What Should Be Included in Your Risk Assessment
Transcription
So, you’ve done your risk assessment and the auditor is coming. What do I want to see when I come out to see you? Ideally, for an auditor, a risk assessment is holistic. It looks at your entire organization. Not just the information technology stack but talks about everything from key-man vulnerabilities, to environmental threats, to operational threats, to existential concepts that keep you up at night. I want to see that the organization, especially for a SOC2 audit, addresses everything that could potentially go wrong. Now, that’s a tall order for any standard. I want you all to look at what’s important to you and make sure you’ve covered all of the bases. There’s nothing worse for an auditor than to walk in, identify a brand-new risk, realize its significance, and to note that the organization that you’re working with doesn’t even recognize that that risk exists.