Risk Management and Assessments for SOC 2 and ISO 27001
Risk management is essential when working towards SOC 2 or ISO 27001 compliance. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why risk assessments are important and how to conduct them for SOC 2 and ISO 27001 in five steps.
Why Are Risk Assessments for SOC 2 and ISO 27001 Important
It’s one of the most important controls in both security certifications because the risk assessment literally tells you what you need to include in your audit scope aka risk assessments are cheatsheets: “RM1.4 – Risk Assessment and Mitigation Methodology – Management performs a formal risk assessment (which includes risks related to security, fraud, regulatory, and technology changes) on an annual basis or in the event of significant changes. Identified risks along with mitigation strategies are documented and implemented by the organization’s executive management.“
More specifically, it tells you the security controls you need to implement for your organization, and why those controls are important. And as if you needed another reason, risk assessments are one of the top 3 things that delay your SOC 2 cert (people often wait until it’s too late to conduct a risk assessment, or they do it wrong).
Note: you don’t have to start from scratch on implementing this control because your leadership team probably already meets regularly to discuss these things and figure out ways to mitigate risks (many times this is not formalized and documented to show an auditor).
How to Implement Risk Management for SOC 2 and ISO 27001 for Your Audits
The key to running risk assessments for SOC and ISO is to leverage spreadsheets or automated tools like Tugboat Logic.
Yes, it’s that simple. Click the link here to see a detailed list of SOC 2 costs. As you build your spreadsheet, you will document your findings and action items, and it will allow you to discuss them with the leadership team and show auditors.
5 Step SOC 2 and ISO 27001 Risk Assessment
- Define your risk universe: ask each member of the exec team from a security standpoint, what worries them the most / what keeps them up at night? Definitely bring up risks related to security, fraud, fast-evolving regulations, reputation, and technology changes. Also, anything that can impact the organization’s performance is valid, e.g., market changes, difficulties finding the right talent, risks of an employee taking information to the competition, and risk of being hacked. We’ve included a list of the most common risks cited SaaS companies face below.
- Evaluate and assign: evaluate the likelihood and potential impact of the risk identified and assign it a level (High, medium, or low).
- Identify and transfer risk: identify controls to mitigate/reduce each risk as much as possible. You can also decide to accept or transfer the risk (e.g. buying insurance to cover the risk, outsourcing the risk to another party).
- Tackle residual risk: evaluate the risk again considering the mitigating factors you have identified and assign a level (High, medium or low).
- Final review and gap assignment: ensure all the mitigating controls/factors are operating effectively. If you identify any gaps, make sure that you assign it to someone to resolve it.
Additional Risk Management Considerations for SOC 2 and ISO 27001 Controls
- Have the leadership team involved at every step.
- The process your org undertakes should be formalized and documented.
- Make sure you review the risk assessment periodically (at least once a year, but ideally every quarter).
- Make sure the controls and or mitigation strategies are documented and are actually working.
- It’s okay to have gaps – just make sure they are documented and that a clear remediation plan is in place.
Common SOC 2 and ISO 27001 Risks SaaS Companies Face
- A natural disaster may take down the data center where the service is hosted.
- An employee/contractor may misuse the sensitive customer data and sell it.
- Misuse of information systems
- Unauthorized use of copyrighted material.
- Misuse of IP due to lack of appropriate copyright.
- Turnover or staff shortage that lead to insufficient support for customers.
- Non-compliance due to lack of due diligence that may impact the security, availability, and confidentiality commitments agreed by engaged vendors / third parties.
- Breach due to non-agreed SLAs between the company and vendors.
- Non-compliance to the company’s internal controls required to accomplish the company’s objectives.
- Non-commitment due to lack of defined accountability on the effectiveness of company’s security management.
- Non-achievement of company’s business and security objectives due to lack of resources.
- Technology risk functions are not providing adequate or effective information for executives and board members.
- New patches are not applied to the system to address flaws in security design.
- Scalability risk – Lack of system’s capability to cope and perform well under an increased or expanding workload or scope.
- Non-compliance due to lack of processes to identify changes in laws, regulations, and standards.
- Breach due to lack of due diligence for assessing the effectiveness of implemented controls required to achieve applicable laws and regulations.
- Non-awareness due to lack of guidelines for legal regulations.
PS: Launch a security program that protects your business, builds trust with customers, and impresses your board by downloading Security Best Practices for Startups.