Acuity Stream

Published under Risk Management

Tool Identity Card

General information
Basic information to identify the product

Tool name : Acuity STREAM
Vendor name : Acuity Risk Management LLP
Country of origin : United Kingdom

Level of reference of the tool
Details about the coverage or the « originators » of the solution

Coverage : World-wide
Supported by organization, club,... (e.g. as sponsor) : None

Brief description of the product
Give a brief description of the product containing general information, overview of functions â € ¦

  • STREAM is a comprehensive, highly configurable yet simple-to-use software product which automates the complex processes involved in managing compliance with standards and delivering effective risk management. STREAM is a multi-concurrent user, role based software tool, with a central database, used in real-time by risk managers, risk analysts, business stakeholders, control owners, and internal auditors. It is also available as a single user tool for smaller organisations and consultants.
    The STREAM Single User Edition is available as a FREE download from the Acuity website, and includes computer based training resources.
    STREAM provides valuable and meaningful information for senior managers, on the status of compliance across the business with key control standards, and on the level of residual risk measured in relation to defined business appetites. It genuinely integrates compliance with risk management in a business context. It achieves this through an innovative yet simple and logical approach that is easily understood and explained.
    The STREAM user interface is based around clear and simple, hierarchical dashboards which reflect the structure of the business.
    The meaningful dashboards are supplemented by a set of graphical barometers, charts and gauges, which provide clear visibility of the essential compliance and residual risk summary data.
    STREAM delivers all of the requirements of ISO 27001 and BS 25999, and greatly simplifies the maintenance and demonstration of compliance with these and other Management System and risk based standards, including ISO 9001, ISO 14001 and ISO 18001. Additional controls, and indeed entire standards, can be quickly and easily added into STREAM by a privileged user.
    STREAM provides the entire ISMS framework for ISO 27001, including asset identification and business modelling, risk and compliance assessment and residual risk measurement against appetite, risk treatment and improvement planning, trending and security Return on Investment calculation. STREAM covers every part of the Plan Do Check Act international management system model. As a result, STREAM is ideal for organisations seeking to maintain an electronic ISMS, without necessitating extensive paperwork.
    The STREAM platform is effective for a wide range of operational risk management / governance applications including Information Security, Business Continuity, Environmental, Health & Safety, Regulatory Compliance, Corporate Risk, Project and Programme, Quality and Process Management. It is ideal for establishing an Integrated Management System (IMS) to address multiple, related control standards.
    STREAM was designed by subject experts and is developed wholly in the UK.

Supported functionality
Specify the functionality this tool provides.

