Welcome to amara

This help center guides you through everything amara can do -- whether you're logging in for the first time or fine-tuning your compliance program.

What is amara?

amara stands for Asset Management And Risk Assessment. It's an enterprise GRC (Governance, Risk & Compliance) platform that runs on your own infrastructure. The built-in AI assistant, Ask amara, lets you query your compliance data in plain English -- and your data never leaves your network.

Where should I start?

That depends on your role:

The journey from data to intelligence

amara works in three stages. Each builds on the last:

amara at a glance: core modules, tech stack, and deployment options

What does amara replace?

amara vs OneTrust, Vanta, ServiceNow: on-premise, local AI, NIS2-native at a fraction of cost

Explore the modules

Think of amara's modules like different tools for different jobs. You wouldn't use a hammer to check your smoke alarm -- and you wouldn't use your risk register to manage supplier contracts. Here's what each module does in plain English:

How Modules Connect

This is what makes amara different from a collection of separate tools: everything lives in one database. When you register an asset, it automatically becomes available in risk assessments, supplier links, compliance checks, and AI queries. Here's how the modules build on each other.

Why does this matter to you?

Here's the problem with most GRC tools: they're collections of separate apps stitched together. Your asset list lives in one place, your risk register in another, your compliance scores in a third. When you update an asset's criticality, nothing else changes. You end up copy-pasting data between spreadsheets, manually checking that everything matches, and hoping nothing falls out of sync.

Think of it like a hospital where the X-ray department, the blood lab, and the pharmacy all use separate systems that don't talk to each other. Every time you visit a new specialist, you fill out the same forms again. That's what most GRC platforms feel like.

amara works differently. All 13 modules share one database (48 tables, 89 relationships). When you register a server and score it as "critical," that information automatically flows into risk scoring (higher impact), supplier mapping (which vendors touch this critical server?), compliance assessments (which ISO controls apply?), and AI queries ("tell me about our critical assets"). You enter the data once, and it works everywhere.

The practical benefit? Less duplicate work, fewer errors, and a complete picture instead of fragments. When your auditor asks "which critical assets have unresolved risks from unapproved suppliers?" -- that's a question that crosses three modules. In amara, Ask amara answers it in seconds. In a siloed tool, you'd spend hours cross-referencing spreadsheets.

PostgreSQL core: 48 tables, 89 cross-module links, 8 connected modules with cross-module data sharing

The Data Flow

Key data flows

The shared evidence principle

One assessment effort covers ISO 27001, NIS2, DORA, BSI C5 simultaneously

Recommended build order

1. Admin setup (org settings, users, RBAC)
2. Asset inventory (register, CIA classify)
3. Rapid Assessment (baseline posture)
4. Supplier register (vendor onboarding)
5. Risk register (link to assets)
6. ISO 27001 / NIS2 assessment
7. Document generation (policies)
8. ISP skeleton (49 files)
9. Training assignment
10. Reporting & evidence packages

Platform at a Glance

This page gives you the bird's-eye view -- what amara includes, how it's built, and what makes it different from the dozens of GRC tools you've probably already looked at.

The short version

amara is a GRC platform with 13 integrated modules that all share one database. You register your assets, score your risks, run compliance assessments, generate policy documents, train your team, and manage your suppliers -- all in one place. The built-in AI lets you query everything in natural language. The entire platform runs on your infrastructure (or in German data centres), so your compliance data never leaves your control.

It was built by GRC domain experts with 20+ years of consulting experience. That deep domain expertise is baked into every module, template, and workflow.

What Makes amara Different

Pillar 1: A Unified GRC Hub

48 tables, 89 relationships between them, single PostgreSQL database. No data silos, no ETL, no sync issues. Every module reads and writes to the same source of truth.

Pillar 2: Your Private AI Co-Pilot

33 database functions for exact answers. Semantic search with vector embeddings for document retrieval. Local LLM inference -- data never leaves your infrastructure.

Pillar 3: German-Engineered Data Sovereignty

Hosted in certified German data centres. GDPR-compliant by architecture. BSI C5 compatible. Full air-gap deployment supported.

