Document ID: SOC2-RISK-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: CISO / Risk Owner
Purpose
This procedure defines how [Organisation Name] identifies, assesses, and treats risks to the security, availability, and confidentiality of its systems and customer data, in accordance with SOC 2 CC3.1–CC3.4. Risk assessments are performed at least annually and whenever significant changes occur.
1. Risk Assessment Process
Step 1 – Identify Assets
List all information assets within the SOC 2 scope boundary:
- Production systems and infrastructure
- Customer data stores and pipelines
- Third-party integrations and APIs
- Employee endpoints and identities
Step 2 – Identify Threats and Vulnerabilities
For each asset, identify applicable threats and vulnerabilities using the reference table below.
Step 3 – Score Likelihood and Impact
Likelihood Scale
| Score | Level | Definition |
|---|---|---|
| 1 | Rare | Unlikely to occur; no known instances in the industry |
| 2 | Unlikely | Could occur but is not expected; limited precedent |
| 3 | Possible | May occur; known to happen in similar organisations |
| 4 | Likely | Expected to occur in most circumstances |
| 5 | Almost Certain | Near-certain to occur; actively exploited in the wild |
Impact Scale
| Score | Level | Definition |
|---|---|---|
| 1 | Negligible | No customer impact; no regulatory consequence |
| 2 | Minor | Limited impact on a small number of customers; no breach |
| 3 | Moderate | Measurable customer impact; potential contractual breach |
| 4 | Major | Significant customer data exposure; regulatory notification likely |
| 5 | Critical | Mass data breach; service-wide outage; existential business risk |
Risk Score = Likelihood × Impact
| Score Range | Rating | Action Required |
|---|---|---|
| 1–4 | Low | Accept or monitor; review at next annual assessment |
| 5–9 | Medium | Treat within 90 days; assign owner |
| 10–16 | High | Treat within 30 days; escalate to CISO |
| 17–25 | Critical | Treat immediately; notify Executive Team |
Step 4 – Select Treatment Option
| Option | When to Use |
|---|---|
| Mitigate | Implement controls to reduce likelihood or impact to acceptable level |
| Accept | Residual risk is within risk appetite; document formal acceptance with owner sign-off |
| Transfer | Purchase cyber insurance or contractually transfer risk to a third party |
| Avoid | Cease the activity that creates the risk |
Step 5 – Implement and Verify
Assign an owner, set a due date, and track treatment in the Risk Register. Verify that implemented controls reduce the residual risk score as expected.
2. Threat and Vulnerability Reference
| Threat | Example Vulnerabilities |
|---|---|
| Unauthorised access | Weak passwords, missing MFA, over-privileged accounts |
| Data exfiltration | Unencrypted storage, missing DLP, insider threat |
| Service disruption | Single point of failure, no DR plan, DDoS exposure |
| Supply chain compromise | Unvetted vendors, no access review for third parties |
| Ransomware | Unpatched systems, no offline backups, phishing susceptibility |
| Misconfiguration | Public S3 buckets, open security groups, default credentials |
| Insider threat | Excessive access, no activity monitoring, poor offboarding |
| Social engineering | No security awareness training, no phishing simulation |
3. Risk Register Template
| Risk ID | Asset | Threat | Vulnerability | Likelihood | Impact | Score | Rating | Treatment | Owner | Due Date | Residual Score | Status |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RISK-001 | Customer database | Unauthorised access | Single-factor auth on admin console | 4 | 5 | 20 | Critical | Enforce MFA for all admin access | Engineering Lead | [Date] | 4 | Open |
| RISK-002 | Production API | Data exfiltration | API keys in environment variables (plaintext) | 3 | 4 | 12 | High | Migrate to secrets manager (AWS SSM/Vault) | DevOps Lead | [Date] | 3 | In Progress |
| RISK-003 | Cloud infrastructure | Misconfiguration | No automated config scanning | 3 | 4 | 12 | High | Deploy AWS Config / Prisma Cloud | Security Eng | [Date] | 4 | Open |
| RISK-004 | Employee endpoints | Ransomware | Missing endpoint protection | 3 | 3 | 9 | Medium | Deploy EDR to all endpoints | IT Admin | [Date] | 2 | Complete |
| RISK-005 | Third-party integrations | Supply chain attack | No vendor security review process | 2 | 4 | 8 | Medium | Implement vendor assessment procedure | Compliance | [Date] | 4 | Open |
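The following Python script is an added illustration and is not part of this procedure. It applies the scoring rules of Step 3 (Likelihood × Impact and the rating bands), the Step 5 requirement that treatment lowers the residual score, and the Section 5 rule that a residual risk rated Medium or above needs a formal acceptance record, to rows of the Risk Register. The `RiskEntry` field names are an assumption that mirrors the register columns; the five register rows are copied from the template above, and the final row is a constructed example with deliberate inconsistencies so the checks have something to report.

```python
from __future__ import annotations
from dataclasses import dataclass

# Rating bands from Step 3: (min score, max score, rating, action required)
RATING_BANDS = [
    (1, 4, "Low", "Accept or monitor; review at next annual assessment"),
    (5, 9, "Medium", "Treat within 90 days; assign owner"),
    (10, 16, "High", "Treat within 30 days; escalate to CISO"),
    (17, 25, "Critical", "Treat immediately; notify Executive Team"),
]


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact; both inputs use the 1-5 scales in Step 3."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1-5, got {value}")
    return likelihood * impact


def rating_for(score: int) -> str:
    """Map a 1-25 score to Low / Medium / High / Critical."""
    for low, high, rating, _ in RATING_BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score} is outside the 1-25 range")


def action_for(score: int) -> str:
    """Treatment deadline / escalation that Step 3 attaches to the rating."""
    for low, high, _, action in RATING_BANDS:
        if low <= score <= high:
            return action
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class RiskEntry:
    # Field names are an assumption; they mirror the register columns in Section 3.
    risk_id: str
    likelihood: int
    impact: int
    stated_score: int
    stated_rating: str
    residual_score: int


def validate_entry(entry: RiskEntry) -> list[str]:
    """Return the consistency problems found in one register row (empty list = clean)."""
    findings = []
    score = risk_score(entry.likelihood, entry.impact)
    if score != entry.stated_score:
        findings.append(f"score should be {score}, register says {entry.stated_score}")
    if rating_for(score) != entry.stated_rating:
        findings.append(f"rating should be {rating_for(score)}, register says {entry.stated_rating}")
    # Step 5: treatment must bring the residual score below the inherent score.
    if entry.residual_score >= score:
        findings.append("residual score is not lower than the inherent score")
    # Section 5: accepted residual risk rated Medium or above needs a formal acceptance record.
    if rating_for(entry.residual_score) != "Low":
        findings.append("residual risk is Medium or above; formal acceptance record required")
    return findings


def validate_register(entries: list[RiskEntry]) -> dict[str, list[str]]:
    """Validate every row; only rows with findings appear in the result."""
    report = {}
    for entry in entries:
        findings = validate_entry(entry)
        if findings:
            report[entry.risk_id] = findings
    return report


# Rows copied from the register template in Section 3.
REGISTER = [
    RiskEntry("RISK-001", 4, 5, 20, "Critical", 4),
    RiskEntry("RISK-002", 3, 4, 12, "High", 3),
    RiskEntry("RISK-003", 3, 4, 12, "High", 4),
    RiskEntry("RISK-004", 3, 3, 9, "Medium", 2),
    RiskEntry("RISK-005", 2, 4, 8, "Medium", 4),
]

# Constructed row with deliberate defects: a mis-copied score and rating, and a
# residual score that still sits in the Medium band.
INCONSISTENT_ROW = RiskEntry("RISK-999", 3, 4, 15, "Medium", 6)

if __name__ == "__main__":
    for entry in REGISTER + [INCONSISTENT_ROW]:
        score = risk_score(entry.likelihood, entry.impact)
        print(entry.risk_id, score, rating_for(score), "->", action_for(score))
    for risk_id, problems in validate_register(REGISTER + [INCONSISTENT_ROW]).items():
        print(risk_id)
        for problem in problems:
            print("  -", problem)
```

Running the script prints the computed score, rating and required action for each row, then lists only the rows that fail a check; the five template rows pass and RISK-999 reports three findings. The same validator can be run against an exported register before each quarterly review in Section 4 to catch hand-entered scores that no longer match the scales.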
4. Review Schedule
| Event | Frequency |
|---|---|
| Full risk assessment | Annually (minimum) |
| Risk register review | Quarterly |
| Ad-hoc reassessment | After significant system change, incident, or new vendor onboarding |
| Management review | Annually as part of SOC 2 management review cycle |
5. Residual Risk Acceptance
Residual risks rated Medium or above that are formally accepted must be documented with:
- Risk description and score
- Business justification for acceptance
- Risk owner name and signature
- Review date (maximum 12 months)
| Risk ID | Description | Residual Score | Justification | Accepted By | Review Date |
|---|---|---|---|---|---|