---
layout: handbook-page-toc
title: "RM.3.01 - Remediation Tracking Control Guidance"
---

## On this page
{:.no_toc .hidden-md .hidden-lg}

- TOC
{:toc .hidden-md .hidden-lg}

# RM.3.01 - Remediation Tracking

## Control Statement

Management prepares a remediation plan to formally manage the resolution of findings identified in risk assessment activities.

## Context

Risk assessments find and prioritize risks, but that information and insight is only useful if it's acted on. This control aims to ensure the risks we find in risk assessments are appropriately acted on and remediation efforts are seen to their full completion.

## Scope

This control applies to all risk assessments and their respective risk findings.

## Ownership

* Control Owner: `Security Compliance`
* Process owner(s):
    * System Owners
    * Data Protection Officers
    * Security Compliance

## Additional control information and project tracking

Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the [Remediation Tracking control issue](https://gitlab.com/gitlab-com/gl-security/compliance/compliance/issues/871).

Examples of evidence an auditor might request to satisfy this control:

* Copy of the risk tracking and remediation process.
* Copy of the risk registry.
* Sample risk remediation issues.

### Policy Reference

* [Risk Remediation and Tracking](/handbook/engineering/security/#risk-remediation-and-tracking)

## Framework Mapping

* SOC2 CC
    * CC4.2
    * CC5.1
    * CC5.2