First-year savings of EUR 59,000-124,000 compared to traditional GRC platforms

What Comes Ready on Day One

Pricing and Modularity

Managed SaaS from EUR 1,500/mo, On-Premise from EUR 600/mo, custom Appliance pricing

Data Flow Explained

Most GRC tools keep data in silos -- your asset list doesn't talk to your risk register, your compliance scores don't feed your reports. In amara, every piece of data you enter flows forward and enriches everything downstream. This page explains how.

Why does data flow matter?

Imagine you're building a house. The architect draws blueprints, the electrician runs wiring, the plumber lays pipes, and the inspector checks everything at the end. If those four people work in isolation -- never sharing plans -- the electrician drills through a water pipe, the plumber blocks a doorway, and the inspector finds problems that should have been caught months earlier.

That's exactly what happens when your GRC data lives in separate tools. You register an asset in one spreadsheet, score risks in another, track compliance in a third, and manage suppliers in a fourth. When someone asks "which of our critical assets have the highest risks from suppliers who are overdue for review?" -- you spend a day cross-referencing four documents and still aren't sure you caught everything.

Data flow is the answer. In amara, when you register a server and rate its confidentiality as "Critical (4)," that score doesn't just sit in the asset register. It flows forward: the risk module picks it up as the default impact score when you create a risk for that server. The compliance module knows which ISO controls apply based on the asset type. The supplier module shows which vendors touch that critical server. And Ask amara can answer questions that span all of these connections instantly.

The result: you enter data once, and it enriches everything else automatically. No copy-pasting, no manual cross-referencing, no stale data in forgotten spreadsheets. This page shows you exactly how that flow works, stage by stage.

Asset management feeds CIA assessment and assessments hub; both feed risk management with inherited scores

The Three Stages of Intelligence

Stage 1: Foundational Intelligence

Assets and suppliers form the base layer. You need to know what you're protecting and who has access before anything else makes sense.

Stage 2: Contextual Intelligence

Risks, compliance assessments, and CIA scores add context. The system knows not just what you have, but how important it is and what threatens it.

Stage 3: Amplified Intelligence

Ask amara, reporting, and evidence packages combine everything into actionable output -- answers to auditor questions, board reports, and remediation roadmaps.

Primary Data Flows

Asset → CIA → Criticality

Protection Class = MAX(Confidentiality, Integrity, Availability). A server scored C:3, I:4, A:2 gets Protection Class = Critical (4).

Asset → Risk (Impact Score)

When you create a risk linked to an asset, the impact field is pre-populated from the asset's CIA-derived criticality.

Supplier → Asset (Approval Gate)

Only Phase 3-approved suppliers can be linked to assets. This is enforced at the database level.

NIS2 Assessment → Compliance Score

Your NIS2 compliance percentage is a live-calculated view across all 40 Article 21 questions.

ISO 27001 → SoA

The Statement of Applicability is auto-generated from your ISO 27001 assessment scores.

Training → Compliance Evidence

Each completed course generates a SHA-256 signed certificate that feeds NIS2 Art. 20 and ISO 27001 Control 6.3 evidence.

Technical Architecture

For technical teams who want to understand what's under the hood. amara runs as a set of Docker containers on your infrastructure -- a Flask backend, PostgreSQL database, local AI model, vector store, and nginx reverse proxy. Nothing phones home. This page covers the full stack, security layers, and resource requirements.

Full architecture: MCP integrations (Azure, Jira, Confluence, Kali) → amara GRC → Ask amara Pro → Local LLM inference → MCP server outbound

Stack Overview

8-Layer Security Architecture

8 security layers: Network firewall → HTTPS/TLS → mTLS gateway → Host hardening → Docker isolation → RBAC → Data layer

Three-Factor Authentication

Factor 1: mTLS certificate (FIPS 140-3 hardware token) + Factor 2: Password (PBKDF2) + Factor 3: TOTP/MFA

AI Architecture

5-stage pipeline: Compliance Gate → Smart Router → Privacy Shield → LLM Inference → Audit Log

Resource Requirements

Deployment Options

amara runs wherever you need it: a mini server under your desk, a rack in your data centre, a cloud VM, or a fully air-gapped appliance with zero internet. Same codebase, same features, same security -- the only difference is where it sits.

