
Cloud Risk Assessment (CRA) — Template
GCDO-aligned • v1.1
Contents: Document control • Service Overview • Data & Residency • Threat Model • Controls Mapping • Risk Register • Privacy & DPIA • Supplier Due Diligence • Testing & Assurance • Residual Risk & Approvals • Appendices
Document control
| Field | Value |
| --- | --- |
| Project / Service | |
| Version / date | v1.1 / 25 Sep 2025 |
| Prepared by | |
| Reviewed by | |
| Stakeholders | |
| Distribution | Client/Project |
| Confidentiality | Internal/Client |
Service Overview
Describe the service, business purpose, data types, data volumes, key user groups, and links to architecture diagrams.
| Field | Guidance |
| --- | --- |
| Provider / Product | |
| Business purpose | |
| Data types | e.g., contact info, logs, telemetry; mark if any sensitive/PII/PDF. |
| Users / roles | |
| Architecture | Link to diagram / reference architecture |
Data & Residency
| Field | Guidance |
| --- | --- |
| Residency / hosting regions | e.g., NZ/AU/EU/US; specify services/regions |
| Backups & immutability | Controls, frequency, retention; restore test cadence |
| Encryption | In transit / at rest (algorithms if known), key management |
| Access controls | MFA, RBAC/least privilege, break‑glass, audit |
| Logging & monitoring | What’s logged, retention, SIEM/XDR integration |
| Retention & disposal | Policy period, disposal workflow and evidence |
Threat Model (summary)
- Identity compromise (phish/OAuth)
- Misconfiguration / key leakage
- Data breach / oversharing
- Ransomware / destructive change
- Availability / DDoS
- Insider misuse
- Supplier failure
Customise per service. Include OT/edge considerations where relevant.
Controls Mapping
| Domain | Key controls | Evidence / references |
| --- | --- | --- |
| Identity & Access | MFA; Conditional Access; Just‑in‑Time; least privilege | Entra CA policy IDs; break‑glass runbook |
| Data Protection | Encryption; DLP/labels; data minimisation | Retention schedule; DLP policy IDs |
| Logging & Monitoring | Centralised logs; alerting; time sync | SIEM rules; retention config |
| Backup & DR | Immutability; restore tests; RTO/RPO | Test reports; DR plan link |
| Change & Config | IaC/guardrails; change approvals; golden configs | CAB records; config baselines |
| Privacy | DSR workflow; breach thresholds; cross‑border assessment | Privacy Op. Summary; OPC cues |
Risk Register
Score each risk using Impact × Likelihood (5×5). Add treatments and owners; determine residual risk.
| ID | Risk | Threat/Exploit | Impact | Likelihood | Rating | Treatment / Mitigations | Owner | Target date | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| R‑001 | | | 1–5 | 1–5 | | | | | Open |
Rating guide: 1=Low … 5=Critical. High (≥15) requires executive review and tracked treatment.
Privacy & DPIA
| Field | Guidance |
| --- | --- |
| DPIA required? | Yes/No; triggers: high‑risk processing, cross‑border, special categories, large‑scale monitoring |
| DSR handling | Point to DSR process; identity verification steps |
| Breach thresholds | “Likely to cause serious harm” → notify OPC / individuals as appropriate |
Supplier Due Diligence
| Field | Guidance |
| --- | --- |
| Security posture | Certifications/attestations; audits; breach history |
| Contractual terms | Confidentiality; incident notice SLAs; sub‑processor flow‑downs; right to audit |
| Location & transfers | Regions; transfer mechanisms; supplementary measures |
Testing & Assurance
| Field | Guidance |
| --- | --- |
| Penetration / security tests | Dates and scope; summary results |
| Restore tests | Dates, scope, RTO/RPO achieved |
| Control validations | Sampled evidence; log retention checks |
Residual Risk & Approvals
| Field | Guidance |
| --- | --- |
| Residual risk summary | Low/Medium/High with rationale |
| Approvals | Project Owner • Security • Privacy • Executive |
Appendices
- Architecture diagram(s)
- Data flow(s)
- Processor/sub‑processor list
- Agreements & clauses