You're an SMB and need to perform a risk assessment but you don't have the money or resources for those fancy GRC tools like RSA Archer or Logic Manager? Don't fret! Excel comes to the rescue. Introducing Excel GRC. Describe your risks and get your risk register and risk mapping automagically generated thanks to the power of Excel macros.
The Excel sheet comes with a sample risk assessment. Read the sample risk assessment and you'll understand how Excel GRC works.
All the inputs are done in the assessment tab. For each risk, provide:
- A risk id (any text).
- The impacted asset and the asset owner.
- A scenario (something bad that could happen to this asset).
- The consequences if the scenario actually happens.
- Your CIA (confidentiality, integrity, availability) evaluation.
Now evaluate the likelihood and the impact. The risk level will be automatically computed.
If you already have some compensating controls, list them here.
Then:
- Decide what you want to do with the risk: Accept, Avoid, Mitigate, Transfer.
- Give a status to your risk: Open, In Progress, Close.
- Detail the plan, if any.
And that's it! If you want to add more risks, copy the last 22 lines, up to the black line, and paste them right after.
- Your risk register is automatically filled in the Risk tab.
- Your risk mapping is automatically filled in the Map tab.
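The same workflow as an added Python example (not the sheet's macros): each assessment row is validated against the allowed treatment and status values, the risk level is computed, and the Risk and Map tabs are derived from the rows. The 1..5 scale, the "level = likelihood x impact" rule and the sample rows are assumptions for illustration; the workbook's own scale and formula may differ.

```python
from dataclasses import dataclass
TREATMENTS = {"Accept", "Avoid", "Mitigate", "Transfer"}
STATUSES = {"Open", "In Progress", "Close"}

@dataclass
class Risk:  # one row of the assessment tab; field names are this example's own
    risk_id: str
    asset: str
    owner: str
    scenario: str
    consequences: str
    cia: str              # which of C, I, A the scenario hurts, e.g. "CI"
    likelihood: int       # assumed 1..5 scale (the sheet's own scale may differ)
    impact: int           # assumed 1..5 scale
    controls: str = ""    # compensating controls already in place
    treatment: str = "Mitigate"
    status: str = "Open"
    plan: str = ""

    def __post_init__(self):
        # Reject values the sheet's drop-downs would not allow.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood/impact must be 1..5")
        if not self.cia or set(self.cia) - set("CIA"):
            raise ValueError(f"{self.risk_id}: CIA must be letters from 'CIA'")
        if self.treatment not in TREATMENTS or self.status not in STATUSES:
            raise ValueError(f"{self.risk_id}: unknown treatment or status")
    @property
    def level(self) -> int:
        return self.likelihood * self.impact  # assumed: level = likelihood x impact

def risk_register(risks):
    """Risk tab: one summary row per risk, highest level first."""
    rows = [{"id": r.risk_id, "asset": r.asset, "owner": r.owner, "level": r.level,
             "treatment": r.treatment, "status": r.status} for r in risks]
    return sorted(rows, key=lambda row: row["level"], reverse=True)

def risk_map(risks):
    """Map tab: risk ids placed on a (likelihood, impact) grid."""
    grid = {}
    for r in risks:
        grid.setdefault((r.likelihood, r.impact), []).append(r.risk_id)
    return grid

# Constructed sample rows, not the sheet's own sample assessment.
SAMPLE = [
    Risk("R1", "Customer DB", "DBA", "Stolen admin credentials", "Data breach", "C", 4, 5, "MFA", "Mitigate", "In Progress", "Rotate keys"),
    Risk("R2", "Web server", "IT", "Volumetric DDoS", "Site offline", "A", 3, 3, "", "Transfer", "Open", "CDN"),
    Risk("R3", "Sales laptop", "Sales", "Lost device", "Client list exposed", "CI", 2, 2, "Disk encryption", "Accept", "Close"),
]
```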
Note: This is Excel. Excel is the tool of the Devil. Don't rely too much on Excel.