Risk Assessment Report – 2025
1. Executive Summary
Between 2025-03-01 and 2025-03-15, Clerk.io conducted its annual ISO 27001 risk assessment covering 42 information assets and 68 threat scenarios. A total of 21 risks were identified; 5 rated High, 10 Medium and 6 Low.
No Extreme (score 20-25) risks were discovered.
2. Methodology
The assessment followed the approved risk-assessment-methodology.md, using likelihood/impact scales (1-5) and risk score = L × I. Workshops were held with Engineering, SRE, Product, HR and Legal teams.
3. Key High Risks
ID | Description | Score | Proposed Treatment |
R-001 | Credential stuffing against APIs | 16 | Rate-limit, MFA enforcement (see RTP) |
R-002 | Single-region cloud outage | 20 | Multi-region failover design |
R-003 | Insider exfiltration | 15 | EDR, DLP, logging improvements |
4. Residual Risk & Acceptance
Implementation of controls in the Risk Treatment Plan is expected to reduce all high risks to ≤8 within the next six months. Acceptance for residual risk R-005 was granted by the CEO on 2025-03-28.
5. Conclusion
Clerk.io's risk exposure is within the defined appetite once planned treatments are completed. Progress will be tracked via bi-monthly ISMS reviews.
Prepared by: Information Security Manager
Reviewed by: CTO & CEO
Date: 2025-03-28