Acuity Risk Management Limited

STREAM Cyber Risk Platform

Hosting of STREAM Cyber Risk Platform on dedicated cloud infrastructure. STREAM is also available as on-premises software. Please contact Acuity Risk Management for details.


  • Risk-based compliance with GDPR, ISO 27001 and other frameworks
  • Risk registers, heat maps, loss exceedance, history, what-if analysis
  • Threat and vulnerability management, continuous compliance, incident and audit management
  • Quantitative and qualitative risk assessments, return on security investment
  • Integrated action management with alerting, reminders and workflow
  • Enterprise risk management, including operational, vendor, HSSE and BCM risk
  • Rich set of dashboards and reports with extensive custom reporting
  • Highly flexible with quick and easy configuration and deployment
  • Connectors to vulnerability scanners and import/export with other systems
  • Intuitive and easy to use with free on-line training


  • Reduced risk of fines and other impacts from data breaches
  • Greater assurance of compliance with GDPR and other regulations
  • Mitigation of damages in the event of a breach
  • Reduced costs of compliance and audit
  • Efficiencies arising from an integrated approach to risk management
  • Enables business development through risk-informed decision making
  • Clear accountability for actions and risk acceptance
  • Greater engagement with the Board on cyber security and risk
  • Reduced risk of under or over spend on cyber security
  • Reputational benefits from a professional approach to risk and compliance


£46 to £110 per user per month

Service documents


G-Cloud 11

Service ID

615781981858065


Acuity Risk Management Limited

Jonny Hay

+44 20 7297 2411

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints The STREAM service consists of a rich client running on the application server and distributed over the network via a virtualisation platform Ericom Connect ('Ericom').
System requirements Ericom: HTML5-capable browser

User support

Email or online ticketing support Email or online ticketing
Support response times Support is available from 09.00 to 17.30, Monday to Friday
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support is integrated within the Acuity STREAM Cyber Risk Platform subscription and includes help desk, error correction and software upgrades. Each buyer has a technical account manager assigned.
Support available to third parties Yes

Onboarding and offboarding

Getting started Initial setup with power user accounts for designated customer contacts >> Handover email to designated contacts with instructions for first login and further user creation >> Optional run-through of the system over the phone >> Further resources available self-service (online training videos, user manual and other written material)
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The customer should request a backup of their SQL Server database from our support desk. The database backup (a BAK file) will be made available to the customer via a secure file transfer method.
End-of-contract process Provided 60 days' notice is given prior to contract termination, no additional costs are incurred at the end of the contract. Failure to provide 60 days' notice prior to termination commits the buyer to another year's subscription.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service No difference - mobile access through web browser
Service interface Yes
Description of service interface The service interface is provided by Ericom AccessNow™, a proprietary line of HTML5 remote desktop protocol (RDP) clients which provide web browser-based access to Windows applications running on Windows Server hosts. In this implementation of the Ericom interface, the pool of virtualised Windows applications making up the service is presented to users as icons on the Ericom portal. After authentication, end-users can see the icons and click these to launch the applications, which from this point onwards behave as they would in normal Windows desktop environments.
Accessibility standards None or don’t know
Description of accessibility N/a
Accessibility testing N/a
Customisation available Yes
Description of customisation STREAM is a flexible solution which can be configured by the user through the user interface, with supporting productivity utilities for bulk upload of control frameworks, threat catalogues, assets and legacy data. Customers can quickly and easily automate their preferred risk management and compliance processes in STREAM.
The following can be customised as standard:
- The business model for organising and reporting on compliance and risk status
- The asset model for organising assets, linking them to the business model and reporting
- Mappings between information assets and supporting assets
- Catalogues of threats and control frameworks with linkages to each other
- Mappings between control frameworks allowing a ‘measure once’ - ‘report multiple times’ approach
- Multiple schemes for qualitatively and quantitatively assessing different types of risk and different control frameworks
- Unlimited configurable event types, such as incidents, near-misses, vulnerabilities, threat intelligence, issues and opportunities
- Unlimited configurable fields for assets, risks, controls, event types and actions
- Auto-scheduling of dates for next assessment and acceptance
- Settings for colour thresholds, display of reports and attributes for documents, actions and events
- Custom Reports allowing an administrator to configure unlimited tabular reports by selecting from available database fields.


