Risk Treatment Plan Guidance
Compliance frameworks require organizations to define and apply an information security risk treatment process. To satisfy this requirement, the risk assessment report generated as a result of completing the risk assessment within Drata will include two tables: “Risk Assessment Results” and “Risk Treatment Plan”. To meet compliance requirements for risk assessment and risk treatment, a risk assessment and a risk treatment plan will need to be completed on at least an annual basis.
The “Risk Assessment Results” table will include the risks identified and the risk rating based on the likelihood and impact identified by your organization as a result of completing the risk assessment within Drata.
The “Risk Treatment Plan” table will include the remediation plans and the details for ensuring that the identified risk is appropriately treated. The first two columns of the “Risk Treatment Plan” will be completed when the risk report is generated out of Drata. The remaining columns will need to be completed by your organization upon receiving the risk assessment report.
The following defines each column and the type of information that will be necessary for completing the “Risk Treatment Plan” table:
Remediation Plan - Document how you are mitigating or treating the identified risk. We recommend including links to tickets or other documentation that details the technical aspects of the risk mitigation. If you choose to not mitigate (such as accepting, avoiding or transferring) the risk, you can make a note of that in this column and mark the remaining columns N/A.
Remediation Owner - The person within your organization who will be responsible for the success of the remediation plan for the identified risk.
Target Remediation Date - The target completion date for the remediation. Your auditor will inquire about remediation plans that have a target date in the past to determine if the remediation has been completed.
Likelihood After Remediation - The likelihood of the risk occurring after a remediation plan has been implemented. Use the same scale as the likelihood column from the same column in the “Risk Assessment Results” table (1-5).
Impact After Remediation - The impact to the organization if the risk were to materialize after a remediation plan has been implemented. Use the same scale as the impact column from the same column in the “Risk Assessment Results” table (1-5).
Risk Rating After Remediation - Multiply the “Likelihood After Remediation” column by the “Impact After Remediation Column” to get your Risk Rating. Likelihood after remediation X Impact after remediation
Relevant Requirements - These are the relevant requirements (i.e. SOC 2 Criteria and/or ISO 27001 Annex A controls) that tie to the remediation that you will implement. Please reference the “Recommended Requirements Mapping” section below for our recommendations on which requirements map to which risk assessment items.
The following is an example of completed “Risk Assessment Results” and “Risk Treatment Plan” tables for example identified risks as a result of completing the Risk Assessment within Drata.
4. Risk Assessment Results
Item # | Observation | Category | Threat | Likelihood | Impact | Risk Rating |
1 | AcmeCorp does not encrypt Customer Data while the data is in transit | Engineering | Customer Data may be accessed by unauthorized parties while in transit | 3 | 4 | 12 - HIGH |
2 | AcmeCorp has not conducted an Incident Response test or tabletop in the last 12 months | Information Security | Without proper training, key stakeholders may not know how to react or respond in the even of a real incident | 2 | 3 | 6 - MEDIUM |
3 | [...] | [...] | [...] | [...] | [...] | [...] |
4 | [...] | [...] | [...] | [...] | [...] | [...] |
5 | [...] | [...] | [...] | [...] | [...] | [...] |
6 | [...] | [...] | [...] | [...] | [...] | [...] |
7 | [...] | [...] | [...] | [...] | [...] | [...] |
8 | [...] | [...] | [...] | [...] | [...] | [...] |
9 | [...] | [...] | [...] | [...] | [...] | [...] |
5. Risk Treatment Plan
Item # | Remediation Plan | Remediation Owner | Target Remediation Date | Likelihood after remediation | Impact after remediation | Risk Rating after remediation | Relevant Requirements |
|
| Who is responsible for the risk remediation? | When does the remediation need to be completed? | What is the new likelihood of this risk occurring after remediation has been put in place? | What is the new impact of this risk after remediation has been put in place? | Multiply the new likelihood and new impact to determine the new risk rating | Which controls are relevant to this risk and remediation plan? |
1 | Acme Corp will enforce TLS on the connection between the customer and Acme Corp’s SaaS Application | Head of Engineering | 01/31/2022 | 1 | 4 | 4 - LOW | ISO (2013): A.10.1.1 A.13.1.1 A.14.1.2
ISO (2022): A.8.20 A.8.24 A.8.26
SOC 2: CC6.6 CC6.7 |
2 | Acme Corp will conduct an Incident Response Tabletop with key stakeholders | CISO | 02/28/2022 | 1 | 3 | 3 - LOW | ISO (2013): A.16.1.1 A.16.1.2 A.16.1.3 A.16.1.4 A.16.1.5 A.16.1.6 A.16.1.7
ISO (2022): A.5.24 A.5.25 A.5.26 A.5.27 A.5.28 A.6.8
SOC 2: CC7.5 |
3 | [...] | [...] | [...] | [...] | [...] | [...] |
|
4 | [...] | [...] | [...] | [...] | [...] | [...] |
|
5 | [...] | [...] | [...] | [...] | [...] | [...] |
|
6 | [...] | [...] | [...] | [...] | [...] | [...] |
|
7 | [...] | [...] | [...] | [...] | [...] | [...] |
|
8 | [...] | [...] | [...] | [...] | [...] | [...] |
|
9 | [...] | [...] | [...] | [...] | [...] | [...] |
|
Recommended Requirements Mapping
When using these recommendations, remove the requirements from the relevant requirements column that do not apply to your organization. The item # below will align to the item # in your complete risk assessment report.
