cc3-2 Critical priority Security / Risk Assessment

Security risks are identified and analyzed

A formal risk assessment process identifies what can go wrong, how likely it is, and how severe the impact would be. This is the core of any security program. Without it, security investment is driven by gut feel and visible incidents rather than actual exposure. SOC 2 auditors want to see a documented risk register maintained over time, not just a one-time spreadsheet.

Complete first: cc3-1

Implementation steps

  1. Conduct an annual risk assessment

     At least once per year, run a structured risk assessment. Gather input from engineering, ops, and business teams on what threats they perceive. Enumerate threat categories: unauthorized access, data loss, service disruption, insider threat, supply chain attack. For each, estimate likelihood and impact. Document results in a risk register.

     Tools: Confluence, Notion, Google Sheets, Vanta, Drata

  2. Maintain a live risk register

     Create a risk register that is updated throughout the year as new risks emerge or existing ones change. Each entry should include: risk description, likelihood rating (1-5), impact rating (1-5), inherent risk score, current controls, residual risk score, risk owner, and target remediation date for unacceptable risks.

     Tools: Google Sheets, Notion, Confluence, Jira

  3. Treat identified risks with controls

     For each risk rated above your acceptable threshold, define a treatment: accept, mitigate, transfer, or avoid. Mitigated risks should have specific controls assigned. Track control implementation status. This connects your risk assessment directly to your security roadmap.

     Tools: Jira, Linear, Notion, Google Sheets
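
The register fields from step 2 and the treatment rules from step 3 are easy to check mechanically, so here is an added example (not part of this control's text, and not the output of any of the tools listed) that models a register entry and runs the review an auditor would apply: every risk above the threshold needs a treatment decision, assigned controls if mitigated, management sign-off if accepted, and an unexpired remediation date otherwise. The scoring rule (likelihood multiplied by impact), the threshold of 9, and all sample risks, owners and dates are assumptions constructed for the example.

```python
# Added example (not part of the SOC 2 control text above): a minimal risk
# register with the fields step 2 lists, plus the review checks an auditor
# would apply under step 3. The scoring rule (likelihood x impact) and the
# threshold value are assumptions, not something the control prescribes.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

AS_OF = date(2024, 6, 1)  # constructed review date for the sample below


class Treatment(Enum):
    ACCEPT = "accept"
    MITIGATE = "mitigate"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class Risk:
    description: str
    likelihood: int                              # 1-5, before controls
    impact: int                                  # 1-5, before controls
    owner: str
    current_controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[int] = None    # None = unchanged by controls
    residual_impact: Optional[int] = None
    treatment: Optional[Treatment] = None
    planned_controls: List[str] = field(default_factory=list)
    remediation_date: Optional[date] = None
    accepted_by: Optional[str] = None            # management sign-off for ACCEPT

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-5 scale so scores stay comparable.
        for name in ("likelihood", "impact", "residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")

    @property
    def inherent_score(self) -> int:
        # Assumed scoring rule: likelihood x impact (range 1-25).
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Score after current controls; falls back to the inherent ratings.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def review_register(register: List[Risk], threshold: int, as_of: date) -> Dict[str, List[str]]:
    """Return findings per risk whose residual score is above the threshold.

    An empty dict means every unacceptable risk has a treatment decision,
    assigned controls where mitigated, sign-off where accepted, and a
    remediation date that has not slipped.
    """
    findings: Dict[str, List[str]] = {}
    for risk in register:
        if risk.residual_score <= threshold:
            continue  # within appetite; no treatment decision required
        notes: List[str] = []
        if risk.treatment is None:
            notes.append("no treatment decision recorded")
        elif risk.treatment is Treatment.MITIGATE and not risk.planned_controls:
            notes.append("mitigate chosen but no controls assigned")
        elif risk.treatment is Treatment.ACCEPT and not risk.accepted_by:
            notes.append("accepted without management sign-off")
        if risk.treatment is not Treatment.ACCEPT:
            if risk.remediation_date is None:
                notes.append("no target remediation date")
            elif risk.remediation_date < as_of:
                notes.append("remediation date has passed")
        if notes:
            findings[risk.description] = notes
    return findings


def prioritised(register: List[Risk]) -> List[str]:
    """Descriptions ordered by residual score, highest first (roadmap order)."""
    return [r.description for r in sorted(register, key=lambda r: r.residual_score, reverse=True)]


def build_sample_register() -> List[Risk]:
    """Constructed sample entries; names, owners and ratings are illustrative only."""
    return [
        Risk("Unauthorized access via leaked credentials", 4, 5, "Head of Infrastructure",
             current_controls=["SSO with MFA"], residual_likelihood=2,
             treatment=Treatment.MITIGATE, planned_controls=["Secret rotation"],
             remediation_date=date(2024, 9, 30)),
        Risk("Service disruption from single-region outage", 2, 4, "Platform lead"),
        Risk("Data loss from untested backups", 3, 5, "Data engineering lead"),
        Risk("Insider misuse of privileged admin access", 2, 5, "CISO",
             treatment=Treatment.ACCEPT),
        Risk("Supply chain attack via build dependency", 3, 4, "AppSec lead",
             treatment=Treatment.MITIGATE, remediation_date=date(2024, 3, 31)),
    ]


if __name__ == "__main__":
    for name, notes in review_register(build_sample_register(), 9, AS_OF).items():
        print(f"{name}: {'; '.join(notes)}")
```

Running the script lists three risks with gaps (one with no decision, one accepted without sign-off, one mitigated without controls and past its date) and stays silent about the two that are either within appetite or properly treated; `prioritised()` gives the order in which roadmap items should be mapped back to register entries.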

Evidence required

Risk register

A documented and dated risk register covering the in-scope systems.

  - Risk register spreadsheet with likelihood, impact, and owner columns
  - Vanta or Drata risk assessment output
  - Annual risk assessment report with identified risks and ratings

Risk treatment decisions

Evidence that identified risks have been formally accepted, mitigated, or transferred.

  - Risk register with treatment column and status
  - Management sign-off on accepted risks
  - Security roadmap items mapped to risk register entries
