Resolve Sprinto Check for Periodic Risk Assessment

Learn how to resolve the Sprinto check for periodic risk assessments by updating your risk register and uploading supporting evidence.

Sprinto raises this check when it detects that your organisation has not performed a recent risk assessment or has not updated the Risk Register with new or reviewed risks.

Regular risk assessments are a mandatory compliance requirement across frameworks like:

  • ISO 27001 (Clauses 6.1.2, A.6.1.2)

  • SOC 2 (CC3.1, CC3.2)

  • HIPAA Security Rule

  • GDPR Article 32


Why this check matters

Risk assessments help organisations:

  • Identify emerging threats and vulnerabilities

  • Evaluate impact and likelihood

  • Prioritise mitigation efforts

  • Maintain continuous compliance

Without a recent assessment, your organisation may be unable to demonstrate proactive risk governance.


Resolution Steps

✅ 1. Review Existing Risks

  • Go to Risk Register in Sprinto

  • Review open, accepted, and mitigated risks

  • Check the last modified date for each risk

✅ 2. Update or Add New Risks

  • If outdated, update severity, impact, likelihood, and description fields

  • Add new risks that reflect changes in your:

    • Systems or architecture

    • Regulatory requirements

    • Supplier/vendor base

    • Business operations

✅ 3. Perform a New Assessment (if required)

  • Conduct a fresh risk assessment workshop or internal audit

  • Document the methodology (ISO 27005, NIST, etc.)

  • Capture outcomes in Sprinto’s Risk Register

✅ 4. Assign Risk Owners

  • Ensure every risk has an assigned risk owner

  • Update status: Accepted, Mitigated, In Progress, etc.

✅ 5. Upload Evidence

  • Acceptable forms:

    • Updated risk register (within Sprinto)

    • PDF export of the risk assessment summary

    • Screenshots showing updated risks with timestamps


Evidence Guidelines

| Type | Accepted | Notes |
| --- | --- | --- |
| Sprinto Risk Register | | Should show updated risks and owners |
| PDF of risk review summary | | Should include date and responsible team |
| External risk matrix/chart | | Optional — for visualising risk posture |
| Internal tracker (e.g., Excel) | | Must be dated and aligned with Sprinto entries |


Notes:

  • Sprinto may auto-resolve this check once new risks are added or old ones are updated.

  • Periodicity expectation: Every 6–12 months or as defined in your Risk Management Policy.

  • Risks must be aligned with your Information Security Objectives and Asset Inventory.
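To make the check's conditions concrete, here is an added Python example (not Sprinto's own code) that applies the rules from steps 1 and 4 and the periodicity note above to a constructed risk register; the field names, sample rows and the 365-day review window are assumptions for this illustration.

```python
from datetime import date, timedelta

# Status values are those named in steps 1 and 4 of the article; the field
# names and the default 365-day window are assumptions for this example.
VALID_STATUS = {"Open", "Accepted", "Mitigated", "In Progress"}

# Constructed sample register rows, not real Sprinto data.
REGISTER = [
    {"id": "R-1", "title": "Unpatched VPN appliance", "owner": "netops",
     "status": "In Progress", "last_reviewed": date(2024, 3, 1)},
    {"id": "R-2", "title": "Vendor DPA lapsed", "owner": "",
     "status": "Accepted", "last_reviewed": date(2024, 9, 15)},
    {"id": "R-3", "title": "Laptop disk encryption not enforced", "owner": "it",
     "status": "done", "last_reviewed": date(2025, 1, 10)},
    {"id": "R-4", "title": "Backup restore never tested", "owner": "sre",
     "status": "Mitigated", "last_reviewed": date(2025, 2, 20)},
]

# Assumed assessment date used by the stand-alone run below.
TODAY = date(2025, 4, 1)


def review_register(register, today, max_age_days=365):
    """Return {risk_id: [findings]} for rows that would keep the check open.

    A risk is flagged when its last review is older than max_age_days
    (the 6-12 month periodicity), when it has no owner, or when its
    status is not one of the expected values.
    """
    cutoff = today - timedelta(days=max_age_days)
    findings = {}
    for risk in register:
        problems = []
        if risk["last_reviewed"] < cutoff:
            age = (today - risk["last_reviewed"]).days
            problems.append(f"stale: last reviewed {age} days ago")
        if not risk.get("owner"):
            problems.append("no risk owner assigned")
        if risk["status"] not in VALID_STATUS:
            problems.append(f"unexpected status {risk['status']!r}")
        if problems:
            findings[risk["id"]] = problems
    return findings


if __name__ == "__main__":
    for rid, problems in review_register(REGISTER, TODAY).items():
        print(rid, "->", "; ".join(problems))
```

Running it with the sample rows flags R-1 as stale, R-2 for a missing owner and R-3 for an unrecognised status, while R-4 passes; tightening `max_age_days` to 180 additionally marks R-2 as stale.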
