SOC 2 Developing Risk Mitigation Activities (CC9.1)


Overview:
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.


Action Items:
1) Create a risk assessment policy and related procedures and publish to the company intranet for employees to access and review.
2) Create a disaster recovery and business continuity policy and plan and publish to the company intranet for employees to access and review.
3) Inspect the risk assessment and treatment process policy, or an equivalent document, to determine that policies and procedures are in place to guide personnel in developing risk mitigation activities, including the monitoring processes and the policies, procedures, and communications needed to meet the entity's objectives during response, mitigation, and recovery efforts.
4) Inspect the most recently completed risk assessment to determine that security stakeholders perform a risk assessment at least annually and that it includes an evaluation of the risk mitigation control activities for risks arising from potential business disruptions.
5) Inspect the disaster recovery and business continuity policy and plan to determine that plans are in place to guide personnel in protecting against disruptions caused by unexpected events, and that the plans are reviewed, updated, and approved at least annually based on the business impact analysis performed during the annual risk assessment.
6) Inspect the insurance certificate to determine that the entity has acquired insurance to mitigate the financial impact of a business disruption.


Related Documents:
1) Risk assessment policy
2) Disaster recovery and business continuity plan
3) Sample of recent business risk assessments
4) Business insurance certificate

Additional Guidance:
The following points of focus highlight important characteristics related to this criterion:


1) Considers Mitigation of Risks of Business Disruption—Risk mitigation activities include the development of planned policies, procedures, communications, and alternative processing solutions to respond to, mitigate, and recover from security events that disrupt business operations. Those policies and procedures include monitoring processes and information and communications to meet the entity's objectives during response, mitigation, and recovery efforts.
2) Considers the Use of Insurance to Mitigate Financial Impact Risks—The risk management activities consider the use of insurance to offset the financial impact of loss events that would otherwise impair the ability of the entity to meet its objectives.



Article ID: 247
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/soc-2-developing-risk-mitigation-activities-cc9-1-247.html