What Risk Assessment Method is Appropriate
Transcript
One of the worries when you go into assessment is that the assessor is going to hold you to an impossible standard for your organization. But one of the beautiful things about the SOC2 assessment in particular is that the standards can largely be organizationally set. Provided you hit certain minimum thresholds, it isn’t really my place to tell you that how you’re doing it is wrong. Instead, think about your organization and its maturity. Think about the idea that the thing you do is actually present. It might just not be in a form the auditor expects.

Commonly we see this with risk assessment. You can’t run a business in today’s world and not constantly be asking yourself, “What could go wrong tomorrow? How can I keep that from happening? How do I make sure that my services get delivered on time and appropriately?” That process is risk assessment. So how do you do that with your team? How do you keep track of that? Do you have a standup every week where you talk about the last week’s risks that popped out in the SANS newsletter? If so, did you take minutes? Is there a meeting record? That may truly be the most appropriate form of risk assessment and the most appropriate form of risk assessment activity for your organization.

But the key to remember here is process maturity and capability. The more comfortable you are with your own processes, the more it makes sense to make sure that those processes are documented and maintained, and the less deviation you’ll have from them. Remember, what I’m looking for as an auditor is consistency and understanding. Keeping things consistent is difficult to do without documentation. But you always need to do what’s appropriate for your organization.