Independence of resources Acuity Cloud base infrastructure consists of a multi-tenanted virtual Microsoft Active Directory (AD) domain using AD Organisational Units (OU) to isolate tenants. A multi-tenanted virtual SQL Server farm back-end provides hosting for the STREAM databases. Application servers are dedicated to individual clients and provide access to the STREAM application, related applications and file-sharing. Group Policy and other techniques are used to harden application server security and prevent access to administrative functions.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Users may export the data in CSV format using the "Export" button available in the STREAM user interface as standard, or in XLS format using special STREAM utilities which may be set up on request.
Data export formats
  • CSV
  • Other
Other data export formats XLS
Data import formats
  • CSV
  • Other
Other data import formats XLS

Data-in-transit protection

Data protection between buyer and supplier networks Legacy SSL and TLS (under version 1.2)
Data protection within supplier network Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability Hosting portal availability: 99.9%;

STREAM application faults are classified into priority levels as follows:
  • Critical (severe business impact): Initial Response - 30 minutes, Target Resolution - 4 hours
  • High (high business impact): Initial Response - 1 hour, Target Resolution - 8 hours
  • Medium (moderate business impact affecting only non-business critical applications or business processes): Initial Response - 1 hour, Target Resolution - 72 hours
  • Low (limited business impact affecting only non-business critical applications or business processes): Initial Response - 2 hours, Target Resolution - 240 hours
Response times apply during UK Business Hours Mon-Fri 09:00-17:30.

No refunds provided on failure to meet SLA but service subscription time may be extended as appropriate, after review with customer.
Approach to resilience The Private Cloud is hosted on multiple hardware clusters with automatic failover. The Base Infrastructure is distributed across independent hardware clusters to provide continuity in the event of a single entire cluster failure.
All individual hardware components used to build clusters and other infrastructure are completely fault-tolerant including servers, storage, switches and other devices. Fault-tolerant features include but are not limited to hardware RAID, dual PSU, dual CPU and multiple RAM. Bench stock is retained for hardware back up.
All hardware clusters have multiple independent paths of connectivity and power.
Outage reporting We send Reason For Outage (RFO) reports by email as part of our incident management process.

Identity and authentication

User authentication needed Yes
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Self-service User Management interface provided for management of user accounts on service. Access to User Management restricted to designated users and managed through dedicated Active Directory groups.

Configuration of STREAM application contents and logic managed from within the application and subject to user permissions.

Support channels: email, phone.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Hosting Supplier Handstand: Accredited by BMTRADA; 4D-Datacentre: Accredited by NQA
ISO/IEC 27001 accreditation date 18/07/18; 20/05/19
What the ISO/IEC 27001 doesn’t cover STREAM back office administration
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • PCI:DSS security compliant data centre
  • Cyber Essentials

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We follow ISO27001 principles
Information security policies and processes We follow ISO27001 principles

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes managed as service requests on internal ticketing system. Service request tickets are linked to the appropriate asset(s) in the configuration management database (CMDB) and tracked until implementation and documentation.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Physical host and virtual machine operating system critical and security patches will be applied within 30 days of release. Other patches will be applied within 90 days of release. We subscribe to all the well-known vulnerability feeds and Microsoft update alerts.
Protective monitoring type Supplier-defined controls
Protective monitoring approach An intrusion detection system (IDS) is in place on our firewall clusters, with server-based IDS on the host machines. Email or SMS alerts are sent when suspicious activity is detected on monitored systems. We also take into account incident reports from end-users or staff members when they suggest any unusual activity. As soon as suspicious activity is detected, we log in to investigate the affected systems as a matter of priority and take action where required.
Incident management type Supplier-defined controls
Incident management approach Incidents are defined as occurrences of events with potential to compromise information security on the host infrastructure. Information security incidents are logged as soon as detected and tracked until adequate resolution and closure.

Incident management workflow: detection > logging > containment > remediation > root-cause analysis > security review > planning of improvements and preventive actions to protect against recurrence > incident closure.

When appropriate, a Reason for Outage report (RFO) is generated and sent to users by email.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £46 to £110 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial A free desktop trial version of the STREAM software is offered and installed on a single device. This provides identical functionality to the cloud software service.
Link to free trial
