SOC 2 Academy: Who Should Make Updates To Your Risk Assessment?

by Joseph Kirkpatrick / January 11th, 2019

The Importance of Teamwork During a Risk Assessment

During a SOC 2 audit, the auditor will evaluate an organization’s risk assessment process. This covers not only how the organization identifies and rates risk, but also who takes part in the process. Auditors will want to see a defined process for who is responsible for updating the risk assessment. Why is that? One of the common findings in SOC 2 audits is that organizations treat the risk assessment as a document they roll forward from the previous year without much thought, and they often fail to involve the appropriate people from across the organization in the process. Why is teamwork important during a risk assessment? Who should make updates to the risk assessment? Let’s discuss.

Conducting a risk assessment is a proactive way for organizations to identify and evaluate organizational risk, but a risk assessment is not a one-person job. To get the most out of it, more than just the IT department needs to be involved. Compliance, operations, and even the front desk receptionist and security guards can contribute to identifying, assessing, and mitigating risks. If only the IT department is involved, critical information can be left out. For instance, there may be new or updated regulations or laws that the organization is required to follow; if compliance personnel don’t notify the IT team, the organization may be at risk of non-compliance. Likewise, suppose operations has implemented a new product development process. If operations isn’t involved in the risk assessment, who else can explain the details and potential weaknesses of the new process? And if the various departments aren’t involved, how will anyone know who should be making updates to the risk assessment? Ultimately, treating the risk assessment as a team effort allows organizations to identify risks they might otherwise have missed, making the assessment more effective and strengthening their security posture.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Video Transcription

One of the common findings that we have in an entity’s risk assessment is that it was just treated as something that they updated without much thought from the previous year, and they didn’t involve the appropriate members from the organization to contribute to the risk assessment process. It shouldn’t be something that just one person knows about, or one person completes, because you might be missing some very relevant intelligence from people who work at the warehouse or people who work in sales. The risk assessment involves not only people who work in IT, but also people who work in compliance, operations, or even the front desk receptionist. Consider how you can involve the most people in your organization in your risk assessment process, so that you can identify risks that you might not be aware of.
