Skip to content

Appcircle Risk Assessment Policy

Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)

Purpose

This policy defines Appcircle's approach to identifying, assessing, and treating information security risks. A consistent risk assessment process ensures that security controls are prioritised based on the actual risks facing Appcircle's systems, data, and operations, and that risk decisions are made with appropriate oversight and documentation.

Scope

This policy applies to:

  • All information systems, services, and processes operated by Appcircle.
  • All personnel responsible for managing or operating information assets.
  • Third-party services that process or store Appcircle or customer data, where applicable.

Risk assessment approach

Appcircle uses a risk-based approach to information security, consistent with ISO/IEC 27001 and aligned with SOC 2 requirements. Risk assessments are conducted to identify threats and vulnerabilities to Appcircle's information assets, assess the likelihood and potential impact of each risk, and determine appropriate treatment actions.

Risk assessment process

1. Asset identification

The assessment begins by identifying the information assets within scope, including systems, data stores, processes, and third-party dependencies.

2. Threat and vulnerability identification

For each asset, relevant threats (e.g., unauthorised access, data loss, service disruption) and associated vulnerabilities are identified based on the asset's characteristics, exposure, and operational context.

3. Risk evaluation

Each identified risk is evaluated based on:

  • Likelihood: The probability of the threat being realised, considering existing controls.
  • Impact: The potential harm to Appcircle, its customers, or its operations if the risk materialises.

Risks are assigned a severity level (e.g., Critical, High, Medium, Low) to support prioritisation.

4. Risk treatment

For each identified risk, one of the following treatment options is selected:

  • Mitigate: Implement controls to reduce likelihood or impact to an acceptable level.
  • Accept: Formally document and accept the risk where the cost of treatment outweighs the benefit, or where the residual risk is within tolerance.
  • Transfer: Transfer the risk to a third party (e.g., through insurance or contractual arrangements).
  • Avoid: Discontinue the activity or system that gives rise to the risk.

Treatment decisions and residual risks are documented in the risk register.

5. Risk register

Appcircle maintains a risk register that records identified risks, their assessed severity, treatment decisions, assigned owners, and review status. The risk register is reviewed as part of the annual risk assessment cycle and updated when significant changes occur.

Risk appetite

Appcircle accepts a low tolerance for risks that could result in:

  • Unauthorised access to or disclosure of customer data.
  • Material disruption to production services.
  • Regulatory non-compliance or significant reputational harm.

Higher residual risk may be accepted for lower-severity findings where compensating controls are documented and approved.

Assessment cadence

  • A full risk assessment is conducted at least annually.
  • Ad hoc assessments are triggered by significant changes, including new systems, major architecture changes, new regulatory requirements, or post-incident reviews.

Roles and responsibilities

  • Engineering Management (Policy Owner): Accountable for this policy; approves risk treatment decisions and risk acceptance; reviews and signs off on the risk register.
  • Engineering / Platform / Operations: Conducts risk assessments; maintains the risk register; implements approved treatment actions; escalates unresolved risks.
  • All personnel: Report newly identified risks or vulnerabilities to Engineering Management.

Regulatory alignment

This policy supports compliance with:

  • SOC 2 (Trust Services Criteria — Risk Assessment, Common Criteria)
  • ISO/IEC 27001:2022 (Clause 6.1 — Actions to address risks and opportunities; A.5.7 Threat intelligence)
  • GDPR (Article 32 — Security of processing; Article 35 — Data protection impact assessments where applicable)
  • KVKK (Article 12 — Data security obligations)

Exceptions

Exceptions to this policy must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner or an authorised delegate.
  • Reviewed before expiry and retired when no longer required.

Policy review and updates

This policy is reviewed at least annually and when significant changes occur to Appcircle's systems, operations, or regulatory environment.

Note

This public policy describes Appcircle's risk assessment approach at a high level. The internal risk register, detailed risk scoring methodology, and risk treatment plans are maintained separately and may be shared under appropriate agreements when required.

  • Information Security Policy
  • Vulnerability Management Policy
  • Change Management Policy
  • Incident Response Plan
  • Business Continuity and Disaster Recovery Policy
  • Vendor Management Policy
  • Asset Management and Data Classification Policy