Checks We Perform

Below is a list of all the checks we perform. Select one to view more information.
Risk Assessment
1.0 Is the scope of the risk assessment defined? Does it focus on any particular department, product, or geography?

Description:

Risk Assessments are mandated by several frameworks, including SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA, and more. Many of these frameworks require that your assessment is based on an industry standard methodology, such as NIST 800-30, ISO 27005, OCTAVE, etc.
Risk Assessment
1.6 Does the assessment address operational, financial, regulatory, and technical risk?

Description:

The risk assessment must address the potential for risks in all areas of the organization in order to be truly effective. A comprehensive risk assessment should address operational, financial, regulatory, and technical risk.
Risk Assessment Standards
1.1 Does the assessment follow an industry standard methodology? (i.e. NIST 800-30, ISO 27005, OCTAVE)

Description:

Risk Assessments are mandated by several frameworks, including SOC 1, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA, and more. Many of these frameworks require that your assessment is based on an industry standard methodology, such as NIST 800-30, ISO 27005, OCTAVE, etc.
Risk Assessment Standards
1.5 Was the risk of fraud assessed in order to satisfy the requirements of the COSO Internal Control framework?

Description:

Internal Control best practices require the organization to assess the risk of fraud. This could include the risk of incentives, pressures, attitudes, and rationalizations that could influence someone to commit fraud. When a service organization undergoes a SOC 1 or SOC 2 audit, auditors will be inspecting the risk assessment to determine if it incorporates the COSO Internal Framework requirement, which states, “the entity considers the potential for fraud in assessing risks to the achievement of objectives.”
Asset Inventory
1.2 Has an asset inventory been performed to identity critical assets, such as people, locations, systems, data, and processes?

Description:

The first step in conducting a risk assessment is to identify and inventory your organization’s assets, which include your organization’s hardware, software, system interfaces, data, physical locations, personnel, cloud technologies, business processes, etc.
Likelihood and Impact
1.3 Has an assessment been completed to establish the impact of threats realized? (i.e. Low, Moderate, High)

Description:

The impact of a threat can be described in terms of loss or degradation of one, or a combination, of the following three security goals: confidentiality, integrity, and availability. This review will evaluate how you quantify or qualify the impact.
Vulnerability and Threats
1.4 Is there a formal, documented risk register that ranks risk according to quantitative or qualitative measures?

Description:

Organizations should document and rank risk within an official risk register. This register should consider the vulnerability and impact to each asset for each threat realized. The resulting ranking provides management with a prioritized approach for budget and resources.
Vulnerability and Threats
1.9 Does the assessment include the risk posed by third parties and dependencies in systems, processes, or locations?

Description:

Organizations need to establish requirements for vendor and business partner engagements that ensure the risks associated with these partners are addressed and planned. If your third-party partner experiences a threat or breach, it may be an impact you. Your organization should include the risk posed by third parties in the formal risk assessment.
Risk Treatment
1.7 Has a formal, documented risk treatment plan been developed to include current and planned controls to achieve acceptable risk levels?

Description:

After risks have been identified and assessed for importance and likelihood, a risk management action plan should be created. This formal, documented plan serves as the guide your organization will follow to mitigate any identified risks to achieve acceptable risk levels. You should develop security control recommendations to either mitigate, transfer, accept, or avoid the risk. These controls must be tested regularly to ensure they are suitably designed for your organization’s risks and that they are operating effectively. Your risk treatment plan can be utilized to track remediation efforts and adjust the controls when necessary.
Risk Treatment
1.8 Has a formal, documented Statement of Applicability (SoA) been written to identify framework controls that do or do not apply to the environment?

Description:

A formal, documented Statement of Applicability (SoA) should be written to identify the specific framework controls that do or do not apply to the environment. Justification should be documented when risk evaluation determines that a control does not apply.