Skip to content
English
Kontakt os
  • There are no suggestions because the search field is empty.

Risk and Security

How to Perform Risk Assessments of Your Assets, Processing Activities, and Systems in ComplyCloud

General About Risk Management

ComplyCloud’s risk module allows you to assess the risk of your processing activities, systems, and assets all in one place. This gives you a comprehensive overview of your risk profile. When you click on the Risk and Security tab in ComplyCloud, you gain access to three menus:

  • Risk Assessment of Assets: Here you assess the risk for your systems, processing activities, and other assets. This is the area we will cover in detail in this article.

  • Risk scenarios: Here you can perform risk assessments of specific threat scenarios relevant to your company (for example, 'power outage')

  • Risk settings: Here you can create a catalog of risks and security measures that you can use in your risk assessments.

  • Incident Management: Here you can document and follow up on security incidents.

Note: The Risk Scenario page will only be available if you have access to ComplyCloud’s ISMS solution.

How to Get Started

Add systems or processing activities:

Once you’ve added an IT system or a processing activity under Mapping, you can create a risk assessment under Risk Assessment of Assets by clicking Actions > Add Assets.

Prioritize the Order of Your Risk Assessments

After adding the systems and/or processing activities you wish to assess, you can perform an initial risk assessment to prioritize where to focus your efforts. This is done by selecting the consequence level and likelihood on a scale from 1–5:
(This can also be done directly from the IT system.)

  • Consequence: How serious the consequences would be for the company if the system or processing activity were compromised or failed.

  • Likelihood: How likely it is that the system or processing activity might be compromised.

Perform Your Risk Assessments

For each of your assets, you can add all the threats you see as relevant by clicking Add Threats. For each threat, you should go through the 3-step flow initiated by clicking Assess for each threat.

Step 1: Determine Your Initial Risk

  • Assess the initial consequence score for each threat.

  • Add the initial likelihood of the threat.

  • View your initial risk score.

Note: If you’ve enabled CIA under Risk Settings, you must rate your score based on Confidentiality, Integrity, and Availability (as shown above) The highest score among the three will automatically be used as your consequence score.

Step 2: Add Security Measures

Select measures from the shared security catalog (see under Risk Settings for more info) or create your own.


 

Step 3: Calculate Residual Risk

After adding the measures, perform a final assessment.



Repeat the process for all threats to achieve a complete, documented risk assessment.

Note: The threat with the highest risk score will be considered the asset’s overall risk score.

Risk Settings

Here you can make it easier and more efficient to work with risk management. You can:

  • Enable CIA, so the same method is used to assess threats across all risk assessments.

  • Add security measures that can be used by the entire organization during the risk assessment process.

  • Add threats to a threat catalog that can be reused across your risk assessments.

Tip: The CIA framework stands for Confidentiality, Integrity, and Availability—three core principles of information security that focus on protecting data. Enable this if you want to follow best practices.

 Versioning and Approval of Risk Assessments

You can benefit from sending a risk assessment for review. Once approved, the risk assessment is saved as a new version.

Adding approvers to review assessments will notify them via e-mail and create a task for them. All changes to your risk assessments are saved with complete historical records over time.

Tip:

  • Start with your most critical assets.

  • Repeat assessments regularly to ensure up-to-date risk management.