# SOC 2 Risk Assessment

> Conduct a structured risk assessment aligned to AICPA Trust Services Criteria. Identifies risks per TSC category using a 5x5 likelihood-impact matrix, maps risks to specific TSC criteria (CC/A/PI/C/P), identifies control gaps, validates residual risk scoring, and produces a risk register with treatment plan. Feeds into gap analysis, control narratives, and policy generation.



Tags: Compliance, Security, SOC 2, Risk Assessment, AICPA, Trust Services Criteria, GRC


## Example Prompts

- Conduct a risk assessment for our SOC 2 Type II engagement
- Identify risks across all Trust Services Criteria categories
- Map our risks to specific TSC criteria and identify control gaps
- Build a risk register with treatment plan for SOC 2 readiness

URL: https://rakenne.app/skills/soc2-risk-assessment/index.md

Try this skill: https://rakenne.app/a/?skill=soc2-risk-assessment



## Overview

A risk assessment is the foundation of a SOC 2 control environment. Without identifying what can go wrong and how likely and severe each outcome is, control selection is arbitrary and auditors will question the basis for your control environment. This skill produces three artifacts — methodology, risk register, and treatment plan — that all subsequent skills reference.

## Getting Started

Add your source materials to the project workspace — organization profile, existing risk registers, security assessments, and incident history — then activate the *SOC 2 Risk Assessment* skill. The agent will guide you through methodology definition, risk identification across 12 TSC domains, scoring, control mapping, and treatment decisions.

## Example Conversation

Below is an example of how a typical risk assessment session unfolds. The agent systematically identifies risks by TSC domain, scores them using a 5x5 matrix, and validates using three built-in tools.

> **You:** Conduct the risk assessment for our SOC 2 Type II engagement. We're in scope for Security (CC) and Availability (A). Our organization profile is already in the workspace.
>
> **Agent:** I've loaded the organization profile — DataVault Technologies, B2B SaaS, AWS infrastructure, 120 employees, Security + Availability in scope. I'll start by establishing the risk methodology, then systematically identify risks across all relevant TSC domains.
>
> I've defined the 5×5 methodology: Likelihood (Rare to Almost Certain), Impact (Insignificant to Catastrophic), risk score = L × I, appetite threshold = 12, immediate action threshold = 20. Treatment options: Treat, Accept, Avoid, Transfer.
>
> Now identifying risks across the 10 applicable TSC domains (CC1–CC9 + A1). I've identified 13 risks. Let me run the validation suite.
>
> *[Runs risk_to_tsc_mapper]* All 13 risks map to valid TSC criteria. However, 2 in-scope criteria have no associated risk: CC4.2 (evaluating and communicating deficiencies) and A1.3 (recovery). These are blind spots — I'll add risks for them.
>
> **You:** Good catch. We actually had an incident last year where a DR test was skipped during a team transition. Add that as context for the A1.3 risk.
>
> **Agent:** I've added 2 more risks (15 total) and incorporated the historical DR incident as context for RISK-AV-003. Now running the control gap identifier.
>
> *[Runs control_gap_identifier]* Found 3 criteria where risks exist but no controls are mapped: CC3.4 (fraud risk considerations), CC8.1 (change management for infrastructure), and A1.2 (capacity planning). These need controls assigned before the risk register is complete.
>
> After mapping controls, I've run the residual risk validator. *[Runs residual_risk_validator]* All entries pass — residual ≤ inherent for every risk, all 12 risks above appetite have treatment decisions, and the 2 accepted risks (both Low severity) have documented rationale.
>
> I've saved the Risk Assessment Methodology, Risk Register, and Risk Treatment Plan to the output directory. Dashboard updated: 15 total risks, distribution is 2 Critical / 5 High / 6 Medium / 2 Low, treatment coverage 100%.

## Sample Output Excerpt

Below is a representative excerpt from the risk register, showing the structured format with TSC mapping, inherent/residual scoring, and treatment decisions.

---

### Risk Register (excerpt)

| ID | Risk Title | TSC Criteria | Threat | L | I | Inherent | Treatment | Controls | Residual |
|:---:|:---|:---|:---|:---:|:---:|:---:|:---|:---|:---:|
| RISK-AC-001 | Unauthorized access to customer documents | CC6.1, CC6.3 | External attacker, insider threat | 3 | 5 | 15 | Treat | MFA via Okta, RBAC, quarterly access review | 6 |
| RISK-SO-001 | Production system compromise via misconfiguration | CC7.1, CC7.2 | Cloud misconfiguration | 4 | 4 | 16 | Treat | IaC, config scanning, security groups audit | 8 |
| RISK-CM-001 | Unauthorized or untested changes deployed | CC8.1 | Developer error, process bypass | 3 | 4 | 12 | Treat | PR reviews, CI gates, automated rollback | 4 |
| RISK-AV-001 | Extended platform outage exceeding SLA | A1.1, A1.2 | Infrastructure failure, DDoS | 3 | 5 | 15 | Treat | Multi-AZ, auto-scaling, DDoS protection | 6 |
| RISK-AV-003 | Inability to recover from disaster | A1.3 | DR process failure | 3 | 5 | 15 | Treat | Automated DR testing, documented runbooks | 6 |
| RISK-GO-002 | Deficiency evaluation gaps | CC4.2 | Process immaturity | 2 | 3 | 6 | Accept | Quarterly deficiency review process | 4 |

### Risk Treatment Plan (excerpt)

| Risk ID | Decision | Specific Actions | Owner | Target Date |
|:---:|:---|:---|:---|:---|
| RISK-AC-001 | Treat | Enforce MFA for all users, implement quarterly access reviews, deploy session timeout | Sarah Chen (CISO) | 30 Sep 2025 |
| RISK-AV-003 | Treat | Complete DR test, automate DR scheduling, document runbooks | Michael Torres (CTO) | 31 Aug 2025 |
| RISK-GO-002 | Accept | Risk accepted — low inherent score (6), quarterly review process in place | Sarah Chen (CISO) | N/A |


## Built-in Validation

The skill includes three validation tools that check the risk register for TSC alignment, control coverage, and scoring consistency. The agent runs all three after completing the register and iterates until all checks pass.

### What the validators check

**Risk-to-TSC Mapper:**

| Check Category | What It Validates | Severity |
|---|---|---|
| TSC criterion mapping | Every risk maps to at least one valid TSC criterion ID | ERROR if missing or invalid |
| Criterion ID validity | All referenced criteria match AICPA TSC 2017 identifiers | ERROR if invalid |
| Coverage blind spots | In-scope TSC criteria with no associated risk | WARNING per unmapped criterion |
| Category distribution | Risk count per TSC category (CC, A, PI, C, P) | INFO |

**Control Gap Identifier:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Uncontrolled risks | TSC criteria with identified risks but no mapped controls | ERROR per gap |
| Over-controlled criteria | TSC criteria with controls but no identified risks | WARNING (potential waste) |
| Priority recommendations | Gaps ranked by inherent risk score for remediation priority | INFO |

**Residual Risk Validator:**

| Check Category | What It Validates | Severity |
|---|---|---|
| Scoring consistency | Residual risk ≤ inherent risk for every entry | ERROR if violated |
| Treatment decisions | All risks above appetite have a treatment decision | ERROR if missing |
| Acceptance rationale | Accepted risks have documented rationale | WARNING if missing |
| Transfer mechanism | Transferred risks specify the mechanism (insurance, contract) | WARNING if missing |
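The checks in the three tables above, together with the 5×5 methodology defined in the example conversation (score = L × I, appetite threshold 12, four treatment options), are concrete enough to implement. The following is an added example written for this page, not the skill's own validator code: it runs the scoring-consistency, treatment-decision, acceptance-rationale, transfer-mechanism and criterion-validity checks over rows transcribed from the register excerpt, and reports blind spots against the Security and Availability criteria of the AICPA 2017 TSC. The dictionary field names and the reading of "above appetite" as strictly greater than the threshold are assumptions.

```python
# Methodology from this page: 5x5 matrix, score = L x I, appetite threshold 12.
APPETITE = 12
# Security (CC) and Availability (A) criterion IDs of the AICPA 2017 TSC:
# CC1.1-CC1.5, CC2.1-CC2.3, CC3.1-CC3.4, CC4.1-CC4.2, CC5.1-CC5.3,
# CC6.1-CC6.8, CC7.1-CC7.5, CC8.1, CC9.1-CC9.2, A1.1-A1.3.
_CC_COUNTS = (5, 3, 4, 2, 3, 8, 5, 1, 2)
IN_SCOPE = {f"CC{s}.{i}" for s, n in enumerate(_CC_COUNTS, 1) for i in range(1, n + 1)}
IN_SCOPE |= {"A1.1", "A1.2", "A1.3"}
DECISIONS = {"Treat", "Accept", "Avoid", "Transfer"}

# Constructed sample rows, transcribed from the register excerpt above (field names assumed).
REGISTER = [
    {"id": "RISK-AC-001", "tsc": ["CC6.1", "CC6.3"], "L": 3, "I": 5, "inherent": 15, "treatment": "Treat", "residual": 6},
    {"id": "RISK-SO-001", "tsc": ["CC7.1", "CC7.2"], "L": 4, "I": 4, "inherent": 16, "treatment": "Treat", "residual": 8},
    {"id": "RISK-CM-001", "tsc": ["CC8.1"], "L": 3, "I": 4, "inherent": 12, "treatment": "Treat", "residual": 4},
    {"id": "RISK-AV-001", "tsc": ["A1.1", "A1.2"], "L": 3, "I": 5, "inherent": 15, "treatment": "Treat", "residual": 6},
    {"id": "RISK-AV-003", "tsc": ["A1.3"], "L": 3, "I": 5, "inherent": 15, "treatment": "Treat", "residual": 6},
    {"id": "RISK-GO-002", "tsc": ["CC4.2"], "L": 2, "I": 3, "inherent": 6, "treatment": "Accept", "residual": 4,
     "rationale": "low inherent score (6), quarterly review process in place"},
]

def validate(register, appetite=APPETITE):
    """Mapping and residual-risk checks; returns (severity, risk_id, message) tuples."""
    findings = []
    for r in register:
        bad = [c for c in r["tsc"] if c not in IN_SCOPE]
        if not r["tsc"] or bad:
            findings.append(("ERROR", r["id"], f"invalid or missing TSC criteria: {bad}"))
        if r["inherent"] != r["L"] * r["I"]:
            findings.append(("ERROR", r["id"], "inherent score is not L x I"))
        if r["residual"] > r["inherent"]:
            findings.append(("ERROR", r["id"], "residual exceeds inherent"))
        # Assumption: "above appetite" means strictly greater than the threshold.
        if r["inherent"] > appetite and r.get("treatment") not in DECISIONS:
            findings.append(("ERROR", r["id"], "above appetite with no treatment decision"))
        if r.get("treatment") == "Accept" and not r.get("rationale"):
            findings.append(("WARNING", r["id"], "accepted risk lacks documented rationale"))
        if r.get("treatment") == "Transfer" and not r.get("mechanism"):
            findings.append(("WARNING", r["id"], "transferred risk lacks transfer mechanism"))
    return findings

def blind_spots(register, in_scope=IN_SCOPE):
    """In-scope criteria no risk maps to (the mapper raises one WARNING per criterion)."""
    mapped = {c for r in register for c in r["tsc"]}
    return sorted(in_scope - mapped)
```

Run against the six excerpt rows, `validate` returns no findings and `blind_spots` lists the criteria the excerpt does not cover (for example CC9.1), which is the expected result for a partial excerpt of a 15-risk register.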

### Example validation output

```
========================================================================
SOC 2 Risk Assessment — TSC Mapping Validation
========================================================================

Risks analyzed: 15
Valid TSC mappings: 15/15

Coverage by category:
  [CC] Security: 11 risks across CC1–CC9 ✓
  [A] Availability: 4 risks across A1.1–A1.3 ✓

Blind spots (in-scope criteria with no risk):
  (none — all in-scope criteria covered)

Result: PASS
========================================================================
```

```
========================================================================
SOC 2 Risk Assessment — Control Gap Analysis
========================================================================

Gaps (risks without mapped controls):
  (none — all risks have at least one control)

Over-controlled criteria:
  [INFO] CC2.1 has 3 controls but only 1 associated risk — consider
    whether all controls are necessary

Result: PASS
========================================================================
```

The agent runs all three validators automatically after completing the risk register and surfaces findings inline, so you always know exactly what gaps remain before the register is structurally complete.



