Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC3.1–CC3.4 (risk identification and analysis); ISO/IEC 27001 §6.1.2 / §6.1.3 / §8.2. Implements the Risk Management Policy.
This procedure operationalizes the Risk Management Policy. It is the canonical operating record for SOC 2 CC3.1 / CC3.2 / CC3.3 / CC3.4 (risk identification and analysis) and ISO/IEC 27001 §6.1.2 / §6.1.3 / §8.2 (information-security risk assessment and treatment).

Cadence

  • Full assessment — annually, completed by April 30 each year so that outputs feed the May 8 policy-review cycle.
  • Triggered re-assessment — on any of: a new product offering that changes the data-bearing surface; a material change to architecture, vendor footprint, or customer commitments; a Severity 1 incident; a regulatory development that changes scope (new state privacy law in effect, new federal framework adoption); a customer-contract obligation that introduces a new control commitment; a change in Neuroscale’s EU AI Act role or tiering — e.g., a feature becoming a high-risk Annex III system, Neuroscale acting as a provider placing a system on the EU market, or the application of a new EU AI Act obligation (Art. 50 transparency from Aug 2, 2026; high-risk obligations on their phased application date).
  • Quarterly check-ins — the Risk Register is reviewed at each ISMS Management Review; the full assessment is not re-run quarterly, but new and overdue risks are surfaced and re-scored.

Participants

  • Owner: CISO.
  • Required interview subjects: CTO, General Counsel, CHRO, CFO, Engineering leads, Customer Success lead, Privacy Officer.
  • Reviewers / approvers: CEO and CTO sign off on the residual risk acceptance for any risk scored High or Critical at the end of the assessment.

Process

1. Scope (1 week)

CISO confirms the scope of the assessment — the systems, data flows, vendor relationships, jurisdictions, and customer contracts in effect at the time of assessment. The Controls Inventory, Vendor Inventory, Records of Processing, and Standard Access Matrix are the canonical scope artifacts.

2. Identify (2 weeks)

CISO conducts structured interviews with the participants listed above and walks each domain below to surface threats and vulnerabilities:
DomainSources
Access / identityAccess Control Policy, Access Reviews procedure, Vanta access-review history
Application & infrastructureSecure Development Policy, Operations Security Policy, the most recent penetration-test report where available (first engagement: Horizon3, 2026), Vulnerability Management findings
Data / privacyData Management Policy, Records of Processing, GDPR Art. 30 records, state-privacy mapping
VendorsThird-Party Management Policy, Vendor Inventory, prior-year vendor-review notes
PeopleHuman Resources Security Policy, training completion data, prior-year incidents involving personnel
Business continuity / DRBusiness Continuity & DR Policy, RTO/RPO Matrix, DR & Backup-Restore Test results
AI / MLAI Acceptable Use Policy, AI Model Registry, Re-identification Audit procedure results, AI bias-audit procedure results
Regulatory / contractualGC walk through customer contracts with new security/privacy obligations and any new statutory exposure
External inputs: prior-year audit findings (SOC 2, customer security reviews), industry threat reports relevant to Neuroscale’s stack, CISA advisories tagged to in-use products.

3. Analyze (1 week)

For each identified risk, the CISO assigns:
  • Likelihood — Very Low / Low / Medium / High / Very High.
  • Impact — Very Low / Low / Medium / High / Very High, considering customer impact, regulatory exposure, financial impact, and reputational exposure independently and taking the worst case.
  • Inherent scorelikelihood × impact on the 5×5 matrix in the Risk Management Policy.
  • Existing controls — drawn from the Controls Inventory.
  • Residual score — the inherent score adjusted for the effectiveness of existing controls.
The 5×5 matrix and the residual-score thresholds are the ones defined in the Risk Management Policy. Where this procedure and the policy ever appear to disagree, the policy controls.

4. Treat (1 week)

For each risk above the acceptance threshold, the CISO proposes a treatment — mitigate / transfer / avoid / accept — with an owner, target date, and the residual-score target after treatment.
  • Mitigate treatments become Linear epics with their own breakdown into action items.
  • Transfer treatments (insurance, contractual) require GC sign-off and are recorded in the Vendor Inventory where they involve a third party.
  • Avoid treatments require CEO sign-off (since they may involve product or commercial-strategy decisions).
  • Accept treatments at High or Critical residual score require CEO and CTO sign-off in writing.

5. Document (1 week)

The CISO produces the Annual Risk Assessment Report with:
  • Scope statement and as-of date.
  • Identified-risk inventory with likelihood, impact, inherent, controls, residual.
  • Treatment plan with owner and target date for each above-threshold risk.
  • Sign-off panel — CEO, CTO, CISO, General Counsel — for the assessment as a whole and for any accepted residual High/Critical risks.
  • Changes since the prior year’s assessment.
The report is committed to /registers/annual-risk-assessment/<YYYY>.mdx and linked from the Controls Inventory. The updated Risk Register lives in the controls inventory and is the source of truth for the per-risk treatment status that is walked at each ISMS Management Review.

Evidence

The following are retained in the SharePoint evidence library used for SOC 2 / ISO 27001 audits:
  • The signed Annual Risk Assessment Report.
  • Interview notes / structured questionnaires (sanitized as needed for privilege).
  • Risk Register diff against the prior year.
  • Treatment-plan artifacts (Linear epic IDs).
  • Sign-off panel (CEO, CTO, CISO, GC).
Records are retained for at least 7 years per the Records Retention Schedule.

Escalation

Any risk identified at Critical residual score is escalated to the CEO at the time of identification, without waiting for the assessment to complete. The General Counsel additionally escalates anything that triggers a notice or reporting obligation under applicable law (regulator notice, customer-contract notice, breach-style reporting) at the time of identification.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 15, 2026Initial version — implements Risk Management Policy, SOC 2 CC3.1–CC3.4, ISO 27001 §6.1.2 / §6.1.3 / §8.2Cameron WolfeIshan Jadhwani