ACI Risk Measure has obtained an ISAE 3402 assurance statement assessing our controls relevant to the services we provide to clients. The statement provides independent confirmation, verified by Grant Thornton, that our services and quantitative assessment platform are supported by a controlled, documented, and auditable framework.

One infrastructure. Two delivery models.

We work with clients in two ways: through a managed service and through larger bespoke risk assessments. The ISAE 3402 statement covers both. What they share is the same underlying infrastructure – the same platform, the same controlled processes, and the same standard of documentation.

Central to this infrastructure is qAp, our platform for structured, quantitative risk assessment. Our services are delivered through a structured framework supported by our platform, a tested and documented methodology, and consistent operating procedures. The ISAE 3402 statement assesses both our company and the processes surrounding the use of qAp.

Independently verified. Annually audited.

ISAE 3402 is an internationally recognised standard that verifies whether an organisation’s internal controls are suitably designed. The statement obtained by ACI Risk Measure is a Type 1 report, confirming the design and existence of our controls at the point of assessment. This is the recognised starting point for independent assurance under the ISAE 3402 standard.

For us, it represents an important milestone. ACI Risk Measure is a cyber risk management company, focused on measuring what matters and providing decision support for organisations managing cyber risk. qAp forms the infrastructure that makes this a structured, repeatable, and independently verifiable assessment.

European cloud — built for regulated markets

qAp operates on European cloud infrastructure. As risk managers ourselves, we considered this an important choice. It is particularly relevant for clients operating under regulatory frameworks such as DORA and NIS2, where governance, documentation, and control over outsourced services are subject to increased regulatory scrutiny.

Talk to us about structured cyber risk quantification

Our managed service is designed for organisations that need continuous and structured cyber risk quantification, without the need to build and maintain an in-house capability.