Item # | Risk Statement | Relevant Requirements |
|
| Which controls are relevant to this risk and remediation plan? |
1 | Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034, BSIMM) to build in security for your Systems/Software Development Lifecycle (SDLC)? * | SOC 2: CC8.1 ISO 27001 (2013): A.14.1.1, A.14.2.1 ISO 27001 (2022): A.5.8, A.8.25 HIPAA: 164.306(a), 164.306(b) PCI: 6.3(b) |
2 | Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents? * | SOC 2: CC6.6, CC6.8, CC7.1, CC7.2 ISO 27001 (2013): C9.1, A.12.4.3, A.12.6.1, A.12.6.2, A.13.1.1, A.13.1.2 ISO 27001 (2022): C9.1, A.8.8, A.8.15, A.8.19, A.8.20, A.8.21 HIPAA: 164.308(a)(5)(ii)(B), 164.312(c)(1) PCI: 11.4(a), 11.4(b), 11.4(c) |
3 | Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? * | SOC 2: CC7.1, CC7.2, CC7.3 ISO 27001 (2013): A.12.4.1, A.12.4.2, A.12.4.3 ISO 27001 (2022): A.8.15 HIPAA: 164.308(a)(5)(ii)(C), 164.312(b), 164.312(c)(2) PCI: 10.4 |
4 | Do you segregate production and non-production environments? * | SOC 2: CC8.1 ISO 27001 (2013): C9.1, A.12.1.4, A.14.2.2, A.14.2.8, A.14.2.9 ISO 27001 (2022): C9.1, A.8.31, A.8.32, A.8.29 PCI: 6.4.1(a) |
5 | Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? * | SOC 2: CC6.6 ISO 27001 (2013): C9.1, A.13.1.1, A.13.1.2, A.13.1.3 ISO 27001 (2022): C9.1, A.8.20, A.8.21, A.8.22 PCI: 1.1.4(a) |
6 | Do you use manual and/or automated source-code analysis to detect security defects in code prior to production? * | SOC 2: CC7.1, CC8.1 ISO 27001 (2013): A.12.1.2, A.12.6.1, A.14.2.1, A.14.2.2, A.14.2.8, A.18.2.3 ISO 27001 (2022): A.5.36, A.8.8, A.8.25, A.8.28, A.8.29, A.8.32 PCI: 6.4.5.3(b) |
7 | Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? * | SOC 2: CC7.1, CC8.1 ISO 27001 (2013): A.12.1.2, A.12.6.1, A.14.2.1, A.14.2.2, A.14.2.8, A.18.2.3 ISO 27001 (2022): A.5.36, A.8.8, A.8.25, A.8.29, A.8.32 HIPAA: 164.306(a), 164.306(b), 164.306(c), 164.306(d), 164.306(e), 164.308(a)(1)(i), 164.316(a) PCI: 6.1, 6.4.5.3(b) GDPR: 32 |
8 | Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? * | SOC 2: CC1.2, CC3.1, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC7.1 ISO 27001 (2013): C9.3, A.12.6.1, A.18.2.2, A.18.2.3 ISO 27001 (2022): C9.3.1, A.5.36, A.8.8 HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(8) PCI: 11.3.1(a), 11.3.1(b), 11.3.2(a), 11.3.2(b) GDPR: 32 |
9 | Does your organization have a plan or framework for business continuity management or disaster recovery management? * | SOC 2: CC5.3, CC9.1, A1.2, A1.3, P4.2 ISO 27001 (2013): A.11.1.4, A.12.3.1, A17.1.1, A.17.1.2, A.17.1.3 ISO 27001 (2022): A.5.29, A.5.30, A.7.5, A.8.13 HIPAA: 164.308(a)(7)(i), 164.308(7)(ii)(B), 164.308(a)(7)(ii)(C), 164.310(a)(2)(i), 164.312(a)(2)(ii) PCI: 12.10.1(b)(3) GDPR: 32 |
10 | Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings? * | ISO 27001 (2013): A.5.1.1, A.12.1.1, A.12.7.1, A.18.2.3 ISO 27001 (2022): A.5.1, A.5.36, A.5.37, A.8.8, A.8.34 HIPAA: 164.306(a), 164.306(b), 164.306(c), 164.306(d), 164.306(e), 164.308(a)(1)(i), 164.316(a) PCI: 6.1 GDPR: 32 |
11 | Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems? | SOC 2: CC6.8 ISO 27001 (2013): A.12.6.2 ISO 27001 (2022): A.8.19 HIPAA: 164.310(b) PCI: 12.3.5 |