Managed SaaS (EUR 1,500/mo) | On-Premise (EUR 600/mo) | Appliance (custom) -- same codebase, all features

Deployment Profiles

Docker Compose Architecture

5 containers: nginx (reverse proxy) → flask-app (11 modules) → postgresql + chromadb + local LLM

Five services in the compose stack:

• amara-app -- Flask application, 11 modules, RBAC
• amara-db -- PostgreSQL 16, JSONB, audit trail
• amara-nginx -- Reverse proxy, TLS 1.3, mTLS
• amara-ai -- Local LLM inference
• amara-chromadb -- Vector store, RAG embeddings

Network Requirements

Outbound only during initial setup (Docker Hub, Hugging Face model download). After setup, amara operates fully offline.

TLS / HTTPS Configuration

TLS 1.3 only. Self-signed certificates via step-ca or bring your own. mTLS optional via FIPS 140-3 hardware tokens.

Backup Strategy

Daily automated backups at 03:00. pg_dump with AES-256 GPG encryption. 750+ snapshots retained. Point-in-time recovery supported.

Quick Start -- 5 Steps to First Value

New to amara? This guide walks you through your first session -- from login to your first AI query. You'll have real data in the system within 30 minutes.

Monday Deploy → Tuesday Configure → Wed-Thu Populate → Friday Go-Live

Your First Login

Here's what you'll see when you log in for the first time, and how to find your way around. amara has a dark-themed interface -- everything is designed so you can find what you need without clicking through endless menus.

The Dashboard Layout

The interface has three main areas:

Left Sidebar -- your command centre

The sidebar is divided into three sections:

• Main Modules (top) -- Asset Management, Assessments, Risk Management, NIS2 Compliance, Supplier Management, Training. Click any to open that module.
• Quick Access (middle) -- Shortcuts to create new items directly: New Asset, New CIA Assessment, New ISO 27001 Assessment, New Rapid Assessment, New NIS2 Assessment, New Risk Assessment, New Supplier. These save clicks when you know what you want to do.
• Resources (bottom) -- Admin Panel, ISP, Ask amara, Document Dialog.

The sidebar collapses to a narrow icon strip if you need more screen space.

Top Bar

The amara logo on the left, a search icon, a language toggle (EN | DE) to switch the interface between English and German, and your user profile on the right.

Main Content Area

The dashboard shows six feature cards in a 3x2 grid -- one for each core module (Asset Management, Assessments, Risk Management, NIS2 Compliance, Supplier Management, Training). Each card has a description and a "+ Module" button. Below, two charts: Module Usage (donut) and Task Completion (line chart tracking progress over time).

Navigation tips

amara is a single-page application -- pages load without full refreshes. A breadcrumb trail at the top (e.g., "Home / Asset Management / Hardware Assets") shows where you are and lets you navigate back. Use the sidebar for module-level navigation, Quick Access for creating new items, and breadcrumbs for going up within a module.

Organisation Setup

Before you do anything else in amara, fill in your organisation details. This isn't just a formality -- these settings power the NIS2 relevance checker, populate your policy documents, and give Ask amara the context it needs to answer company-specific questions.

Required Fields (Do These First)

After Setup: What Changes

• NIS2 Relevance Engine runs automatically -- tells you if your organisation is in scope
• 44 document templates populate with your company data (name, sector, contacts)
• Ask amara becomes company-specific in its answers

Users & 14 RBAC Roles

Not everyone in your organisation needs access to everything. A compliance officer doesn't need to manage backups, and a regular employee doesn't need to see the risk register. amara uses 14 roles to control who can see and do what -- and you can stack multiple roles on a single user.

14 boolean role columns: from Super Admin to Standard User, each mapped to typical job titles

Creating a user account

Required fields: email, full name, department, role assignments (check the relevant boolean flags), and language preference.

The 14 RBAC roles

Deactivating a user

Never delete users -- deactivate them instead. Reassign all ownerships (assets, risks, suppliers) before deactivation. The audit trail preserves all actions by deactivated users.

1-Week Go-Live Plan

Most GRC implementations take months. amara is designed to get you from "we just installed this" to "we have a working ISMS" in 5 business days. Here's the day-by-day plan that's been tested and refined.

Day-by-day onboarding: Deploy → Configure → Populate → Assess → Go Live

Extended 12-week roadmap: Foundation (1-3) → Compliance (4-8) → Remediate (5-10) → Certify (11-12)

Asset Management -- Overview

You can't protect what you don't know you have. Asset Management is where your GRC journey starts -- register every server, application, database, and service your organisation depends on, then classify how critical each one is.