R.A. Method phases supported

  • Risk identification : The user can first define the hierarchical structure of the business in terms of its divisions and functions, directorates and divisions, programmes and projects, functions and teams or any other hierarchical levels. (Generically within STREAM, these hierarchical levels are termed 'Enterprise', 'Workspace' and 'Register'.) The user can then enter business 'assets' into this hierarchical structure. Assets include such objects as the organization itself, critical business processes, staff/teams, mobile/home workers, information in all of its forms, IT systems, networks, third parties, third party connections, services, portable storage devices, and a range of other types - which can be extended by an administrative user if necessary. This enables a risk model to be maintained as new technology becomes available. Assets can be Register specific, Workspace specific (i.e. critical to many Registers) or Enterprise wide (i.e. critical across the business). Automatic Risk Identification Once assets are defined, STREAM automatically identifies the relevant information security risks, and registers these onto a 'drillable' set of hierarchical dashboards which follow the organizational structure. Again, new threat types can be configured into STREAM by the user, as they are identified. Ad-Hoc Risks The user can also enter ad-hoc risks into the system, together with appropriate risk mitigation controls/actions. This allows you to manage information security, asset-based risks together with (for example) business or project risks, within the same management system.
  • Risk analysis : In terms of Risk Analysis, STREAM is highly configurable. All risks can be assessed separately in terms of the classic Confidentiality (C), Integrity (I) and Availability (A) impact types. Also, a privileged user can setup additional types of impact, thereby extending and tailoring STREAM to the needs of the organization. Fundamentally, STREAM enables the user to carry out a business impact and likelihood assessment for each identified risk. Quantitative and Qualitative Business Impact Assessment STREAM can be configured such that the business impact is assessed Quantitatively (e.g. using a financial scale) or Qualitatively (e.g. reputational 'soft' impact scale), or a combination of both. Using the configuration options provided, a privileged user can easily setup a 3x3, 5x5, 9x9 or other 'soft' matrix-style risk assessment method, with appropriate labels such as Very Low ➝ Very High. STREAM can easily be configured to support most organization or sector specific Business Impact schemes, such as the UK Government's IS 1 Scheme (Level 0 - Level 6), and from the confidentiality/disclosure viewpoint can be easily aligned with common information marking schemes, e.g. PROTECT, RESTRICTED and CONFIDENTIAL. Commercial organisations often prefer to use a 'hard' / financial business impact assessment scale, which can be defined in ANY applicable units of currency. The additional advantage of using a financial scale for impact assessment is for Return on Investment calculations. Individual controls can be costed, and the overall reduction in potential losses provided by those controls can be directly measured against their cost of implementation. Business Impact Assistant STREAM provides an optional Business Impact Assistant. Using the BI Assistant, the user can identify the Information Asset(s) that are processed, stored or communicated within a business area. (Preparation of an Information Asset Register is a mandatory first step in any information protection initiative, and is required for ISO 27001 compliance.) The user then assesses the potential worst case impacts for each Information Asset (in terms of confidentiality, integrity and availability). The Assistant then uses this data to automatically assess the Business Impact component of each identified risk. Meaningful Threat Likelihood Assessment There is similar flexibility in configuring the Likelihood/Probability component of each identified risk. Probability can be assessed in actual terms, e.g. 50% chance of the threat occurring per annum, or using a set of defined labels, e.g. Low, Medium, High, ... In the simplest STREAM configuration, the risk-by-risk assessment can be carried out by a suitable business user or risk analyst, directly on the business dashboards / risk registers. Threat Likelihood Assistant STREAM also provides an optional Likelihood Assistant. Using the Likelihood Assistant, each defined risk can be pre-configured with its Average, Above Average and Below Average likelihoods, based on available statistical data (which can then be maintained year on year). With both the Business Impact Assistant and Threat Likelihood Assistant enabled, information security risks can be assessed (and re-assessed periodically) very quickly and easily.
  • Risk evaluation : STREAM takes into account the 3 key factors: Potential Business Impact, Likelihood and also Vulnerability, when calculating the Actual/Residual level for each risk. Risk Metrics STREAM allows a set of Key Risk Indicators (or 'Metrics') to be defined and then measured on an ongoing basis. Metrics are derived from the key controls which must be effective in order to mitigate the various information security risks. Poor metrics indicate vulnerabilities, i.e. weak, ineffective or missing controls. ISO 27001 requires an organisation to identify objective metrics for determining whether or not controls are implemented effectively. STREAM’s Metrics facility addresses this directly. Metrics can be defined for technical, physical, procedural and personnel (soft) factors. They can be updated directly in STREAM by auditors/control owners, or optionally can be pulled by STREAM directly from a range of other technical monitoring, platform management, Anti Virus, vulnerability scanning tools, or other data sources. Through its Metrics facility, STREAM enabled senior management to monitor risks to the business at a high level, taking into account a wide range of valuable data drawn for auditors and technical IT security activities. Real Time Reporting against Risk Appetite Having assessed the risks, STREAM provides extensive, graphical real-time reporting across the business hierarchy, including such views as top ten risks, residual risk summary and risk history reporting showing how the levels of residual risk have changed over time. Simple thresholds can be defined, such that Red, Amber and Green residual risks can be tracked in the system. STREAM also allows a risk appetite to be set for every individual part of the business structure, i.e. per team, if required. To reflect the way that modern day businesses operate, the risk appetite can be reviewed and adjusted in line with changes to the business. In real-time therefore, the level of risk can be tracked, either in absolute terms (e.g. potential losses per annum) or as a percentage of risk appetite. This is essential for compliance with ISO 27001. On all of its reports and dashboards, STREAM automatically aggregates all compliance and risk data up through the business model, such that suitably privileged users can view the levels of compliance and residual risk for one or more Registers, Workspaces or for the whole Enterprise.

