---
layout: handbook-page-toc
title: "RM.1.05 - Risk Management Policy"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# RM.1.05 - Risk Management Policy

## Control Statement

A formal risk management program is documented within the risk management policy as well as the Employee Handbook and is available to both internal and external system users.

## Context

GitLab has established and maintains a risk management program which includes a formal [Risk Management Policy](handbook/engineering/security/risk-management.html#risk-management-policy) that is documented in the Handbook and available to both internal and external system users. The risk management policy is reviewed annually, and any changes or updates that the review identifies are made to the policy accordingly.

## Scope

This control is applicable to the GitLab organization as a whole.

## Ownership

* Control Owner: `Security Compliance`
* Process owner(s):
  * Security Compliance
  * Internal Audit

## Guidance

All GitLab employees are subject to the risk management policies. Security Compliance is the ultimate owner of the risk management process as a whole and gathers input from the various other risk assessment activities that occur throughout GitLab, such as vendor security reviews or fraud risk assessments performed by the Internal Audit function.

## Additional control information and project tracking

Non-public information relating to this security control, as well as links to the work associated with the various phases of project work, can be found in the [Risk Management Policy control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/-/issues/1709).

### Policy Reference

* [Risk Management Policy](handbook/engineering/security/risk-management.html#risk-management-policy)

## Framework Mapping

* SOC2 CC
  * CC3.2
  * CC5.1
  * CC5.2