SOC 2
Security Risk Assessment
CC3.2
COSO Principle 7: The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
- Includes Entity, Subsidiary, Division, Operating Unit, and Functional Levels—The entity identifies and assesses risk at the entity, subsidiary, division, operating unit, and functional levels relevant to the achievement of objectives.
- Analyzes Internal and External Factors—Risk identification considers both internal and external factors and their impact on the achievement of objectives.
- Involves Appropriate Levels of Management—The entity puts into place effective risk assessment mechanisms that involve appropriate levels of management.
- Estimates Significance of Risks Identified—Identified risks are analyzed through a process that includes estimating the potential significance of the risk.
- Determines How to Respond to Risks—Risk assessment includes considering how the risk should be managed and whether to accept, avoid, reduce, or share the risk.
- Identifies and Assesses Criticality of Information Assets and Identifies Threats and Vulnerabilities—The entity’s risk identification and assessment process includes (1) identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organizational roles; (2) assessing the criticality of those information assets; (3) identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identified assets.
- Analyzes Threats and Vulnerabilities From Vendors, Business Partners, and Other Parties—The entity’s risk assessment process includes the analysis of potential threats and vulnerabilities arising from vendors providing goods and services, as well as threats and vulnerabilities arising from business partners, customers, and others with access to the entity’s information systems.
- Considers the Significance of the Risk—The entity’s consideration of the potential significance of the identified risks includes (1) determining the criticality of identified assets in meeting objectives; (2) assessing the impact of identified threats and vulnerabilities in meeting objectives; (3) assessing the likelihood of identified threats; and (4) determining the risk associated with assets based on asset criticality, threat impact, and likelihood.
What is a Cybersecurity Compliance Framework?
Security and privacy programs do not have to accumulate an ever-growing number of tools as they mature. The Lionfish platform offers a one-stop solution to track progress and monitor any framework, from custom-built ones to the most specialized and widely requested security and privacy frameworks and certifications.
With the Lionfish platform, every framework is supported with guided scoping, policies, controls, automated evidence collection, and continuous monitoring, so that preparation for an audit or attestation takes minimal time.
The Lionfish platform is compatible with a wide range of security and privacy frameworks, including:
- CMMC v2
- HIPAA
- NERC CIP-002 through CIP-014 Revision 6
- NIST 800-171
- NIST 800-172
- PCI (Payment Card Industry Security Standard)
- SOC 2
- NIST 800-53
- NIST SP800-161 Supply Chain Risk Management
- NIST-CSF
- CIS Framework Controls V8