12 | Do you have policies/procedures in place to ensure production data shall not be replicated or used in non-production environments? * | SOC 2: C1.1 ISO 27001 (2013): C7.5.3, A.12.1.4, A.14.2.2, A.14.3.1 ISO 27001 (2022): C7.5.3, A.8.31, A.8.32, A.8.33 PCI: 6.4.3 |
13 | Do you have key management policies binding keys to identifiable owners? * | SOC 2: CC6.1 ISO 27001 (2013): A.9.1.1, A.9.1.2, A.9.4.1, A.10.1.1, A.10.1.2 ISO 27001 (2022): A.5.15, A.8.3, A.8.24 HIPAA: 164.308(a)(4)(i), 164.312(a)(2)(iv) PCI: 3.6(a) |
14 | Do you encrypt tenant data at rest (on disk/storage) within your environment as well as data in transit? * | SOC 2: CC6.1, CC6.7, PI1.5 ISO 27001 (2013): A.6.2.1, A.9.1.2, A.9.2.2, A.10.1.1, A.12.3.1, A.13.1.1, A.14.1.2, A.18.1.3 ISO 27001 (2022): A.5.15, A.5.18, A.5.33, A.8.1, A.8.13, A.8.20, A.8.24, A.8.26 HIPAA: 164.312(a)(2)(iv), 164.312(e)(1), 164.312(e)(2)(ii) PCI: 4.1(e), 12.3.10(b) GDPR: 32 |
15 | Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? * | SOC 2: CC6.8, CC7.1, CC7.2 ISO 27001 (2013): C9.1, A.12.4.1, A.12.4.2, A.12.4.3, A.13.1.1 ISO 27001 (2022): C9.1.1, A.8.15, A.8.20 HIPAA: 164.308(a)(5)(ii)(C), 164.312(b) PCI: 10.5.5, 10.6.1(b), 10.7(c) |
16 | Are infrastructure audit logs centrally stored, retained, and reviewed on a regular basis for security events (e.g., with automated tools)? * | SOC 2: CC7.2 ISO 27001 (2013): A.12.4.1, A.12.4.2, A.12.4.3 ISO 27001 (2022): A.8.15 HIPAA: 164.312(b) |
17 | Does your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants? * | SOC 2: A1.1 ISO 27001 (2013): C9.1, A.12.1.3 ISO 27001 (2022): C9.1.1, A.8.6 |
18 | Do you regularly update network architecture diagrams that include data flows between security domains/zones? | SOC 2: CC2.1 ISO 27001 (2013): C7.5.1 ISO 27001 (2022): C7.5.1 HIPAA: 164.308(a)(4)(ii)(A) PCI: 1.1.2(a), 1.1.2(b), 1.1.3(a) |
19 | Do you collect capacity and use data for all relevant components of your cloud service offering? * | SOC 2: A1.1 ISO 27001 (2013): C9.1, A.12.1.3 ISO 27001 (2022): C.9.1.1, A.8.6 |
20 | Do your engineers review code changes for injection flaws, such as SQL injections and OS command injection? * | SOC 2: CC6.8 ISO 27001 (2013): A.12.1.2, A.12.6.1, A.14.2.1, A14.2.2 ISO 27001 (2022): A.8.8, A.8.25, A.8.32 PCI: 6.3.2 |
21 | Do you deliver SDLC and/or OWASP Top 10 training to full time and contractor developers who develop or maintain code and infrastructure that can affect the security of the system? * | ISO 27001 (2022): A.8.28 PCI: 6.5(b) |
22 | Do you consistently identify systems that contain user data as containing user data in an inventory list of digital assets? * | SOC 2: CC2.1, CC6.1 ISO 27001 (2013): A.8.1.1, A.8.2.1 ISO 27001 (2022): A.5.9, A.5.12 HIPAA: 164.310(d)(2)(iii) PCI: 2.4(a), 2.4(b) |
23 | Do you configure networks to restrict inbound and outbound traffic to only that which is absolutely necessary, especially for sensitive assets, such as databases and storage points that contain sensitive user data? * | SOC 2: CC6.1 ISO 27001 (2013): A.13.1.2 ISO 27001 (2022): A.8.21 PCI: 1.2.1(a), 1.3.4, 8.7(b) |
