Risk Assessment

Created by Venkat Pothamsetty, Modified on Mon, 25 Aug at 12:16 PM by Venkat Pothamsetty

SquareX ISO/IEC 27001 Risk Assessment — All Low Ratings

Date: 2025-08-25
Prepared from Sprinto evidence export (88 controls).

1. Purpose & Scope

This assessment summarizes information security risks for SquareX aligned to ISO/IEC 27001:2022 clause 6.1.2. It is derived from the Sprinto control evidence export provided by SquareX (88 controls total). Scope includes organizational and technical controls supporting SquareX’s production environment and supporting processes.

2. Methodology

Per request, all identified risks in this version are set to Low likelihood and Low impact. We retain a qualitative Likelihood × Impact model on a 5-point scale (Very Low=1, Low=2, Medium=3, High=4, Very High=5).
Risk Score = Likelihood × Impact = 2 × 2 = 4 for all items in this draft.

3. Control Assurance Snapshot

Review completed: 74
Ready for audit: 14
Information requested: 0

4. Prioritization

All items are rated Low/Low; no item is prioritized above the others in this draft. Treatment should still be tracked to closure.

5. Risk Register (from “Ready for audit” items, all set to Low/Low)

Control	Title	Risk Statement	Likelihood	Impact	Risk Score	Treatment Plan
SDC 13	Publishing Cybersecurity & Privacy Documentation	Potential control gap in “Publishing Cybersecurity & Privacy Documentation” noted from Sprinto export.	Low	Low	4	Finalize documentation, obtain approvals, and communicate; record evidence.
SDC 14	Conspicuous Link To Privacy Notice	Potential control gap in “Conspicuous Link To Privacy Notice” noted from Sprinto export.	Low	Low	4	Validate publication and versioning; perform legal review.
SDC 15	Automated Reporting	Potential control gap in “Automated Reporting” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 16	Incident Reporting Assistance	Potential control gap in “Incident Reporting Assistance” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 18	Risk Framing	Potential control gap in “Risk Framing” noted from Sprinto export.	Low	Low	4	Complete risk assessment artifacts and management review.
SDC 25	Periodic Review & Update of Policies	Potential control gap in “Periodic Review & Update of Policies” noted from Sprinto export.	Low	Low	4	Finalize documentation, obtain approvals, and communicate; record evidence.
SDC 26	Management Review of Org Chart	Potential control gap in “Management Review of Org Chart” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 27	Management Review of Risks	Potential control gap in “Management Review of Risks” noted from Sprinto export.	Low	Low	4	Complete risk assessment artifacts and management review.
SDC 29	Management Review of Third-Party Risk	Potential control gap in “Management Review of Third-Party Risk” noted from Sprinto export.	Low	Low	4	Complete risk assessment artifacts and management review.
SDC 30	Subservice organization evaluation	Potential control gap in “Subservice organization evaluation” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 154	Asset Ownership Assignment	Potential control gap in “Asset Ownership Assignment” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 389	Updates During Installations / Changes	Potential control gap in “Updates During Installations / Changes” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 42	User Privileges Reviews	Potential control gap in “User Privileges Reviews” noted from Sprinto export.	Low	Low	4	Complete control implementation evidence and run effectiveness review.
SDC 106	Encryption Policy & Procedure	Potential control gap in “Encryption Policy & Procedure” noted from Sprinto export.	Low	Low	4	Finalize documentation, obtain approvals, and communicate; record evidence.