What Does An Auditor Want In Our Risk Assessment

One of the questions we get quite frequently is "What is the auditor going to ask us for in reference to our risk assessment?" The auditor is going to want to see evidence that you have actually conducted a risk assessment. We'll usually start by asking for your risk assessment policy. This should be a document that outlines how you do your risk assessment: How frequently does it occur? Who is involved? Which risk assessment methodology have you chosen?

Then we will want to see the documentation itself. The format really doesn't matter; what we're looking for is clear identification of your assets and the risks you have identified for those assets. We want to see that you've taken into account the threats that can impact the confidentiality, integrity and availability of those assets, and what the impact would be to your organization if those threats were realized against them. That is how you quantify (or qualify) the risk for each asset. So we'll want to see a ranking of risks in your risk register that shows us you understand the risk in your environment.

This documentation is very important to show to the auditor, as is proof that these discussions have actually taken place amongst your team. Quite frequently we'll be told, "We talk about risk in our monthly management meeting," and so we'll want to see some documentation, perhaps an agenda or meeting minutes, that corroborates the fact that risk management is discussed in that forum. Bring these pieces together to show to your auditor, and feel free to reach out to us if we can provide any guidance in preparing for an audit.