24 | Do you conduct functionality testing on new code changes to ensure changes do not adversely affect the availability or security of the system? * | SOC 2: CC8.1 ISO 27001 (2013): A.12.1.2, A.14.2.2, A.14.2.8 ISO 27001 (2022): A.8.29, A.8.32 PCI: 6.4.5.3(a) |
25 | Do you enforce a QA stage within your development practices that includes testing functionality on a staging server before code is pushed to production? * | SOC 2: CC8.1 ISO 27001 (2013): A.12.1.2, A.14.2.2, A.14.2.8 ISO 27001 (2022): A.8.29, A.8.32 PCI: 6.4.5.3(a) |
26 | Regarding security headers, do your web endpoints meet an 'A' grade according to securityheaders.io ? (note: this could be scripted if a list of URLs is provided) * | SOC 2: CC6.1 ISO 27001 (2013): A.10.1.1 ISO 27001 (2022): A.8.24 PCI: 2.2(a), 2.2(c) GDPR: 5, 32 |
27 | Does your web framework encode all rendered output, e.g., React JSX? * | SOC 2: CC6.1 ISO 27001 (2013): A.10.1.1 ISO 27001 (2022): A.8.24 PCI: 2.2(a), 2.2(c) GDPR: 5, 32 |
28 | Do you enforce application password requirements? * | SOC 2: CC6.1, CC6.6, C1.1 ISO 27001 (2013): A.9.2.4 ISO 27001 (2022): A.5.17 HIPAA: 164.312(a)(2)(i), 164.312(c)(1), 164.312(e)(2)(i) PCI: 8.1.6(b), 8.2.3(a), 8.2.3(b), 8.2.5(b) |
29 | Do you monitor for and apply security patches for vulnerabilities in third party libraries and their dependencies? Do you use a software composition analysis tool? * | SOC 2: CC6.8 ISO 27001 (2022): A.6.3, A.8.28 PCI: 6.2(b) |
30 | Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)? | SOC 2: CC1.1, CC2.2, CC5.2, CC5.3 ISO 27001 (2013): A.5.1.1 ISO 27001 (2022): A.5.1 HIPAA: 164.316(a) PCI: 12.6.2 GDPR: 5, 24, 25, 32 |
31 | Do you disclose which controls, standards, certifications, and/or regulations you comply with? | N/A |
32 | Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility? | SOC 2: CC1.2, CC5.3 ISO 27001 (2013): C9.3, A.5.1.2, A.18.2.2 ISO 27001 (2022): C9.3.1, C9.3.3, A.5.1, A.5.36 HIPAA: 164.306(e), 164.308(a)(8), 164.316(b)(2)(iii) |
33 | Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines? | SOC 2: CC2.1, CC2.2, CC5.1, CC5.2, CC7.1 ISO 27001 (2013): A.12.7.1, A.13.1.1 ISO 27001 (2022): A.8.20, A.8.34 HIPAA: 164.312(b) |
34 | Do you conduct risk assessments associated with data governance requirements at least once a year? | SOC 2: CC1.2, CC2.1, CC3.1, CC3.2, CC3.3, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2 ISO 27001 (2013): C6.1.2, C6.2, C8.2, A.18.2.1, A.18.2.2 ISO 27001 (2022): C6.1.2, C6.2, C8.2, A.5.35, A.5.36 HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(8) PCI: 12.2(b) |
35 | Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures? | SOC 2: CC2.1, CC5.3 ISO 27001 (2013): C4.1, C5.1, C5.2, C6.2, A.5.1.1, A.7.2.3 ISO 27001 (2022): C4.1, C5.1, C5.2, C6.2, A.5.19, A.6.4 HIPAA: 164.308(a)(1)(ii)(C) PCI: 5.4, 12.1 GDPR: 32 |
36 | Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures? | SOC 2: CC2.1, CC5.3 ISO 27001 (2013): C4.1, C5.1, C5.2, C6.2, A.5.1.1, A.7.2.3 ISO 27001 (2022): C4.1, C5.1, C5.2, C6.2, A.5.1, A.6.4 HIPAA: 164.308(a)(1)(ii)(C) PCI: 5.4, 12.1 GDPR: 32 |