What you'll see

When you click Asset Management in the left sidebar, you'll land on a dashboard with six category cards arranged in a grid: Hardware Assets, Software Assets, Data Assets, Services, Facilities, and View All Assets. Each card has a brief description and a button to view that category. In the top-right corner, you'll see two buttons: "View All Assets" (shows everything in a sortable table) and "+ Add New Asset" (opens the registration form).

Below the cards, two charts give you instant visibility: an Asset Distribution donut chart (breakdown by category) and an Asset Health Status bar chart. Click into any category to see a filterable, sortable table with columns for name, category, owner, criticality level (colour-coded badge), and status.

Why do I need Asset Management?

Think of Asset Management like a home inventory. If your house burned down, could you list everything you owned for the insurance company? Most people can't. It's the same with IT: most organisations can't tell you exactly what hardware, software, and data they have, who's responsible for it, or how critical it is.

That's a problem because:

• You can't protect what you don't know you have. 73% of data breaches involve assets organisations didn't know were critical.
• Auditors will ask. Both ISO 27001 and NIS2 require a documented asset inventory.
• Risk assessments need it. You can't score the impact of losing a server if you don't know the server exists.

How to register your first asset

Let's walk through registering a real asset -- say your production database server:

4-step workflow: Register → CIA Classify → Link (risks, suppliers, ISO) → Review

The 5 asset categories

Asset status lifecycle

How Asset Management connects to other modules

Assets aren't isolated records -- they're the foundation that makes everything else in amara smarter:

• Assets → Risk Management: When you create a risk and link it to an asset, the risk's Impact score is pre-populated from the asset's CIA criticality. A critical asset automatically means a high-impact risk. You don't have to guess.
• Assets → Supplier Management: You can link suppliers to the assets they support. This creates a bidirectional map: "which vendors touch this server?" and "which assets depend on this vendor?" Only approved suppliers (Phase 3) can be linked.
• Assets → Compliance: ISO 27001 Annex A controls are auto-mapped based on asset categories. Your assessment scope is derived from your asset inventory. No inventory = no meaningful assessment.
• Assets → Ask amara: 5 dedicated AI functions let you query assets in plain language: "How many critical assets do we have?", "Show me assets without an owner", "Which assets have no risk assessment?"
• Assets → Reporting: Asset data feeds into executive dashboards, distribution charts, and audit evidence packages.

Registering an Asset

Here's how to add an asset to amara, step by step. The form has 23 fields but most are optional -- you can start with just a name, category, and owner, then fill in details later.

Four phases: Discover (manual/CSV/Azure) → Classify (CIA, owner) → Protect (risks, controls) → Review (annual recertification)

How to create an asset

CIA Classification

Not every asset is equally important. Your public website and your customer database need very different levels of protection. CIA classification helps you figure out which is which -- so you're not wasting resources protecting low-value assets while leaving critical ones exposed.

What is CIA?

CIA stands for three questions you ask about every asset:

• Confidentiality -- "What happens if unauthorised people see this?" A public marketing page? No big deal. Patient medical records? Catastrophic.
• Integrity -- "What happens if someone changes this data without permission?" A draft blog post? Minor. Financial transaction records? You could go to prison.
• Availability -- "What happens if this goes offline?" An archive nobody accesses? Fine. Your payment processing system? Every minute costs money.

You score each dimension from 1 (low) to 4 (critical). The highest score becomes the asset's Protection Class -- this drives which security controls apply, what risk impact score it inherits, and how much attention it deserves.

4-phase approval: Data Entry → Asset Owner Review → Cyber Security Review → Risk Owner Approval (42 fields total)

The CIA triad

Scoring guide

Protection class calculation

Protection Class = MAX(Confidentiality, Integrity, Availability)

Asset Lifecycle

An asset isn't a "set it and forget it" record. It moves through a lifecycle: you discover it, classify how critical it is, link it to risks and controls, and review it annually. amara tracks each phase so nothing gets stale.

