Categories you are reporting on. If you are reporting on Security and Availability, make sure your objectives cover both. This mapping helps auditors see that your program is aligned with the criteria.


Evidence required

Documented security objectives

Written security objectives that are specific, measurable, and tied to the organization's services.

  - Security policy with explicit objectives section
  - Risk management policy describing what is being protected
  - SOC 2 system description with security commitments

System scope definition

Documentation of what systems and data are in scope for the security program.

  - System description document listing in-scope components
  - Architecture diagram with security boundary marked
  - Data flow diagram showing what data is protected

Related controls