GRC-02: Risk Management Program

Info icon.

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-08: Policy Impact on Risk Assessments, GRM-10: Risk Assessments, GRM-11: Risk Management Framework.

Control Statement

Establish a formal, documented, and leadership-sponsored Enterprise Risk Management (ERM) program that includes policies and procedures for identification, evaluation, ownership, treatment, and acceptance of cloud security and privacy risks.

Implementation Guidance

The enterprise risk management (ERM) program should consider—and not be limited to—cloud-related information security and data privacy risks. The program should include risk management elements such as risk identification, risk assessment, risk treatment, and risk reporting. Management of each business area should consist of the implementation of the applicable ERM program policies and procedures. The ERM program should also feature a formal statement of risk appetite and may include creating and maintaining a risk register that reflects the likelihood of occurrence, potential business impacts, risk levels, and proposed mitigation actions for each risk.

Auditing Guidance

  1. Examine the policy and/or procedures related to the Enterprise Risk Management (ERM) program to determine whether the organization has developed a comprehensive strategy to manage risk to organizational operations and assets, and individuals.
  2. Review ERM documentation, processes, and supporting evidence to confirm if the ERM program includes provisions for cloud security and privacy risk.
  3. Examine measure(s) that evaluate(s) the organization's compliance with the risk management policy and determine if the measure(s) address(es) implementation of the policy/control requirement(s) as stipulated in the policy level.
  4. Obtain and examine supporting evidence to determine if the office or individual responsible reviews the information and, if issues were identified, if they were investigated and remediated appropriately.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.