BIZOPS-13 Business Changes Risk

What is this control about?

A risk register must be used to track the identified risks. The risks must include considerations of fraud, business changes, technology impact, vendor impact and regulatory changes.

Available tools in the marketplace

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• TrustCloud provides a template and automate this via Trust Register

Control implementation

Perform a Risk Assessment that includes:

• Risk identified
• Risk impact
• Risk rating
• Mitigating controls identified
• Residual risks
• Risk Owner

For SOC 2:

• All the above steps including the company goals. There must be a clear link between the risk identified and the company goals. The link can be addressed by documenting it within the policy.

For HIPAA security:

• All the above steps including the impact of disclosure of PHI as part of the risk impact.

For ISO 27001:

• All the above steps including the internal and external stakeholders needs as part of the risk identified.

For Privacy (GDPR, ISO 27701,CCPA):

• All the above steps including the privacy risks as part of the risks identified.

What evidence do auditors look for?

Most auditors, at a minimum are looking for the below suggested action:

• Upload the most recently completed Risk Register

Evidence example

From the suggested action above, an example is provided below.

• TrustCloud provides a template and automates this via Trust Register

No screenshot deemed necessary, as template provided serves as artifact example