37 | Do you perform, at minimum, annual reviews to your privacy and security policies? | SOC 2: CC1.2, CC5.3, P1.1 ISO 27001 (2013): C9.3, A.5.1.2, A.18.1.4, A.18.2.2 ISO 27001 (2022): C9.3.1, C9.3.2, C9.3.3, A.5.1, A.5.34, A.5.36 HIPAA: 164.306(e), 164.308(a)(8), 164.316(b)(1)(i), 164.316(b)(1)(ii), 164.316(b)(2)(iii) PCI: 2.5, 3.7, 4.3.0, 5.4, 6.7, 7.3.0, 8.8, 9.10, 10.9, 11.6, 12.1.1, 12.6.2 GDPR: 24, 25 |
38 | Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories? | SOC 2: CC1.2, CC2.1, CC3.1, CC3.2, CC3.3, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2 ISO 27001 (2013): C6.1.2, C6.2, C8.2, A.18.2.1, A.18.2.2 ISO 27001 (2022): C6.1.2, C6.2, C8.2, A.5.35, A.5.36 HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(8) PCI: 12.2(b) |
39 | Do you have a documented security incident response plan? | SOC 2: CC2.2, CC2.3, CC4.2, CC7.3, CC7.4, CC7.5, CC9.1 ISO 27001 (2013): A.5.1.1, A.16.1.1, A.16.1.5, A.16.1.6, A.16.1.7 ISO 27001 (2022): A.5.1, A.5.24, A.5.26, A.5.27, A.5.28 HIPAA: 164.308(a)(6)(i), 164.308(a)(6)(ii), 164.316(a), 164.402 PCI: 12.10.1(a) GDPR: 32 |
40 | Have you tested your security incident response plans in the last year? | SOC 2: CC7.5 ISO 27001 (2013): C7.2, A.16.1.1, A.16.1.6 ISO 27001 (2022): C7.2, A.5.24, A.5.27 HIPAA: 164.308(a)(6)(i), 164.308(a)(6)(ii) PCI: 12.10.2 |
41 | Do you conduct application-layer and network-layer vulnerability scans regularly as prescribed by industry best practices? | SOC 2: CC1.2, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC7.1, CC7.2 ISO 27001 (2013): A.12.6.1, A.18.2.2, A.18.2.3 ISO 27001 (2022): A.5.36, A.8.8 HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B) PCI: 6.6, 11.2.1(a), 11.2.2(a) GDPR: 32 |
42 | Does your company require employment agreements to be signed by newly hired or onboarded workforce personnel prior to granting access to corporate facilities, resources, and assets? * | SOC 2: C1.1, P6.4 ISO 27001 (2013): A.7.1.2, A.7.2.1 ISO 27001 (2022): A.5.4, A.6.2 |
43 | Does your company conduct background verification screening for all employees and contractors? | SOC 2: CC1.1, CC1.4 ISO 27001 (2013): A.6.1.1, A.7.1.1 ISO 27001 (2022): A.5.2, A.6.1 HIPAA: 164.308(a)(3)(ii)(B) PCI: 12.7 |
44 | Do your employment offers include non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details? * | SOC 2: C1.1, P6.4 ISO 27001 (2013): A.7.1.2, A.7.2.1 ISO 27001 (2022): A.5.4, A.6.2 |
45 | Do you define allowance and conditions for BYOD devices and its applications to access corporate resources? * | SOC 2: CC1.1, CC1.5, CC2.2, CC6.1 ISO 27001 (2013): A.5.1.1, A.7.2.1, A.8.1.3 ISO 27001 (2022): A.5.1, A.5.4, A.5.10 HIPAA: 164.306(a), 164.306(b), a64.306(c), 164.310(b) PCI: 12.3.5 |
46 | Do you provide a formal security awareness training program for all applicable personnel at least once per year? * | SOC 2: CC1.4, CC1.5, CC2.2, CC5.2 ISO 27001 (2013): C7.3, A.5.1.1, A.7.2.2 ISO 27001 (2022): C7.3, A.5.1, A.6.3 HIPAA: 164.308(a)(5)(i), 164.530(b) PCI: 12.6.1(b) |
47 | Do you document employee acknowledgment of training they have completed? * | SOC 2: CC1.4, CC1.5, CC2.2, CC5.2 ISO 27001 (2013): C7.3, A.5.1.1, A.7.2.2 ISO 27001 (2022): C7.3, A5.1, A.6.3 HIPAA: 164.308(a)(5)(i), 164.530(b) PCI: 12.6.1(b) |
