📅 Schedule a Claude Cowork Risk Assessment

Most vendor reviews leave security teams with a stack of marketing PDFs and a deadline. This one ends with a written, defensible decision.

• Capability-to-control mapping — every Cowork feature plotted against your NIST CSF, ISO 27001, or SOC 2 control set
• Residual risk register — the five to seven items that don't map cleanly, with severity scoring
• Written acceptance recommendation — a 3-page memo your risk committee can ratify in one meeting
• Compensating controls list — concrete configurations, DLP rules, and policy clauses you can implement in week one
• Audit-ready evidence pack — screenshots, configuration exports, and vendor attestations referenced inline

Tightly scoped, no slideware. We bring the framework, you bring the people who can answer questions in the room.

1. Minutes 0–15 · Scope alignmentConfirm in-scope business units, data classifications, and the control framework of record.
2. Minutes 15–45 · Cowork capability walkthroughLive demo of identity, data handling, audit logging, and admin controls — not a sales pitch.
3. Minutes 45–90 · Control mapping exerciseWe work the matrix together. Green, amber, and red flags called out in real time.
4. Minutes 90–105 · Residual risk discussionDebate the ambers. Document acceptance rationale or compensating controls.
5. Minutes 105–120 · Recommendation draftWe outline the written memo on screen so you see exactly what gets delivered.

A working list — the final mapping is tailored to your framework, but these are the areas we'll address in every engagement.

• Identity & access management — SSO, SCIM, role hierarchies, session policies
• Data handling & residency — where prompts and outputs live, retention windows, regional pinning
• Model training boundaries — contractual and technical guarantees against training on your data
• Audit logging & monitoring — log completeness, SIEM integration, retention period
• Encryption — in transit, at rest, and key management posture
• Third-party subprocessors — current list, change notification, and flow-down obligations
• Incident response — notification SLAs, severity definitions, customer communication channels
• Business continuity & exit — data export formats, deprovisioning timelines, vendor lock-in risk

Minimal prep on your side — but the right artifacts in the room make the difference between a generic review and a decision-grade one.

A short, structured memo — not a 40-page report nobody reads. Designed for a risk committee to approve in a single review cycle.

1. Executive summaryOne paragraph: recommended posture (accept, accept-with-conditions, or defer) and the headline rationale.
2. Scope statementBusiness units, data classes, user populations, and use cases covered.
3. Control mapping summaryTable of in-scope controls with status: satisfied, compensating control required, or residual risk.
4. Residual risks and acceptance rationaleThe honest list — what we can't fully mitigate and why it's acceptable in context.
5. Required compensating controlsSpecific actions, owners, and target dates before go-live.
6. Review cadenceWhen to revisit the decision and the triggers that would force an earlier review.

The workshop is the start of a 10-business-day process. Here's exactly what to expect.

• Day 1–3: Draft recommendation memo circulated for factual review
• Day 4–6: Stakeholder comments incorporated; compensating controls finalized with named owners
• Day 7–8: Final memo issued with appendices — control matrix, evidence references, residual risk register
• Day 9–10: 30-minute readout call with your risk committee, ready for formal approval vote
• Optional follow-on: Implementation support for the compensating controls, scoped separately