Risk management activities are prioritized based on an assigned residual risk rating as defined in the risk management policy.
The purpose of this control is to ensure that risk treatment activities are carried out in accordance with assigned risk ratings defined in the
This control applies to all security risks identified in GitLab's environment as part of the annual risk assessment process or ad-hoc through other means.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Service Risk Rating Assignment control issue.
Examples of evidence an auditor might request to satisfy this control: