BIZOPS-11 Risk Register

What is BIZOPS-11 Risk Register Control?

A risk register must be used to track the identified risks. The risks must include considerations of fraud, business changes, technology impact, vendor impact, and regulatory changes.

Available tools in the marketplace

Tools

No tool recommendation is made for this section.

Available templates

TrustCloud has a curated list of templates, internally or externally sourced, to help you get started. Click on the link for a downloadable version:

• TrustCloud provides a template to automate this via Trust Register

Control implementation

To implement this control,

Perform a risk assessment that includes:

1. Risk identified
2. Risk impact
3. Risk rating
4. Mitigating controls identified
5. Residual risks
6. Risk Owner

For SOC 2:

• All the above steps, including the organizational goals, must establish a clear link between the identified risk and the organizational goals. The link can be addressed by documenting it within the policy.

For HIPAA security:

• All the above steps, including the impact of disclosure of PHI, are part of the risk impact.

For ISO 27001:

• All the above steps, including the needs of internal and external stakeholders, are part of the risk identified.

For privacy (GDPR, ISO 27701, CCPA):

• All the above steps, including the privacy risks, are part of the risks identified.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

1. Upload the most recently completed risk register.

Evidence example

For the suggested action, an example is provided below:

1. TrustCloud provides a template and automates this via Trust Register.
   The template provided serves as an example.