A security risk assessment identifies, assesses, and implements essential security controls in your company's applications. It aims to find areas within your organization that need additional or more robust security and reduce risk within your company. Vanta's ISO Compliant Risk Management page shows what risk exists within your organization and the tasks that must be completed to improve your security posture. Once you have identified and included risks for your company, they can be managed from the Risk Management tab. Here, you can review all of the risks that have been identified for your business. For risks with a risk score above an acceptable threshold, you can review and describe the risk treatment plan that will lower the likelihood and impact of the risk on your business.
Risk Management Overview
The Risk Management overview allows you to view the current and residual scores for your risk scenarios.
Guided Tours
The guided tour widget on the Risk Register tab will walk you through each step to getting started with Risk management within Vanta. Select View guided tours in the banner, then select Show Me how to take the tour
Identifying Your Company's Risk Scenarios
Risk Register
You can review all the risks identified for your business from the Risk Register tab. For each risk, review and describe the risk treatment plan
Creating a Risk Scenario
You can also create custom risk scenarios from the risk register page by selecting + Scenario.
Risk scenarios can be created in 3 ways:
Manually
Via Library
Via Import (.csv, .xlsx)
Creating a Manual Risk Scenario
Complete the pop-up modal with
Description: Describe the actual or potential risk to your company's people, facilities, technology, and data
Category: The category of risk
Likelihood: how likely an intentional or accidental incident will occur based on this risk.
Impact: how much the exploitation of this risk would harm your organization's ability to continue to operate
Notes (optional): Describe actions you are already taking that may mitigate or negate this risk. This field can be left blank if no existing actions apply here
Select Create Risk scenario
Marking a risk scenario as sensitive will make it visible/editable to admins only
Uploading a Scenario via Import
Choose the +Add scenario button
Select Via Import
Upload the file using the risk scenario template
Risk Scenario Required | This describes an actual or potential risk to your organization's people, processes, technology, data, and facilities. |
Risk ID | The unique ID of the risk. Used to reference and update existing risks. We will auto-generate one if you don't specify it. |
Inherent Likelihood | Select a score that represents how likely an intentional or accidental incident will occur based on this risk. The whole number must be in the range of 1 to 5. You can adjust your range in the risk management settings. |
Inherent Impact | Select a score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate. The whole number must be in the range of 1 to 5. You can adjust your range in the risk management settings. |
Residual Likelihood | Select a score that represents how likely an intentional or accidental incident will occur based on this risk. The whole number must be in the range of 1 to 5. You can adjust your range in the risk management settings. |
Residual Impact | Select a score that represents how much the exploitation of this risk would harm your organization's ability to continue to operate. The whole number must be in the range of 1 to 5. You can adjust your range in the risk management settings. |
Note | Additional context about the risk scenario and why it has a specific impact and likelihood scores. |
Risk Treatment | Indicate how your leadership team wants to address an identified risk. Please note: not all risks need to be addressed immediately (or at all). The value must be one of the supported options. |
Categories | A comma-separated list of categories this risk scenario belongs to. You can reference the current category options in your Risk Management settings and/or enter new values. |
Owner | The person responsible for tracking and mitigating this risk scenario. This should be the email address of a valid Vanta user. |
Risk Type (CIA) | Risk Type (CIA) classifies risks using the Confidentiality, Integrity, and Availability (CIA) triad. |
Additional notes | A place to enter additional notes about this risk scenario The value must be "text" |
Extra column | Place more info in this column The value must be "text" |
Cost | Estimate the cost of a risk scenario The value must be "integer" |
Impact | Estimate the cost of a risk scenario The value must be "integer" |
Equipment Needed | What equipment is required to mitigate this risk The value must be "text" |
Controls | The controls this risk is associated with. You need to provide a list of comma-separated control IDs. |
Select Import
Adding Scenarios from the Risk Library
The Risk library contains detailed risk scenarios that can be quickly added to your Risk Register
This can be done through the Risk Library Tab or the + Add Scenario button
From the Risk Library tab, prebuilt risk scenarios can be added or removed from your Risk register
Reviewing Risk Scenarios
Assigning Owners
Risks added to the register will need to be reviewed and approved. Owners can be assigned by clicking the Edit next to the word Unassigned
This person is responsible for approving and tracking the completion of any treatment actions for this risk. They will be notified of this assignment if their notifications are turned on.
Admins can assign themselves as the owner of a risk scenario
Review the Risk
Click into the risk you would like to review, complete the required information from the side modal
Define how you would like to mitigate the risk
Accept: Decide to live with the risk and take no further actions
Transfer: Move risk outside your organization's responsibilities, e.g., get cyber liability insurance
Mitigate: Identify controls to put in place or tasks to be done that will reduce the risk score.
Avoid: Fix the risk and underlying vulnerabilities to remove them entirely from your environment.
Create a task that details your actions to mitigate the risk by selecting Create Task. Add a due date and assign the task to the appropriate person
Include any controls related to the risk scenario. Vanta can suggest controls if you toggle the Recommended only to on
Estimate Residual Score
Residual risk is the leftover risk after applying security controls and process improvements. A rough estimate is fine.
Archive a Risk / Restart
Archived risk scenarios won't show up in any new snapshots you generate in the future. All the tasks related to this risk scenario will be removed. You can unarchive the risk scenario anytime in the future, and the tasks will be restored.
Select the options menu(the three dots on the far right-hand side) from the risk
Selecting Archive will archive the risk
Selecting Mark as sensitive will ensure only admins can see and edit the risk
Creating Custom Risk Management Categories
Under Settings, Scroll to Custom Categories
Select Add to create a custom category
Enter the category name and select Add Category
The new custom category will be available to leverage for risk scenarios by editing the risk scenario and using the category dropdown
Creating a Risk Snapshot
Snapshot records your risk assessment at a given point in time. It allows you to track and share your risk assessment progress with auditors.
From the Risk Register page, select Share, followed by Create snapshot
You can choose to include All Risks or Approved Only risk scenarios, and if this snapshot can be viewed by Auditors.
Share Settings can be updated at anytime by viewing the Snapshot
Viewing Saved Snapshots
Saved snapshots can be viewed from the Snapshots page
Click on a specific snapshot to Download or Delete a snapshot from the top right-hand corner
Generate a Risk Assessment report
Create a risk assessment report Vanta platform, to showcase the security posture of your company to team members outside of the Vanta platform
From the Risk Register page, select Share followed by Generate Risk Assessment report
Select Export to save as a PDF