Other phases

  • Vulnerability Assessment: As control owners or auditors assess how effectively the information security controls are deployed, STREAM automatically updates the levels of residual risk across the business hierarchy (see Risk Treatment below). Weak or missing controls are examples of one type of 'Vulnerability'. As described above, vulnerabilities resulting from weak or missing controls can be objectively monitored using defined Metrics. STREAM also enables risk analysts to record and assess further vulnerabilities in terms of particular factors about an organization that make it more (or less) vulnerable to particular types of risk. For example, large employee numbers might make an organizational more vulnerable to Information Loss. As another example, the proximity of a site to a river might make the site more vulnerable to flooding. Finally, a network connection which is a Single Point of Failure could make the organization more vulnerable to Loss of Connectivity. Such Vulnerabilities can be identified, assessed and addressed within STREAM as appropriate.
  • Asset inventory & evaluation: As described earlier, users are able to define assets that are relevant to their local business processes. More privileged users are able to define assets that support multiple business areas. This results in a central inventory of all assets, organised in terms of the business hierarchy. Information Assets are entered into a separate inventory, and are used as the basis for business impact assessments. Assets can be entered directly into STREAM through the user interface, and can also be imported easily from other data sources, e.g. Excel.

R.M. Method phases supported

  • Risk assessment: As described above, STREAM fully supports the assessment of risks. The product can be configured to support the organisation’s preferred approaches for business impact and likelihood assessment. If a more granular approach is preferred, each risk can by assessed individually. If a more automated approach is preferred, risk assessment can be carried out simply by identifying Information Assets and carrying out a high level business impact assessment for each. This approach is used widely within UK Government departments and also in commercial organisations that prefer an Information based approach to risk management.
  • Risk treatment : When risks are identified by STREAM, based on the assets that are linked to the business hierarchy (see Risk Identification, above), STREAM automatically selects the key controls and metrics that are important for each risk. These risk-relevant controls / metrics are clearly displayed on the STREAM dashboards. As the metrics are assessed (and the risks 'treated'), the residual risk levels can be determined and displayed by STREAM. Essentially, STREAM assesses the degree to which each risk is treated, taking into account the status of all the controls that contribute to addressing those risks. The mapping between controls/metrics and risks is built-into STREAM, but can be reviewed and if desired, adjusted, by a privileged STREAM user. It is through this same interface that new controls/metrics can be linked into the STREAM risk model. Each of the controls/metrics for a particular risk is configured with its relative importance. In determining how well a risk is treated, STREAM therefore places greater emphasis on the more important controls/metrics. The comprehensive risk treatment configuration also enables dependencies to be made between different controls. This is because a weakness in one control may mean that another control’s effectiveness is affected. Although hidden from the normal user, these weightings and dependencies are essential in ensuring that the risk treatment component of STREAM provides realistic results.
  • Risk acceptance : To comply with ISO 27001, senior managers need to have clear visibility of the levels of residual risk across the business. STREAM enables a Risk Appetite to be established for each distinct part of the business hierarchy. Furthermore, the manner in which these risk appetites are determined and expressed is highly flexible within STREAM, to ensure that they are realistic and meaningful to management. As risks, controls and metrics are assessed (and reviewed from time to time), the level of residual risk for each part of the business is calculated in real-time, with respect to the relevant Risk Appetite. This unique feature of STREAM provides precisely the information needed by senior management to: • Provide assurance that controls are sufficiently effective given the risk profile and Risk Appetite of the business • Ascertain which aspects of compliance with Standards needs to be improved to address unacceptable risks. Managers can then mark risks as ‘Accepted’ and record appropriate business justification for the acceptance.
  • Risk Communication: Integrated into the design of STREAM are all of the reports and dashboards needed by key business stakeholders, managers, auditors, risk analysts, control owners. Relevant information on compliance with standards, and levels of residual risk, are communicated effectively through the STREAM interface. If required, key information can also be easily exported from STREAM and processed further using Microsoft Office applications, most commonly Microsoft Excel. Access to all reports and dashboards within STREAM can be controlled precisely using the integrated User Management facility.

