GOV-005 Risk Assessment
Description
Information security risks are identified and assessed on a defined schedule and when significant changes occur. Risk assessments document threats, vulnerabilities, likelihood, impact, and current controls, and results are used to prioritize treatment decisions.
Rationale
A repeatable risk assessment process is the mechanism by which an organization identifies where its security investment should be directed. Without documented risk assessments, control selection is arbitrary.
Framework Mappings (6)
| Framework control | Title | Mapping |
| --- | --- | --- |
| GRC-02 | Risk Management Program | partial |
| GDPR-Art.32.2 | Risk-Based Security Assessment | partial |
| 5.1 | Policies for information security | informative |
| RA-3 | Risk Assessment | full |
| CC3.2 | COSO Principle 7: Identifies and Analyzes Risk | full |
| CC3.4 | COSO Principle 9: Identifies and Analyzes Significant Change | partial |
Evidence (2)
Completed risk assessment report documenting threats, vulnerabilities, likelihood, impact ratings, and current controls for in-scope information assets.
Example: Annual Information Security Risk Assessment Report (Google Drive / SharePoint), dated within the last 12 months, showing a named assessor, risk register extract, and treatment recommendations.
Test: Request the most recent risk assessment report. Verify: (1) the report is dated within the defined assessment interval, (2) it documents threats, vulnerabilities, likelihood, and impact for each assessed asset or domain, (3) current controls are noted against each risk, (4) treatment decisions (accept/mitigate/transfer/avoid) are recorded, (5) a named assessor is identified.
Risk register showing current risk inventory with likelihood, impact, and treatment status populated.
Example: Risk register (ISMS tool, spreadsheet, or GRC platform such as Vanta/Drata), with columns for risk ID, description, likelihood, impact, treatment decision, owner, and current status — reviewed within the last 12 months.
Test: Query or export the risk register. Verify: (1) risks identified in the most recent assessment are present, (2) each risk has a named owner, (3) treatment status is populated and current, (4) the register shows a last-reviewed date within the defined interval.
Questions (3)
Does your organization conduct formal information security risk assessments on a defined schedule?
A risk assessment should document threats, vulnerabilities, likelihood, impact, current controls, and treatment decisions, and should be produced by a named assessor.
How often is a full information security risk assessment conducted?
Most frameworks require annual assessment at minimum, plus ad hoc assessment on significant system or business changes.
Does your organization maintain a risk register that records identified risks with likelihood, impact ratings, treatment decisions, and named owners?
The register should be reviewed at defined intervals and reflect the current state of the risk landscape, including treatment status for each open risk.