[Re-post] How to Conduct Risk Assessments for SOC 2 and ISO 27001
This week’s control is on risk assessments. Jose Costa (CISO at Tugboat Logic) and Harpreet Shergill (Senior Manager, IS Risk & Compliance) explain why risk assessments are important and how to conduct them in five steps.
Why this control is important
It’s one of the most important controls in both security certifications because the risk assessment literally tells you what you need to include in your audit scope; in other words, risk assessments are cheat sheets. The control itself reads: "RM1.4 – Risk Assessment and Mitigation Methodology – Management performs a formal risk assessment (which includes risks related to security, fraud, regulatory, and technology changes) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization's executive management."
More specifically, it tells you the security controls you need to implement for your organization, and why those controls are important. And as if you needed another reason, risk assessments are one of the top 3 things that delay your SOC 2 cert (people often wait until it's too late to conduct a risk assessment, or they do it wrong).
Note: you don’t have to start from scratch on implementing this control because your leadership team probably already meets regularly to discuss these things and figure out ways to mitigate risks (many times this is not formalized and documented to show an auditor).
How to implement this control for your audits
Use a spreadsheet.
Yep, it’s that simple (it’s what a lot of consultants do for their clients and then charge them $300 - $400/hour to enter things into cells lol). Your spreadsheet will document your findings and action items, and allow you to discuss them with the leadership team and show auditors.
Just follow these five steps:
- Define your risk universe: ask each member of the exec team, from a security standpoint, what worries them the most / what keeps them up at night. Definitely bring up risks related to security, fraud, fast-evolving regulations, reputation, and technology changes. Also, anything that can impact the organization’s performance is valid, e.g., market changes, difficulties finding the right talent, the risk of an employee taking information to the competition, and the risk of being hacked. We've included a list of the most commonly cited risks SaaS companies face below.
- Evaluate and assign: evaluate the likelihood and potential impact of each risk identified and assign it a level (High, Medium, or Low).
- Identify and transfer risk: identify controls to mitigate / reduce each risk as much as possible. You can also decide to accept or transfer the risk (e.g., buying insurance to cover the risk, or outsourcing it to another party).
- Tackle residual risk: evaluate the risk again considering the mitigating factors you have identified and assign a level (High, Medium, or Low).
- Final review and gap assignment: ensure all the mitigating controls / factors are operating effectively. If you identify any gaps, make sure each one is assigned to someone to resolve.
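A minimal risk register that carries the five steps through in code, as an added example (not Tugboat Logic's tooling or the authors' spreadsheet): inherent level from likelihood x impact, residual level after only the controls that actually operate, and a list of gaps with no owner. The 1..3 scoring scale, the control-effect values and the two sample risks are assumptions.

```python
from dataclasses import dataclass, field

def level(likelihood: int, impact: int) -> str:
    # Step 2 / step 4: map a likelihood x impact score (each 1..3) to a level.
    score = likelihood * impact
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

@dataclass
class Control:
    name: str
    reduces_likelihood: int = 0      # assumed: points taken off likelihood
    reduces_impact: int = 0          # assumed: points taken off impact
    operating_effectively: bool = True
    owner: str = ""                  # who is fixing it, if it is a gap

@dataclass
class Risk:
    description: str
    likelihood: int                  # 1 (rare) .. 3 (likely)
    impact: int                      # 1 (minor) .. 3 (severe)
    treatment: str = "mitigate"      # mitigate | accept | transfer
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        return level(self.likelihood, self.impact)

    def residual(self) -> str:
        # Only controls that are actually operating count toward residual risk.
        eff = [c for c in self.controls if c.operating_effectively]
        lk = max(1, self.likelihood - sum(c.reduces_likelihood for c in eff))
        im = max(1, self.impact - sum(c.reduces_impact for c in eff))
        return level(lk, im)

def gaps(risks: list) -> list:
    # Step 5: every control that is not operating effectively needs a named owner.
    return [(r.description, c.name) for r in risks for c in r.controls
            if not c.operating_effectively and not c.owner]

# Constructed sample register using two of the common SaaS risks listed on this page.
REGISTER = [
    Risk("New patches not applied to the system", 3, 3, controls=[
        Control("Monthly patch cycle", reduces_likelihood=2),
        Control("Vulnerability scanning", reduces_likelihood=1, operating_effectively=False),
    ]),
    Risk("Natural disaster takes down the data center", 1, 3, treatment="transfer", controls=[
        Control("Business-interruption insurance", reduces_impact=1, owner="CFO"),
    ]),
]
```

Printing `r.inherent()`, `r.treatment` and `r.residual()` per risk plus `gaps(REGISTER)` gives exactly the columns an auditor expects to see in the spreadsheet.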
Additional considerations to ensure you clear this control
- Have the leadership team involved at every step.
- The process your org undertakes should be formalized and documented.
- Make sure you review the risk assessment periodically (at least once a year, but ideally every quarter).
- Make sure the controls and/or mitigation strategy are documented and are actually working.
- It’s okay to have gaps – just make sure they are documented and that a clear remediation plan is in place.
The most common risks SaaS companies face
- A natural disaster may take down the data center where the service is hosted.
- An employee / contractor may misuse the sensitive customer data and sell it.
- Misuse of information systems.
- Unauthorized use of copyrighted material.
- Misuse of IP due to lack of appropriate copyright.
- Turnover or staff shortage that leads to insufficient support for customers.
- Non-compliance due to lack of due diligence that may impact the security, availability, and confidentiality commitments agreed with engaged vendors / third parties.
- Breach due to SLAs not being agreed between the company and its vendors.
- Non-compliance with the company's internal controls required to accomplish the company's objectives.
- Lack of commitment due to undefined accountability for the effectiveness of the company's security management.
- Non-achievement of the company's business and security objectives due to lack of resources.
- Technology risk functions are not providing adequate or effective information for executives and board members.
- New patches not applied to the system to address flaws in security design.
- Scalability risk – Lack of system's capability to cope and perform well under an increased or expanding workload or scope.
- Non-compliance due to lack of processes to identify changes in laws, regulations, and standards.
- Breach due to lack of due-diligence for assessing effectiveness of implemented controls required to achieve applicable laws and regulations.
- Lack of awareness due to lack of guidelines on legal regulations.