Other phases

  • Return on Investment: STREAM can hold within its database all of the information that it needs to determine the operational Return On Investment provided by a control or metric. This information includes: • the financial cost of operating the control on an ongoing basis (provided by the user) • the assessed effectiveness and maturity of the control • any other controls that are depended on for effective operation of the control being investigated • all of the risks that the control helps to mitigate • the level of risk reduction that the control is capable of providing against each risk, if deployed in a fully effective manner. Simply by selecting the control/metric on the ROI report within STREAM, managers are able to make important decisions regarding the risk justification for potentially expensive controls. The ability to calculate the Return On Investment of information security controls has famously eluded information security professionals for a number of years. Due to the manner in which STREAM fully integrates compliance with risk management, the ability to calculate and report on ROI in this simple way is inherent in the design of the tool.

Other functionality

  • Incident Reporting and Incident Management: STREAM provides a full ‘Event Management’ function. This allows users to record Near Misses and actual Incidents, and link these events into the business hierarchy. Events can also be impact assessed and linked to the relevant risks and controls. There is full Event reporting within STREAM including Historical Events, average impact per event, numbers of events by event type, etc.
  • User Management: All of the configuration options within STREAM are hidden from the normal user and only available to the STREAM Risk Administrator role. The use of roles within STREAM keeps the application simple for general users, and also provides the basis for the flexible user access control settings, which can be used to ensure that every user can only access those parts of the business risk and compliance data that are necessary for their role in the organization. User Management features are essential in a compliance and risk management tool deployed for even the simplest organisations. In all organisations, there are common facilities, e.g. sites, systems and services which support multiple parts of the business hierarchy. It is important that the controls which are applicable to these ‘common assets’ are only assessed once, and only by appropriate staff, such that the treatment of risks is reported accurately across the business.
  • Business Impact Assistant: As described under ‘Risk Analysis’, a configurable Business Impact Assistant allows the way in which business impacts are assessed to be fully tailored to meet the needs of the organisation.
  • Threat Likelihood Assessment: As described under ‘Risk Analysis’, a configurable Threat Likelihood Assistant allows the way in which threats are assessed to be fully tailored to meet the needs of the organisation. The Business Impact and Likelihood Assistants can work together to provide a STREAM configuration which is very simple / high level, or very granular, as appropriate to suit the level of skill of the STREAM users.
  • Control Assessment Assistant: Within STREAM, suitably privileged users can assess the controls directly on the business dashboards, i.e. on a risk by risk basis. Alternatively, ‘Control Owners’ and Auditors can be enabled to log in to the system and use a separate Control Assessment / Gap Analysis module, which presents applicable controls using the section structure of the relevant control standard(s). STREAM provides great flexibility in terms of how controls are assessed. Controls can be assessed using a simple percentage deployment slider. Alternatively, most organisations prefer to set up one or more factors that are important to consider when assessing controls, including for example: • the adequacy of the supporting documentation for the control • clarity of responsibility (particularly where controls are wholly or partially outsourced to a third party or internal service provider) • adequacy of the control’s implementation • adequacy of evidence supporting the control • assessment of overall effectiveness of the control. STREAM is pre-configured with a weighted default control assessment scheme, which takes into account the above factors. If desired, a privileged user can change these factors, the available ‘answers’ in each area, and the various weightings. This results in an approach for assessing control deployment which is optimally objective, as required for compliance with ISO 27001 and similar Standards.
  • Metrics / Key Risk Indicators: STREAM allows a set of objective ‘metrics’ to be defined and monitored/measured on an ongoing basis. Also termed Key Risk Indicators (KRIs) or Key Performance Indicators (KPIs), STREAM’s Metrics provide the often missing link between detailed, operational security data generated by a wide variety of real-time tools and the ability to interpret this data at a business risk level. Metrics are used to indicate the effectiveness of the ISO 27001 controls based on objective measurements, and are also used to indicate residual risk levels. STREAM can optionally pull Metrics data periodically from a variety of data sources, including other databases and real-time scanning tools.
  • Improvement / Action Tracking: In addition to using the Control Assessment features to assess controls, users can also raise actions where improvements are needed. Actions can be given target dates, assigned to appropriate owners and tracked centrally by senior management.
  • Control Standards development: Although many organisations start their Information Security Management System (ISMS) development using the 133 suggested controls in ISO 27001, it is often necessary to add further controls as required by the particular business processes within the scope of the ISMS. STREAM allows a suitably privileged user to maintain the control set, using the built-in editing facilities. New controls or entire control standards can also be easily imported from Excel. Also, it is possible to add more detailed controls where the ISO 27001 are regarded as too high level. In this way, control owners then need to provide more information on how their controls are deployed, in order to improve compliance and treat the risks further. STREAM provides unmatched facilities for central management of a control set. This is essential when multiple standards are used, or where the applicable standards need to evolve over time.
  • Statement of Applicability: STREAM can produce a Statement Of Applicability for any part of a business hierarchy, to support the requirements of ISO 27001 and similar Management System standards. Controls that have been identified as ‘Not-Applicable’ are automatically highlighted, together with the supporting justification.
  • Import / Export interface with Microsoft Office, e.g. Microsoft Excel : STREAM is able to exchange information with Microsoft Excel, which extends the reporting options. Various special reports are included for ISO 27001, including automatic Statement of Applicability, and Risk Treatment Plan.
  • Control Assessment Questionnaires : Questionnaires can be created from STREAM, for completion offline, and then the data imported back into STREAM automatically. This facility is ideal for obtaining control status information from third parties, internal departments and others with responsibility for delivering controls who do not have access to the online STREAM system.

