Hello ISC2 Community,
I am 2 weeks into a new role leading Information Security with the initial goal of gaining SOC 2 certification. This is a small 200+ private company with lots of work to do, developing policies, procedures, etc. Question: is there a good Risk Assessment tool I could gain access to and use internally? I would like to start internally prior to spending $$$ with a 3rd party.
Welcome feedback and guidance.
There are some open source tools which can be helpful. Most probably you could also get away with an Excel spreadsheet (just Google for templates, as there are tons of them).
It's not much more work to build a risk management solution on your own (except for the hours you'll put into defining the structure) than it is with a commercial product. I always joke/cry that you can get commercial software for nothing but a song and dance, but then you will spend the next 3 years and 4 FTEs making it actually work for your company. Caveat emptor!
You can use a self-assessment based on ISO 27002 measures (114).
Your first work is to define your perimeter and the exclusions.
Use the commitment of your management and security policy.
The CIS RAM (https://learn.cisecurity.org/cis-ram) helped me get through risk assessment hurdles in the past. Last year I used this tool to get an organization ISO 27001 certified, and at my old organization it was useful in fulfilling the requirements of our SOC 2 audit.