Discover → Classify (CIA + owner) → Protect (risks, controls, ISO) → Review (annual recertification)

The four lifecycle phases

Think of the asset lifecycle like onboarding a new employee. First you discover they exist (someone sends a CV). Then you classify their role and skills (interviews, assessments). Then you protect the relationship (contracts, access cards, training). And every year you review whether things are still working (performance review). Assets follow the same pattern.

Phase 1: Discover -- "What do we actually have?"

This is where most organisations get their first surprise. You start registering assets and realise there are servers nobody knew about, SaaS tools someone signed up for with a credit card, or legacy systems that "someone" manages. The discovery phase is about getting everything into one place. You can register assets manually, bulk-import from a CSV (great if you already have an Excel list), or sync from Azure via MCP integration.

At this stage, it's fine if the records are incomplete. A name, a category, and an initial owner are enough to start. You'll fill in the details in the next phase.

Phase 2: Classify -- "How critical is it?"

Now you add depth. The asset owner completes the CIA scoring (Confidentiality, Integrity, Availability -- each scored 1-4). This goes through a 4-phase approval: the person entering data, the asset owner reviewing it, the security team validating it, and the risk owner signing off. That might sound like a lot of steps, but it prevents one person from under-classifying a critical asset. A 42-field CIA form captures everything an auditor would ask about.

Phase 3: Protect -- "What are we doing about it?"

Here's where the asset starts earning its keep. You link risks to it (the impact score auto-populates from the CIA classification). You map suppliers to it (which vendors support this asset?). amara auto-maps relevant ISO 27001 Annex A controls based on the asset category -- a database server gets different controls than a physical facility. If you're running vulnerability scans with Kali, the asset's network details define the scan scope.

Phase 4: Review -- "Is everything still current?"

Assets aren't static. Servers get upgraded, owners change jobs, vendors go bankrupt, and what was "low criticality" last year might be "critical" today because you started storing customer data on it. The annual review is your chance to catch these changes. amara sends automatic reminders 60 days and 30 days before the review is due. If the asset is no longer needed, you decommission it (unlink risks, unlink suppliers, change status to Retired).

Annual asset review workflow

Import & Export

Already have an asset list in a spreadsheet? Good -- you don't need to re-type everything. amara supports CSV import so you can bulk-load your existing inventory. And when auditors or management need data out of amara, you can export anything as PDF, CSV, or JSON.

How to import assets from a spreadsheet

Required CSV Columns

Exporting Data

Asset Module -- Module Connections

Assets aren't isolated records -- they're the glue that connects your entire GRC program. When you register an asset, it becomes instantly queryable by the risk module, supplier module, compliance assessments, and AI. Here's exactly what connects to what.

Assets feed into CIA assessment and compliance assessments; both feed risk management with inherited impact scores

Risk Management -- Overview

This is where you turn "we should probably worry about that" into a measurable, tracked, and auditable risk item. Every risk gets a score, an owner, a treatment plan, and a deadline -- and you can prove it all to an auditor.

What you'll see

When you click Risk Management in the sidebar, you'll see a dashboard with seven workflow cards: Process Guide, Risk Identification, Risk Assessment, Risk Treatment, Risk Acceptance, Risk Register, and Risk Monitoring. Each card represents a step in the risk lifecycle -- click any to dive in. In the top-right corner, "+ New Risk Assessment" lets you create a new risk immediately.

Below the cards, two charts give you a real-time overview: Risk Distribution by Category (donut chart showing the split between Cyber, Operational, Strategic, Reputational, Legal) and Top Risk Areas (horizontal bar chart ranking your biggest risk areas). The sidebar also expands with sub-items: Process Guide, Risk Identification, Risk Assessment, Risk Treatment, Risk Acceptance, Risk Register, and Risk Monitoring -- so you can navigate directly to any workflow step.

The Risk Register view shows all your risks in a sortable table with columns for title, category, score (1-16), treatment status, and owner. The 4x4 Risk Heatmap (visible in Process Guide and reports) plots every risk by Likelihood x Impact -- red squares in the top-right corner mean critical risks needing immediate escalation.

Why do I need Risk Management?

Think of risk management like car insurance -- except instead of just paying for damage after it happens, you're actively preventing the accidents too. Every business faces threats: hackers, hardware failures, employee mistakes, supplier incidents. The question isn't if something will go wrong, it's when -- and whether you'll be ready.