Information processed

  • Control Standards: The current set of controls with which compliance is to be demonstrated.
  • Metrics / KRIs / KPIs: Objective measures of control effectiveness and residual risk.
  • Threats / Risk Types : The various causes of incidents are held within STREAM, together with their characteristics, e.g. typical likelihood statistics and impact profiles. All of this setup data can be reviewed, updated and extended at any time.
  • Asset Classes: An unlimited number of asset types can be configured into STREAM, e.g. site, system, network, third party, mobile device. Controls, threats and metrics can be made applicable to these classes. The asset classes can be updated to meet the needs of the organisation.
  • Dependencies: Dependencies between controls and metrics.
  • Business models: Representation of the organisation structure, for compliance and risk reporting purposes.
  • Assets: Business assets supporting the processing, storage and communication of information.
  • Risk Assessments: Business Impact and Likelihood assessments for Information types and for each risk.
  • Control Assessments: Assessments of the maturity and effectiveness of each control, as applicable to each relevant asset.
  • Metrics Assessments: Objective measures, typically entered as percentages (e.g. % platforms with up to date patch level)
  • Action Plans: Information on planned improvements, including scheduling and ownership.
  • Residual Risk: The real-time calculated level of residual risk for each individual risk, aggregated up through the business hierarchy and measured with respect to management defined Risk Appetites.
  • Events: Data on Near Misses and Incidents.
  • Users: Data relating to all risk owners, control owners, business owners, etc. together with their role(s) and user access privileges when using STREAM.
  • Historic Data: All of the above information types are automatically held within the STREAM database and historic time slices are saved, to enable trend reporting. It is also possible to ‘visit’ a previous time slice, for example during an audit, to explore the particular compliance and risk issues at some point in the past.

