Overview
Annual Risk Assessment is the formal, organization-wide process of identifying, analyzing, and prioritizing risks that could impact the achievement of security, availability, confidentiality, processing integrity, and privacy objectives. It ensures management evaluates changes in the business and environment at least annually to meet SOC 2 CC3 requirements.
Step-by-Step Process
Define assessment scope
The Security Lead defines the scope of the annual risk assessment, including in-scope systems, services, locations, and data types relevant to SOC 2. The output is a documented scope statement aligned to the current SOC 2 boundary.
Role: Security Lead
Identify risk sources and events
The Security Lead, with input from IT and Engineering, identifies internal and external risk sources such as threats, vulnerabilities, and recent business or system changes. The output is a list of identified risks mapped to systems or processes.
Role: Security Lead
Assess likelihood and impact
Each identified risk is evaluated for likelihood and business impact using a defined risk rating methodology. The output is a completed risk register with likelihood, impact, and overall risk ratings.
Role: Security Lead
Identify existing controls
The Security Lead documents existing controls that mitigate each identified risk, referencing current policies, procedures, and technical safeguards. The output is an updated risk register showing control coverage per risk.
Role: Security Lead
Determine residual risk
Residual risk is calculated after considering existing controls, and risks are categorized as acceptable or requiring treatment. The output is a prioritized list of residual risks.
Role: Security Lead
Develop risk treatment plans
For risks requiring treatment, the Security Lead defines remediation actions, owners, and target completion dates. The output is documented risk treatment plans linked to each applicable risk.
Role: Security Lead
Obtain management review and approval
The completed risk assessment and treatment plans are reviewed with executive management for validation and approval. The output is documented management sign-off with date and approver.
Role: Security Lead
Retain and communicate results
The finalized risk assessment is stored in a central repository and key results are communicated to relevant stakeholders. The output is an archived risk assessment and evidence of stakeholder communication.
Role: Security Lead
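The rating, control-mapping and residual-risk steps above, worked through in code as an added example (not from the page or from any tool it mentions). The 1 to 5 scales, the likelihood x impact score, the RISK_APPETITE threshold and the sample risks are all assumptions made for the illustration; substitute your own documented methodology.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed rating methodology (the page does not define one): likelihood and
# impact are rated 1 (lowest) to 5 (highest), score = likelihood * impact, and
# a residual score at or below RISK_APPETITE is accepted without treatment.
RISK_APPETITE = 6

@dataclass
class Risk:
    risk_id: str
    description: str
    system: str                     # in-scope system or process the risk maps to
    likelihood: int                 # inherent ratings, before controls
    impact: int
    controls: list = field(default_factory=list)  # existing mitigating controls
    residual_likelihood: Optional[int] = None      # ratings reassessed with controls applied
    residual_impact: Optional[int] = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact, self.residual_likelihood, self.residual_impact):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"{self.risk_id}: rating {v} outside the 1..5 scale")

    def residual_score(self) -> int:
        # A risk that was never re-rated keeps its inherent rating: listing controls earns no credit.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp

def prioritize(register):
    """Rows of (risk_id, inherent, residual, disposition), highest residual first."""
    rows = []
    for r in register:
        residual = r.residual_score()
        disposition = "acceptable" if residual <= RISK_APPETITE else "treatment required"
        rows.append((r.risk_id, r.likelihood * r.impact, residual, disposition))
    return sorted(rows, key=lambda row: row[2], reverse=True)

# Constructed sample register (illustrative risks, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("R-01", "Production DB credentials shared in chat", "Customer DB", 4, 5,
         ["Secrets manager", "Quarterly access review"], 2, 5),
    Risk("R-02", "Lost laptop exposes local data", "Endpoints", 3, 3,
         ["Full-disk encryption", "MDM remote wipe"], 1, 3),
    Risk("R-03", "Critical SaaS vendor outage", "Billing", 2, 4),  # no controls, never re-rated
    Risk("R-04", "Unpatched internet-facing service", "Web App", 3, 4,
         ["Patch SLA", "Weekly vulnerability scan"], 2, 3),
]
```

Rows marked "treatment required" are the ones that need a treatment plan with an owner and target date in the next step.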
What You Need Before Starting
- Current SOC 2 scope document
- System architecture diagrams
- List of in-scope applications and vendors
- Access to a risk assessment tool (Drata, Vanta, or a spreadsheet)
Evidence Your Auditor Expects
- Completed annual risk assessment document dated within the audit period
- Risk register export showing likelihood, impact, and residual risk ratings with timestamps
- Documented risk treatment plans with assigned owners and due dates
- Management approval record (email or tool-based sign-off) with date
How This Looks In Your Tools
Drata
Log in to Drata and navigate to Risk Management > Risk Assessments from the left-hand menu. Click “Create Risk Assessment,” select the assessment period, and confirm the SOC 2 framework.
Within the assessment, add risks manually or from Drata’s risk library, then assign likelihood, impact, and mapped controls for each risk. After completing all risks, route the assessment for approval using the “Request Approval” button and ensure the status shows “Approved.”
Vanta
Log in to Vanta and go to Risk > Risk Assessments from the main navigation. Select “New Assessment,” choose SOC 2 as the framework, and define the assessment period.
Add and evaluate risks by entering likelihood, impact, and mitigation details, then assign remediation tasks where needed. Use the “Review & Approve” workflow to capture management approval and confirm the assessment is marked “Complete.”
Spreadsheet
Open the approved risk assessment spreadsheet template stored in your compliance repository. Populate the scope tab with current in-scope systems and services, then list identified risks in the risk register tab.
For each risk, complete likelihood, impact, control mapping, and residual risk fields, and add remediation actions where required. Save the finalized file with the assessment year in the filename and obtain documented management approval via email or signature.
Common Audit Findings
- Risk assessment not performed annually: this occurs when teams do not track assessment cadence or ownership. Prevent it by scheduling the assessment as an annual compliance task with a clear owner and due date.
- Incomplete risk identification: risks are often missed when business or system changes are not considered. Prevent this by reviewing recent changes and involving cross-functional stakeholders during risk identification.
- No documented residual risk evaluation: auditors flag assessments that list risks but do not evaluate residual risk. Ensure likelihood and impact are reassessed after controls are considered.
- Lack of management approval: risk assessments without evidence of management review do not meet CC3 expectations. Always capture dated approval from an executive or authorized manager.