Clerk.io

Risk Assessment Report – 2025

1. Executive Summary

Between 2025-03-01 and 2025-03-15, Clerk.io conducted its annual ISO 27001 risk assessment covering 42 information assets and 68 threat scenarios. A total of 21 risks were identified: 5 rated High, 10 Medium and 6 Low.

No Extreme (score 20-25) risks were discovered.

2. Methodology

The assessment followed the approved risk-assessment-methodology.md, using likelihood/impact scales (1-5) and risk score = L × I. Workshops were held with Engineering, SRE, Product, HR and Legal teams.

3. Key High Risks

ID     Description                         Score   Proposed Treatment
R-001  Credential stuffing against APIs    16      Rate limiting, bot/automation detection, breached-password checks,
                                                   anomaly-based protections; keep MFA for employee/admin endpoints
                                                   and promote SSO for customers
R-002  Single-region cloud outage          20      Automate restore and infra provisioning (Terraform/Ansible);
                                                   strengthen backups and documented cross-region restore drills
                                                   using replicated data (eu-central-1 -> eu-west-1)
R-003  Insider exfiltration                15      EDR, DLP, logging improvements

4. Residual Risk & Acceptance

Implementation of the controls in the Risk Treatment Plan is expected to reduce all High risks to a score of ≤8 within the next six months. Acceptance of residual risk R-005 was granted by the CEO on 2025-03-28.

5. Conclusion

Clerk.io's risk exposure is within the defined appetite once planned treatments are completed. Progress will be tracked via bi-monthly ISMS reviews.

Prepared by: Information Security Manager
Reviewed by: Head of Product & CEO
Date: 2025-03-28