Common Criteria 3.2
When a service organization undergoes a SOC 2 audit, auditors will look to validate that it complies with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. Common criteria 3.2 (CC3.2) states, “The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” We’ve discussed the different types of risks organizations can face and the importance of using the findings of a risk assessment, so let’s take a look at how to manage risks and what organizations need to do to demonstrate compliance with common criteria 3.2.
Managing Organizational Risks
A major component of using your risk assessment is deciding how to manage the risks it identified. This includes evaluating the significance of each risk, assessing its likelihood, and determining how to respond to it. Ultimately, management must decide whether to accept, avoid, reduce, or share each risk, and how they will go about doing so. For instance, when management meets to discuss the findings of the risk assessment, they will determine whether to accept certain risks or share them with another party. This might be the case when an organization has partnered with a third-party vendor to perform part of its business process: if a risk arises from that partnership, the organization might share the risk by making the vendor contractually responsible for mitigating it. Sharing a risk does not remove the organization’s own accountability for it, however; the organization still needs to monitor whether the vendor’s controls are actually in place and operating. Organizations might instead opt to reduce certain risks, in which case they will have to determine which additional controls to put in place, or to accept a risk as it stands, in which case the decision and its rationale should be recorded.
So, how can an organization demonstrate compliance with common criteria 3.2 during a SOC 2 audit? Organizations should formally document how they plan to use their risk assessment to manage risk, typically by recording, for each identified risk, its significance and likelihood, the response chosen (accept, avoid, reduce, or share), and the controls or owners responsible for carrying that response out. In doing so, organizations are able to provide clear evidence to an auditor that they have performed a risk assessment, evaluated the significance of the risks to the organization, and have determined a plan to manage the risks identified. By having a process in place for how to manage risks, organizations are more likely to achieve their business objectives and maintain a strong security posture.
More SOC 2 Resources
After your organization sits down and documents its risk assessment, the questions “So what? What do we do with this?” might be asked. The purpose of common criteria 3.2 is to look at how you used your risk assessment in order to make choices about how those risks were going to be managed. For example, you’ll have a meeting where you discuss your risks and you’ll decide whether to accept or avoid certain risks. “We’re going to reduce this risk by putting additional controls in place,” or “we’re going to share this risk with someone else.” You might look at insurance as a way to transfer risk away. Ultimately, as an auditor, we’re going to be looking at the decisions that you’ve made about how you are going to manage those risks. Having it documented in your risk assessment is a very important place to start.