Risk Register navigation and workflow
Use the Risk Management module to identify risks from the Risk Library, score them, document treatment, and maintain an auditor-ready risk register. This section covers where to find each step in Secureframe.
Where do I find the risk register and risk assessment in Secureframe?
Open Risk Management from the left navigation, then Risk Register to view assessed risks. Open Risk Library to browse pre-built risks or create custom risks to add to your register.
For the full workflow (Details, Assessment, Treatment, Review), see Risk Management Module.
Where do I complete the annual risk assessment and update the risk register?
From Risk Management → Risk Library, add relevant risks to your register (or create custom risks). Open each risk and complete the four-step workflow: Details (owner, category, tags), Assessment (likelihood and impact), Treatment (accept, transfer, avoid, or mitigate), and Review (confirm and click Complete Assessment).
Export risk history from the risk detail page when auditors request evidence of periodic review.
How do I navigate back to the Risk Evaluation screen to review or edit comments?
Open the risk from Risk Register and use the workflow tabs (Details, Assessment, Treatment, Review) to move between sections.
If the risk is Complete, revert it to Draft before editing notes, scores, or mitigating controls. Completed risks must be in Draft to change treatment or assessment fields.
Can I remove a risk entirely from the Risk Register?
Risks in Draft can be deleted from the register. Completed risks should be reverted to Draft first if you need to remove or substantially change them.
If a risk is no longer applicable, document the rationale in Treatment (for example, risk avoidance) rather than deleting historical records you may need for audit traceability.
How do I edit notes or remove mitigating controls from a risk assessment draft?
Confirm the risk is in Draft status. Open the risk and edit notes in Details or Treatment. Remove or change mitigating controls in the Treatment section and update residual risk justification.
What should I do if I get an error when clicking Complete Assessment?
The Risk Management module requires required fields on the Details page (owner, category, and other validations) before Complete Assessment succeeds. Review each workflow step for missing scores, treatment decisions, or justification text.
If all fields appear complete and the error persists, capture a screenshot of the error and the risk name, then contact [email protected] or Live Chat so Support can investigate.
Where do I upload Incident Response tabletop exercise documentation?
Search Tests for your Incident Response or tabletop-related test (for example, incident response plan test or BC/DR tabletop). Upload meeting notes, attendance, and scenario outcomes as evidence on that test or in the Data Room if your program uses manual upload tests.
For IR plan and playbook questions, see FAQs: Incident response and risk events.
Certification and audit scope
Scoping decisions determine which personnel, systems, and evidence are in scope for your audit or certification. Use these starting points and linked articles for framework-specific detail.
How do I determine what is in scope for my compliance audit?
Scope generally includes personnel, tools, and data flows that handle in-scope information (customer data for SOC 2, ISMS boundaries for ISO 27001, CUI for CMMC, and so on). Confirm scope with your auditor early to avoid scope creep.
Are contractors who access customer data or source code in scope for ISO 27001?
Yes. Contractors with access to customer data, production systems, source code, or who support the ISMS are typically in scope. Staffing-firm contractors may still require your organization to document provisioning, training, and vendor due diligence.
Can a CMMC assessor unilaterally increase assessment scope, cost, or duration during a CRMA spot check?
Assessors work from the agreed assessment scope and asset inventory. They do not unilaterally expand the engagement without a scope or statement-of-work adjustment. CRMA reviews are generally SSP-based, with limited spot checks when documentation is insufficient.
Limited CRMA checks should not materially increase assessment duration or cost. See FAQs: FedRAMP, CMMC, and DFARS for CRMA and assessor guidance.
Should I ignore failing GCP integration tests for projects that are not in my in-scope list?
Document why out-of-scope GCP projects are excluded, narrow the integration to in-scope projects where possible, and use test notes or disable tests that do not apply. Do not leave failing tests unexplained if those projects are truly out of audit scope.
See How to Determine Audit Scope and your GCP integration settings under Monitoring → Integrations.
Can out-of-scope personnel still complete training or policy acknowledgments?
Yes. Out-of-scope personnel can still be assigned training or policies if you choose. Marking someone out of scope affects compliance test populations, not their ability to complete assignments.
