SOC 2 Academy: Using a Risk Assessment

by Joseph Kirkpatrick / December 21st, 2018

Common Criteria 3.1

During a SOC 2 audit, auditors will validate that organizations comply with the common criteria listed in the 2017 SOC 2 Trust Services Criteria. When an auditor is assessing an organization’s compliance with common criteria 3.1, which states, “The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives,” they will want to see that the entity not only conducts but uses their risk assessment. Let’s take a look at how organizations can go about using their risk assessment and why it’s so important.

The Importance of a Risk Assessment

Conducting a risk assessment is a proactive way that organizations can identify and assess organizational risk. However, another key element of a risk assessment is using the findings to prioritize the risks to the organization’s business continuity, reputation, financial health, and more. How can an organization’s management utilize their risk assessment? They can do so in a few ways, including:

  1. Managing day-to-day activities: Having a prioritized list of risks to an organization allows an entity’s management to have a better understanding of which risk needs more attention and how they can execute a plan of action to mitigate those risks during their day-to-day activities.
  2. Budgeting: When leadership understands where the organization’s risks lie, they will have more insight into how they need to budget and allocate funds to alleviate risks.
  3. Mitigating: Once management understands which risks are more important and they have allocated the necessary funds, they can begin mitigating the risks identified during the risk assessment.
  4. Monitoring: By conducting risk assessments on a regular basis, entities will be able to use their findings, compare them to past assessments, and monitor their progress.

Without conducting risk assessments on a regular basis, organizations will be unable to risk-rank threats to their organization, mitigate those risks efficiently, and ensure that their business objectives are met. For SOC 2 compliance, it’s absolutely necessary for organizations to perform risk assessments and demonstrate that they use their findings in a way that helps them meet their objectives.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

[av_toggle_container initial=’1′ mode=’accordion’ sort=” styling=” colors=” font_color=” background_color=” border_color=” custom_class=”]
[av_toggle title=’Video Transcription’ tags=”]

While having a risk assessment is an important requirement for your SOC 2 compliance efforts, I also want to point out how important it is to utilize it on a day-to-day basis within your organization. The assessment of risk is something that you can use to manage your activities on an ongoing basis. For example, if you don’t know what your level of risk is on any particular day, you may not know what priority to place on certain activities. For example, in your budget, using your risk assessment is a way to allocate dollars to the areas that bring the best bang for the buck to make sure that you’re spending dollars in areas where you have the highest risks. Just make sure that you leverage your risk assessment and use it in the way that it is intended.