Date of the first edition, date and number of actual version

Date of first release : April 2007 - Version 1.0.0 (Note: Acuity's earlier Proof of Concept product (STORM) has been available and in use since December 2005)
Date and identification of the last version : March 2011 - Version 1.6.11

Useful links
Link for further information

Official web site :
User group web site : N/A
Relevant web site : N/A

List the available languages that the tool supports

Languages available : English, Dutch, Russian (Note: STREAM uses a language independent software architecture. Each User Interface ‘term’ is held in a Language Resource File. The O/S language is detected, and the relevant language file is selected and used. To date, we have included English, Dutch and Russian languages, but further language variants can be quickly and easily included.)

Pricing and licensing models
Specify the price for the product (as provided by the company on December 2005)

All STREAM editions provide full functionality, and all functions are integrated into the product itself.


  • Price: STREAM SU (Single User) Edition Product can be downloaded from our website Free of Charge
  • Maintenance: Optional Support Subscription is available, providing warranties, Help Desk, upgrades, and data migration. Please contact Acuity via our website at

Not Free

  • Price: STREAM Enterprise Edition: Price On Application.
  • Maintenance: Please contact Acuity for further information and to discuss your Concurrent User needs.

Sectors with free availability or discounted price : N/A

Trial before purchase
Details regarding the evaluation period of the tool

CD or download available : Free download from Acuity website
Identification required :
Trial period : Perpetual license

Tool architecture
Specify the technologies used in this tool

  • Database: SQL Server 2005, STREAM Single User Editions include SQL Server 2005 Express, which is automatically installed and configured on the user’s PC.
  • Application Server: Integrated into STREAM, STREAM Enterprise Edition can be installed on a central Microsoft Windows application server, and made available to multiple, concurrent users across an organisation’s networks or VPNs
  • Client: Integrated into STREAM, In the STREAM Enterprise Edition, a light-weight client is stored centrally in a shared folder and automatically installed on first use by authorised users.
  • Virtualisation: STREAM can be deployed via Citrix, Microsoft AppV or other Dynamic Desktop / virtualisation method.

Page top


Target public
Defines the most appropriate type of communities for this tool

  • Government, agencies
  • Large scale companies
  • SME

Specific sector : Applicable to all sectors. STREAM has been deployed in Government, Finance, Banking, Insurance, Manufacturing, Oil and Gas, Telecoms and Service sectors

Information concerning the spread of this tool

General information : World-wide in many different organizations
Used inside EU countries : N/A
Used outside EU countries : N/A

Level of detail
Specify the target kind of people for this tool based on its functionality

Management : STREAM was designed to engage senior management by providing clear visibility of essential risk and compliance information in a form that is meaningful to the business, and expressed in relation to business defined risk appetites.
Operational : Operational staff can assess controls for which they are responsible, and provide information into the system relevant to the identification, assessment and treatment of risks. - Unlike many other risk management tools, STREAM calculates residual risk levels in real-time. Changes affecting risk levels include: - effectiveness of controls - security metrics - changing views on potential business impact - threat likelihood levels - Management appetite for risk.
Technical : Technical staff can provide key information into STREAM relating to the technical infrastructure which underpins the processing, storage and communication of business information. STREAM can be interfaced with a range of technical tools which measure various aspects of security performance.

Compliance to IT Standards
List the national or international standard this tool is compliant with

