Common Criteria 3.2
During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” When an auditor is assessing an organization’s compliance with this, they will observe how an organization is assessing the significance of risks found in their risk assessment. Let’s take a look at what organizations need to do to demonstrate compliance with common criteria 3.2.
Quantifying or Qualifying the Significance of Risks
In order for an organization to demonstrate that it complies with common criteria 3.2, it will need to show the auditor how it assesses the significance of the risks identified in its risk assessment. This is done by implementing processes that allow the organization to quantify or qualify the significance of each risk. In the early stages of a risk assessment, qualifying the likelihood of a risk and the potential impact that the risk would have on the organization is helpful for risk-ranking the threats. Once an organization has qualified the likelihood and impact of each risk, quantifying them takes risk-ranking to the next level. An organization may opt to risk-rank the threats as high, medium, or low, or it may choose to use numerical values to express the level of risk. While qualifying risks may not be as accurate as quantifying them, both options help an organization assess the significance of its risks.
For instance, say an organization has conducted its risk assessment and found these two risks: an open door that could allow a malicious intruder to access a sensitive area, and a vulnerability in the network that could allow malicious hackers to access secure data. The organization is now tasked with assessing the significance of these risks, which means considering both likelihood and impact. The organization decides to rank the likelihood and impact of each threat numerically on a scale of one to ten. It determines that the likelihood of a malicious intruder entering through the open door is a four and the impact would be a seven, whereas the likelihood of a malicious hacker infiltrating the network and accessing sensitive data is a seven and the impact a nine. By assigning a figure to the likelihood and impact of each risk, the organization can calculate the significance (or severity) of the risk by multiplying likelihood by impact. In this case, the significance of the malicious intruder is 28 and that of the malicious hacker is 63. Having assessed the significance of both risks, the organization knows to prioritize the network vulnerability over the open door.
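The likelihood-times-impact ranking described above, carried through as an added example (not part of the original article): a small risk register that validates the one-to-ten scale, computes significance, sorts risks by it, and maps the score to a high/medium/low band. The band thresholds are assumptions chosen for illustration; the article does not prescribe them.

```python
"""Risk-ranking helper in the style of a SOC 2 CC3.2 risk assessment."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 10  # the one-to-ten scale used in the article's example

# Qualitative bands for the likelihood x impact product. These thresholds are
# assumed for illustration; each organization defines its own.
BANDS = (("high", 50), ("medium", 20), ("low", 0))


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1-10
    impact: int      # 1-10

    def __post_init__(self):
        # Reject scores outside the agreed scale so the register stays comparable.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} {value} is outside {SCALE_MIN}-{SCALE_MAX}")

    @property
    def significance(self) -> int:
        """Significance (severity) = likelihood x impact, as in the article."""
        return self.likelihood * self.impact


def qualify(score: int) -> str:
    """Map a numeric significance score to a qualitative band."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    return "low"


def rank_risks(risks):
    """Return (name, significance, band) tuples, highest significance first."""
    ordered = sorted(risks, key=lambda r: r.significance, reverse=True)
    return [(r.name, r.significance, qualify(r.significance)) for r in ordered]


# Constructed register built from the article's two example risks.
REGISTER = [
    Risk("open door to sensitive area", likelihood=4, impact=7),
    Risk("network vulnerability exposing secure data", likelihood=7, impact=9),
]

if __name__ == "__main__":
    for name, score, band in rank_risks(REGISTER):
        print(f"{score:3d}  {band:6s}  {name}")
```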
More SOC 2 Resources
A very important element in your risk assessment that you must have in place to comply with SOC 2 common criteria 3.2 (CC3.2) is a way to quantify or qualify the significance of your risk. You want to make sure that you put a figure in there for the impact of a threat to that risk. For example, if you have a risk of an open door to an area in your location and the threat is an intruder, what would the impact be if that intruder came into that sensitive area? You need to qualify that somehow. The second aspect of this is to quantify or qualify the likelihood of that happening. What would be the likelihood of an intruder coming in and doing that? You have to make sure that that is considered within the risk assessment and that you have some way of ranking things according to that impact and that likelihood, so that you can make the best decisions going forward on how you’re going to address those risks.