48 | Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? * | SOC 2: CC1.4 HIPAA: 164.308(a)(5)(i), 164.530(b) PCI: 6.5(b), 9.9(c), 9.9.3(c),, 12.6.1(c), 12.10.4 |
49 | Is successful completion of the security awareness training considered a prerequisite for acquiring and maintaining access to sensitive systems? | SOC 2: CC1.4, CC1.5, CC2.2, CC5.2 ISO 27001 (2013): C7.3, A.5.1.1, A.7.2.2 ISO 27001 (2022): C7.3, A.5.1, A.6.3 HIPAA: 164.308(a)(5)(i), 164.530(b) PCI: 12.6.1(b) |
50 | Are personnel informed of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements? * | SOC 2: CC1.1, CC2.2, CC5.2, CC5.3 ISO 27001 (2013): A.7.1.2, A.7.2.1, A.8.1.3 ISO 27001 (2022): A.6.2, A.5.4, A.5.10 HIPAA: 164.316(a) PCI: 3.7, 4.3.0, 5.4, 7.3.0, 8.8, 9.10, 10.9, 11.6, 12.6.2 GDPR: 5, 24, 25, 32 |
51 | Are personnel informed of their responsibilities for maintaining a safe and secure working environment? | SOC 2: C1.1 ISO 27001 (2013): A.5.1.1, A.7.2.1, A.11.2.9 ISO 27001 (2022): A.5.1, A.5.4, A.7.7 HIPAA: 164.306(a), 164.306(c), 164.316(a) |
52 | Are personnel informed of their responsibilities for ensuring that equipment is secured and not left unattended? | SOC 2: CC1.1, CC1.5, CC2.2, CC6.1 ISO 27001 (2013): A.5.1.1, A.7.2.1, A.8.1.3 ISO 27001 (2022): A.5.1, A.5.4, A.5.10 HIPAA: 164.306(a), 164.306(b), a64.306(c), 164.310(b) PCI: 12.3.5 |
53 | Do you have asset return procedures for terminated employees outlining how company assets should be returned within an established period? | SOC 2: CC6.2, CC6.3, CC6.4, CC6.5, C1.2, P.4.3 ISO 27001 (2013): A.7.1.2, A.7.3.1, A.8.1.4 ISO 27001 (2022): A.5.11, A.6.2, A.6.5 HIPAA: 164.308(a)(4)(i) |
54 | Does your company restrict and/or control access to your accounting software and digital records? | SOC 2: CC6.1 |
55 | Does your company compare two independent sets of records for one set of transactions? (ex: matching delivery receipts to vendor payments, matching bank statements to the general ledger) | SOC 2: CC3.0 |
56 | Does your company continuously monitor its financial performance? (ex: comparing budgeted to actual cash flow) | SOC 2: CC3.0 |
57 | Does your company segregate various financial responsibilities? (ex: requiring two people to make purchases: one signs checks, one authorizes the purchase) | SOC 2: CC3.0 |
58 | Are new Finance employees trained on your financial reporting control requirements? | SOC 2: CC3.0 |
59 | Are new bank accounts or credit cards only opened through the direction and approval of the Board of Directors? | SOC 2: CC3.0 |
60 | Are all manually generated checks reviewed and approved by a Finance Manager? | SOC 2: CC3.0 |
61 | Do Finance personnel prepare amortization schedules for all recorded prepaid expenses, to then be reviewed and approved by management? | SOC 2: CC3.0 |
62 | Does management periodically review a fixed assets register to verify the existence and right to the assets, and document and report on the findings? | SOC 2: CC3.0 |
63 | Are employee benefit obligation adjustments regularly compared to budget and are significant variances investigated and reported on? | SOC 2: CC3.0 |