  • ISO 27000 series - Licensed by BSI
  • ISO 25999 - Licensed by BSI
  • ISO 25777 - Licensed by BSI
  • ISF Standard of Good Practice (SoGP) - Licensed by the Information Security Forum (ISF). An IP licensing agreement has been signed between Acuity Risk Management and the Information Security Forum. Under the agreement, Acuity has developed a special version of STREAM, which is the first ISF Compliant Product and embeds the ISF Standard of Good Practice for Information Security along with ISF Benchmarking Questionnaires, ISF Threat / Incident List and ISF Business Impact Reference Table (BIRT). Users of STREAM are able to view, control and manage their compliance in real time against the Standard of Good Practice. Users that are ISF Members (or those that purchase the ISF Benchmark Service) are also be able to participate in the ISF Benchmark using STREAM. The potential benefits of this agreement for ISF Members using this version of STREAM include: • real-time, at-a-glance dashboards and reports to show compliance with the ISF Standard of Good Practice • simultaneous reporting of compliance against multiple standards • faster compilation and submission of ISF Benchmark Questionnaires.
  • Any other control standards can be imported into STREAM by the user, e.g. PCI DSS, COBIT, ITIL, CRAMM, ISO 9000, PRINCE, ISO 14000, Lexcel... ( Note: For some Standards, the user organisation must ensure that it has permission to process the material within a database product.)

Tool helps towards a certification
Specify whether the tool helps the company toward a certification according to a standard

  • ISO 27001, BS 25999, PCI DSS, Any Management System standard. STREAM was designed to meet all of the requirements of ISO 27001 for the establishment and operation of an Information Security Management System (ISMS) based on the Internationally recognised Plan Do Check Act (PDCA) model. The PDCA principles apply equally to other ‘Management System’ standards.

Information about possible training courses for this tool

  • Course: - Basic User Training - Basic Administrator Training - Custom Setup Training. No previous knowledge of compliance or Risk Management required.
  • Expenses: Provided free-to-download, with the product.

Page top

Users viewpoint

Skills needed
Specify the skills needed to use and maintain the solution

  • To install, use and maintain : Basic PC use only. STREAM includes simple installation instructions, and is a fully automated process.

Tool Support
Specify the kind of support the company provides for this product

Support : Telephone Help Desk: During normal UK office hours ¿ available to Gold Subscribers, Email: Available to Silver and Gold Subscribers, Partner Support: Acuity’s authorised Partners will also provide local support to STREAM users.

Organization processes integration
Describe user roles this tool supports

Supported Roles

  • N/A

Intergration in Organization activities

  • Role: STREAM Administrator - Function: Configure users, roles and user access permissions
  • Role: Risk Administrator - Function: Configure STREAM preferences and settings
  • Role: Risk Analyst - Function: Enter information on business structure, business assets and business dependencies. Carry out risk assessments (business impact and likelihood) typically based on information obtained from business manager interviews
  • Role: Business Stakeholder - Function: Access to dashboards and report (typically Read Only)
  • Role: Business Manager - Function: Access to dashboards and reports, with permission to review and update risk assessments (business impact and likelihood) and business area specific control assessments
  • Role: Control Owner / Auditor - Function: Carry out control assessments for designated sets of controls within the control standard(s)
  • Role: Event User - Function: Record and assess Near Misses and actual Incidents, for designated parts of the business hierarchy

Interoperability with other tools
Specify available interfaces or other ways of integration with other tools


  • Active Directory : Windows profile determine privileges to install STREAM client (on first use)
  • Open Database Connection (ODBC) : For integration with Microsoft Excel and other Microsoft Office applications
  • Terminal Services / Remote Desktop : STREAM can be installed on a central Windows Server and supports concurrent user access using Terminal Services Clients

Sector adapted knowledge databases supported
Name and describe the sector adapted databases that this tool provides

  • Any available control set or risk list can be incorporated into the STREAM database by a Risk Administrator user. Acuity also provides STREAM consultancy and STREAM profile development services, as required.

Flexibility of tool's database
Can the database be customized and adapted to client requirements?

  • SQL Server 2005 STREAM Database: All aspects of STREAM are fully configurable, through simple to use administration menus within the application interface. STREAM supports a multi-lingual interface design. Please check with Acuity whether your preferred language is already supported. It is straightforward for us to include additional language sets. Although a range of reports is available within STREAM’s user interface, data can be easily exported from the STREAM database and processed further in Microsoft Excel (for example), to provide for customised output needs.

We use cookies to ensure we give you the best browsing experience on our website. Find out more on how we use cookies and how you can change your settings.

Ok, I understand No, tell me more