
BIZOPS-1 Risk Management


What is this control about?

The process to identify, evaluate, analyze and remediate the risks must be documented. This process must involve the executive leadership and those responsible for security and privacy of the data.

At TrustCloud, we get you started with a policy to update at your discretion.

Available tools in the marketplace

Tools:
  • No tools recommendation for this section

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

The following steps must be considered when implementing a risk management program:

  • Assign a dedicated team or personnel responsible for coordinating and performing the assessment
  • Define the internal factors (turnover, vendor risks, etc.) or external factors (economic changes, global catastrophes, regulatory changes) relevant to the organization
  • Define and document the process for identifying risks
  • Define and document the process for analyzing risks
  • Define and document the process for remediating risks
  • Assign an owner to each remediation and track resolution
  • Define the frequency of the risk assessment process

For SOC 2:

  • All the above steps, including documentation of the company goals for the year or period. SOC 2 will evaluate how the company goals and objectives are integrated into the identification of potential risks that could affect the company’s goals.

For HIPAA security:

  • All the above steps, including documentation of the impact of disclosure of PHI (Protected Health Information) as part of the identification of risks. HIPAA will evaluate how the impact of PHI disclosure is captured in your risk assessment and how you plan on mitigating this risk.

For ISO 27001:

  • All the above steps, including documentation of the expectations of internal and external stakeholders as part of the risk identification process. ISO 27001 will evaluate how the demands of your internal and external stakeholders are captured in your risk assessment.

For Privacy (GDPR, ISO 27701, CCPA):

  • All the above steps, including documentation of the privacy risks as part of the risk identification process. Privacy frameworks will evaluate how privacy risks are captured in your risk assessment and how you plan on mitigating those risks.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested action below:

  • Upload the Risk Management policy that includes the last revision date

Evidence example

From the suggested action above, an example is provided below.

  • TrustCloud Risk Management Policy Template

No screenshot is deemed necessary, as the template provided serves as the artifact example.
