Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC3.1–CC3.4 (risk identification and analysis); ISO/IEC 27001 §6.1.2 / §6.1.3 / §8.2. Implements the Risk Management Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: SOC 2 CC3.1–CC3.4 (risk identification and analysis); ISO/IEC 27001 §6.1.2 / §6.1.3 / §8.2. Implements the Risk Management Policy.
Cadence
- Full assessment — annually, completed by April 30 each year so that outputs feed the May 8 policy-review cycle.
- Triggered re-assessment — on any of: a new product offering that changes the data-bearing surface; a material change to architecture, vendor footprint, or customer commitments; a Severity 1 incident; a regulatory development that changes scope (new state privacy law in effect, new federal framework adoption); a customer-contract obligation that introduces a new control commitment; a change in Neuroscale’s EU AI Act role or tiering — e.g., a feature becoming a high-risk Annex III system, Neuroscale acting as a provider placing a system on the EU market, or the application of a new EU AI Act obligation (Art. 50 transparency from Aug 2, 2026; high-risk obligations on their phased application date).
- Quarterly check-ins — the Risk Register is reviewed at each ISMS Management Review; the full assessment is not re-run quarterly, but new and overdue risks are surfaced and re-scored.
Participants
- Owner: CISO.
- Required interview subjects: CTO, General Counsel, CHRO, CFO, Engineering leads, Customer Success lead, Privacy Officer.
- Reviewers / approvers: CEO and CTO sign off on the residual risk acceptance for any risk scored High or Critical at the end of the assessment.
Process
1. Scope (1 week)
CISO confirms the scope of the assessment — the systems, data flows, vendor relationships, jurisdictions, and customer contracts in effect at the time of assessment. The Controls Inventory, Vendor Inventory, Records of Processing, and Standard Access Matrix are the canonical scope artifacts.2. Identify (2 weeks)
CISO conducts structured interviews with the participants listed above and walks each domain below to surface threats and vulnerabilities:| Domain | Sources |
|---|---|
| Access / identity | Access Control Policy, Access Reviews procedure, Vanta access-review history |
| Application & infrastructure | Secure Development Policy, Operations Security Policy, the most recent penetration-test report where available (first engagement: Horizon3, 2026), Vulnerability Management findings |
| Data / privacy | Data Management Policy, Records of Processing, GDPR Art. 30 records, state-privacy mapping |
| Vendors | Third-Party Management Policy, Vendor Inventory, prior-year vendor-review notes |
| People | Human Resources Security Policy, training completion data, prior-year incidents involving personnel |
| Business continuity / DR | Business Continuity & DR Policy, RTO/RPO Matrix, DR & Backup-Restore Test results |
| AI / ML | AI Acceptable Use Policy, AI Model Registry, Re-identification Audit procedure results, AI bias-audit procedure results |
| Regulatory / contractual | GC walk through customer contracts with new security/privacy obligations and any new statutory exposure |
3. Analyze (1 week)
For each identified risk, the CISO assigns:- Likelihood — Very Low / Low / Medium / High / Very High.
- Impact — Very Low / Low / Medium / High / Very High, considering customer impact, regulatory exposure, financial impact, and reputational exposure independently and taking the worst case.
- Inherent score —
likelihood × impacton the 5×5 matrix in the Risk Management Policy. - Existing controls — drawn from the Controls Inventory.
- Residual score — the inherent score adjusted for the effectiveness of existing controls.
4. Treat (1 week)
For each risk above the acceptance threshold, the CISO proposes a treatment — mitigate / transfer / avoid / accept — with an owner, target date, and the residual-score target after treatment.- Mitigate treatments become Linear epics with their own breakdown into action items.
- Transfer treatments (insurance, contractual) require GC sign-off and are recorded in the Vendor Inventory where they involve a third party.
- Avoid treatments require CEO sign-off (since they may involve product or commercial-strategy decisions).
- Accept treatments at High or Critical residual score require CEO and CTO sign-off in writing.
5. Document (1 week)
The CISO produces the Annual Risk Assessment Report with:- Scope statement and as-of date.
- Identified-risk inventory with likelihood, impact, inherent, controls, residual.
- Treatment plan with owner and target date for each above-threshold risk.
- Sign-off panel — CEO, CTO, CISO, General Counsel — for the assessment as a whole and for any accepted residual High/Critical risks.
- Changes since the prior year’s assessment.
/registers/annual-risk-assessment/<YYYY>.mdx and linked from the Controls Inventory. The updated Risk Register lives in the controls inventory and is the source of truth for the per-risk treatment status that is walked at each ISMS Management Review.
Evidence
The following are retained in the SharePoint evidence library used for SOC 2 / ISO 27001 audits:- The signed Annual Risk Assessment Report.
- Interview notes / structured questionnaires (sanitized as needed for privilege).
- Risk Register diff against the prior year.
- Treatment-plan artifacts (Linear epic IDs).
- Sign-off panel (CEO, CTO, CISO, GC).
Escalation
Any risk identified at Critical residual score is escalated to the CEO at the time of identification, without waiting for the assessment to complete. The General Counsel additionally escalates anything that triggers a notice or reporting obligation under applicable law (regulator notice, customer-contract notice, breach-style reporting) at the time of identification.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Risk Management Policy, SOC 2 CC3.1–CC3.4, ISO 27001 §6.1.2 / §6.1.3 / §8.2 | Cameron Wolfe | Ishan Jadhwani |