What Should Be Included in Your Risk Assessment

So, you’ve done your risk assessment and the auditor is coming. What do I want to see when I come out to see you? Ideally, for an auditor, a risk assessment is holistic: it looks at your entire organization, not just the information technology stack, and addresses everything from key-man vulnerabilities, to environmental threats, to operational threats, to the existential concerns that keep you up at night. I want to see that the organization, especially for a SOC2 audit, addresses everything that could potentially go wrong. Now, that’s a tall order for any standard. I want you all to look at what’s important to you and make sure you’ve covered all of the bases. There’s nothing worse for an auditor than to walk in, identify a brand-new risk, realize its significance, and then note that the organization doesn’t even recognize that the risk exists.

