Ambassify takes a proactive and structured approach to managing information security risks. We continuously identify, evaluate, and address risks to protect your data and maintain the trust you place in our platform.

Risk Assessment Methodology

Our risk assessment follows internationally recognized frameworks to ensure consistency and rigor.

  • Standards-based Approach - Our methodology is based on ISO 27005 and ISO 31000, adapted to our operational context
  • Likelihood and Impact Scoring - Each risk is evaluated using a defined scoring matrix that considers both the probability of occurrence and the potential impact
  • Broad Coverage - Risk categories span internal issues, external threats, stakeholder needs, and third-party dependencies
  • Consistent Criteria - Clear and repeatable criteria ensure risks are assessed objectively across the organization

Risk Treatment

Every identified risk receives a deliberate response based on its severity and context.

  • Four Treatment Options - Risks are addressed through mitigation, acceptance, transfer, or avoidance depending on the circumstances
  • Treatment Plans - Risks above acceptable thresholds receive documented treatment plans with specific actions
  • CISO Approval - High-risk items require explicit CISO approval and active mitigation before they can be accepted
  • Residual Risk Tracking - Remaining risk after treatment is documented and monitored over time

Continuous Assessment

Risk management is not a one-time activity. We maintain ongoing visibility into our risk landscape.

  • Annual Assessment - A formal, comprehensive risk assessment is performed at least once per year
  • Semi-annual Reviews - Additional review sessions are held twice per year to address emerging threats and changes in the environment
  • Living Risk Register - The risk register is maintained and updated as conditions, threats, or business context change

Corrective Actions

When issues are found, we act quickly and systematically to resolve them.

  • Tracking - Non-conformities identified through audits, incidents, or reviews are formally tracked
  • Clear Ownership - Each corrective action is assigned to a responsible owner with a defined timeline for resolution
  • Root Cause Analysis - Underlying causes are analyzed to prevent the same issue from recurring
  • Verification - Completed actions are verified for effectiveness before closure

Statement of Applicability

Our security controls are mapped to recognized international standards.

  • ISO 27001 Alignment - Controls are mapped to ISO 27001 Annex A requirements to ensure comprehensive coverage
  • Justified Controls - Each control is documented with a clear justification for its inclusion or exclusion
  • Regular Review - The Statement of Applicability is reviewed periodically to ensure controls remain appropriate, effective, and aligned with current risks