64 | Does management conduct monthly financial statement reviews to compare to budget, and investigate significant variances? | SOC 2: CC3.0 |
65 | Are invoices authorized and accompanied by appropriate supporting documentation, and only after confirming the customer exists in a master customer file? | SOC 2: CC3.0 |
66 | Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations? | SOC 2: CC2.2, CC5.3, A1.1, A1.3, P6.5 ISO 27001 (2013): A.16.1.2 ISO 27001 (2022): A.6.8 HIPAA: 164.314(a)(2)(i)(c), 164.402 PCI: 12.10.1(b)(5) |
67 | Does legal counsel review all third-party agreements? | SOC 2: CC2.3, CC3.2, CC3.4, CC4.1, CC4.2, CC9.2, P6.2 ISO 27001 (2013): A.15.1.2 ISO 27001 (2022): A.5.20 HIPAA: 164.314(a)(1), 164.314(a)(2)(iii) |
68 | Do third-party agreements include provision for the security and protection of information and assets? | SOC 2: CC2.3, CC3.2, CC3.4, CC4.1, CC4.2, CC9.2, P6.2 ISO 27001 (2013): A.15.1.2 ISO 27001 (2022): A.5.20 HIPAA: 164.314(a)(1), 164.314(a)(2)(iii) |
69 | Do you have the capability to recover data for a specific customer in the case of a failure or data loss? | SOC 2: A1.3 ISO 27001 (2013): A.12.3.1, A.17.2.1 ISO 27001 (2022): A.8.13, A.8.14 HIPAA: 164.308(a)(7)(ii)(A), 164.310(d)(2)(iv) |
70 | Do you have the capability to restrict the storage of customer data to specific countries or geographic locations? | GDPR: 44, 45, 46, 49 |
71 | Can you provide the physical location/geography of storage of a tenant’s data upon request? | GDPR: 44, 45, 46, 49 |
72 | Do you provide the client with a list and copies of all subprocessing agreements and keep this updated? | SOC 2: CC2.3 ISO 27001 (2013): A.18.1.4 ISO 27001 (2022): A.5.34 HIPAA: 164.316(a) GDPR: 19, 28, 29 |
73 | Do you mandate annual information security reviews and audits of your third party providers to ensure that all agreed upon security requirements are met? | SOC 2: CC2.3, CC3.2, CC6.4, CC9.2, P6.2, P6.4 ISO 27001 (2013): A.15.1.2, A.15.2.1 ISO 27001 (2022): A.5.20, A.5.22 HIPAA: 164.308(b)(1), 164.314(a)(1) PCI: 12.8.4 |
74 | Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks? | SOC 2: CC1.2, CC3.1, CC3.2, CC3.4, CC4.1, CC4.2, CC5.1, CC5.2, CC7.1, CC7.2 ISO 27001 (2013): A.12.6.1, A.18.2.2, A.18.2.3 ISO 27001 (2022): A.5.36, A.8.8 HIPAA: 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B) PCI: 6.6, 11.2.1(a), 11.2.2(a), 11.3.1(a), 11.3.1(b), 11.3.4(a) GDPR: 32 |
75 | Are sales transactions, volumes, and values reviewed monthly and compared to budget, and are explanations documented for any significant variances or differences? | SOC 2: CC3.0 |
76 | Are sales agreements reviewed by personnel with requisite experience to determine if the revenue recognition criteria are met? | SOC 2: CC3.0 |
77 | Are sales transactions that trigger promotional allowances or discounts reviewed and approved by management prior to executing an agreement? | SOC 2: CC3.0 |
78 | Are total promotional discounts reviewed monthly and compared to budget for significant variance? | SOC 2: CC3.0 |
79 | Are the methods by which promotional discounts are calculated and granted reviewed monthly by management and documented? | SOC 2: CC3.0 |