How it Works
This article explains how Sprinto enables organisations to register, assess, treat, and monitor risks to meet security compliance requirements.
Step 1: Register Risks
You can add risks in Sprinto using any of the following methods:
Sprinto Risk Library: Choose from a curated list of industry-standard risks.
Manual Registration: Define custom risks tailored to your organisation.
Bulk Upload: Use the CSV upload option to import multiple risks at once.
Each risk includes detailed metadata such as risk category, owner, source, CIA classification, and scoring parameters.
⚠️ Risks added through bulk upload or manual entry must undergo scoring to become complete.
Step 2: Score Risks
For each registered risk, enter the following parameters:
Likelihood: Probability of occurrence before mitigation.
Impact: Severity if the risk occurs.
Residual Likelihood & Impact: Values after mitigation.
Sprinto calculates both inherent risk and residual risk scores based on these parameters. The risk remains in Incomplete status until this step is completed.
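As an added example (not Sprinto's own code or import schema), the script below parses a constructed bulk-upload CSV carrying the Step 1 metadata fields, computes inherent and residual scores for each row, and keeps a risk in Incomplete status until all four scoring parameters are present. The column names, the 1-5 scale and the likelihood times impact formula are assumptions made for this example.

```python
import csv
import io
from typing import Optional

# Constructed sample bulk-upload CSV. Column names and the 1-5 scale are
# assumptions made for this example; they are not Sprinto's import schema.
SAMPLE_CSV = """\
name,category,owner,source,cia,likelihood,impact,residual_likelihood,residual_impact
Laptop theft,Physical,IT Lead,Risk Library,C,4,4,2,4
Unpatched web server,Technical,AppSec Lead,Manual,I,3,5,,
Vendor outage,Third party,Ops Lead,Manual,A,2,3,2,2
"""

def _score(likelihood: Optional[int], impact: Optional[int]) -> Optional[int]:
    """Score = likelihood x impact (assumed formula); None while a value is missing."""
    if likelihood is None or impact is None:
        return None
    return likelihood * impact

def _to_int(value: str) -> Optional[int]:
    """Blank cells in a bulk upload mean 'not yet scored'."""
    value = value.strip()
    if not value:
        return None
    n = int(value)
    if not 1 <= n <= 5:
        raise ValueError(f"score parameter out of range 1-5: {value}")
    return n

def load_register(csv_text: str) -> list[dict]:
    """Parse uploaded risks, compute inherent and residual scores, and set status."""
    register = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        inherent = _score(_to_int(row["likelihood"]), _to_int(row["impact"]))
        residual = _score(_to_int(row["residual_likelihood"]), _to_int(row["residual_impact"]))
        if inherent is not None and residual is not None and residual > inherent:
            # Mitigation cannot make a risk worse; flag the row for correction.
            raise ValueError(f"{row['name']}: residual score exceeds inherent score")
        complete = inherent is not None and residual is not None
        register.append({
            "name": row["name"], "category": row["category"], "owner": row["owner"],
            "source": row["source"], "cia": row["cia"],
            "inherent_score": inherent, "residual_score": residual,
            # A risk stays Incomplete until every scoring parameter is present.
            "status": "Complete" if complete else "Incomplete",
        })
    return register
```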
Step 3: Map Controls
Controls are mitigation measures mapped to each risk. You can:
Manually select controls relevant to your risk.
Use Sprinto AI to get smart control suggestions.
Controls are mapped to compliance frameworks like SOC 2, ISO 27001, or GDPR.
💡 You can review each control’s applicability and associated framework before mapping.
Step 4: Define Treatment Plan
Each risk requires a treatment approach:
Accept: Acknowledge the risk and accept its residual score.
Transfer: Shift risk responsibility (e.g. outsourcing, insurance).
Further Mitigate: Plan additional actions to lower the residual score.
Avoid: Eliminate the risk by discontinuing related activities.
Sprinto lets you assign a treatment reason and add optional notes.
Step 5: Create Treatment Tasks
For risks that require action, you can create Risk Treatment Tasks:
Assign tasks to Security Hub admins.
Set due dates and descriptions.
Attach evidence or add notes.
Once a task is marked complete, its status updates to Passing.
Step 6: Perform Risk Assessment
Risk assessments must be conducted periodically (at least once a year). You can:
Assess in-app using the risk register.
Upload assessment reports from external systems.
During the assessment:
Review each risk’s parameters.
Register new risks if needed.
Update control mappings and treatment plans.
Step 7: Review by Senior Management
Once the risk assessment is completed, senior management must review it:
Access the pending review card under Security Hub > Review.
Review all risks and assessment details.
Acknowledge the assessment to complete the process.
This sets the risk assessment system check to Passing.