Risk management helps you:

• Spot problems before they cost money. A ransomware attack costs an average of EUR 1.3M. Finding the unpatched server before the attacker does? That costs nothing.
• Make smart budget decisions. Should you spend EUR 50K on a new firewall or EUR 10K on staff training? Your risk register tells you which one reduces more risk.
• Prove you did your homework. If a breach happens, regulators and courts look at whether you had reasonable security measures. A documented risk register is your evidence.

How to create your first risk

Let's create a real risk -- say you've discovered an unpatched server:

4-step lifecycle: Report (anyone) → Analyse (security team) → Decide (risk owner) → Track (ongoing)

The 5 risk categories

The 3-phase risk workflow

How Risk Management connects to other modules

Risks don't exist in a vacuum -- they're woven into every other part of amara:

• Assets → Risks: Every risk can be linked to specific assets. The asset's CIA criticality auto-populates the risk's Impact score. When you mitigate a risk, the linked asset's risk profile improves.
• Risks → Compliance: Gaps found in ISO 27001, NIS2, or Rapid Assessments can automatically generate risk items. One risk assessment satisfies ISO 27001 Clause 6.1, NIS2 Art. 21, DORA Art. 6, and BSI C5 simultaneously.
• Risks → Suppliers: Supplier-related risks (vendor lock-in, data breach via third party) link to the supplier record. When you review a supplier, their linked risks are visible.
• Risks → Reporting: The risk heatmap, treatment burndown, and executive risk summary are all generated from live risk data. One click for a board-ready PDF.
• Risks → Ask amara: 7 dedicated functions: "What are our top 10 risks?", "Any overdue treatments?", "Show risk trend for the last 6 months"

Creating a Risk

Anyone in your organisation can report a risk -- you don't need special permissions or technical knowledge. Just describe what you're worried about, and the security team takes it from there. Here's how the process works from start to finish.

Step 1: Submit a risk (any user)

Step 2: Score the risk (Risk Manager)

The Risk Manager (or security team) takes the submitted risk and scores it. This is where gut feeling becomes a measurable number.

Setting the Likelihood (1-4)

Ask yourself: "How often could this realistically happen?"

• 1 -- Rare: Once in 10+ years. A meteor hitting your data centre. It's theoretically possible but you wouldn't bet on it.
• 2 -- Unlikely: Could happen within a few years. A major vendor going bankrupt. It happens to others, but hasn't happened to you.
• 3 -- Likely: Expected within the next year. An employee clicking a phishing link. Statistically, it's going to happen.
• 4 -- Almost Certain: Could happen any day. An unpatched server with a known exploit being targeted. The question is when, not if.

Setting the Impact (1-4)

If a risk is linked to an asset, the impact field is pre-populated from the asset's CIA criticality. This is a smart default -- a critical asset automatically means a high-impact risk. You can override it, but think carefully before lowering it.

If there's no linked asset, ask: "If this risk materialises, what's the worst realistic outcome?"

• 1 -- Minor: Small inconvenience. A test server goes down for an hour. Cost under EUR 1,000.
• 2 -- Moderate: Noticeable disruption. Email outage for half a day. Cost EUR 1,000-10,000.
• 3 -- Major: Significant damage. Customer data exposed, regulatory attention. Cost EUR 10,000-100,000.
• 4 -- Catastrophic: Business-threatening. Major data breach, front-page news, massive fines. Cost EUR 100,000+.

Risk Score = Likelihood x Impact. The result (1-16) lands on the heatmap and determines the urgency of treatment. See 4x4 Heatmap Scoring for the full matrix.

Choosing a treatment strategy

For every risk, pick one of four strategies:

• Mitigate (~65% of risks) -- reduce the likelihood or impact. "We'll patch the server within 72 hours."
• Transfer (~15%) -- shift the risk to someone else. "We'll buy cyber insurance for this scenario."
• Avoid (~10%) -- remove the risk source entirely. "We'll decommission the legacy system."
• Accept (~10%) -- acknowledge and monitor. "The cost of fixing this exceeds the potential loss." Requires explicit approval for High/Critical risks.

Then assign a treatment owner (who's responsible for executing) and a deadline. amara will send automatic alerts at 14, 7, and 1 day before the deadline.

Step 3: Approve (Risk Owner / CISO)

The Risk Owner or CISO is the final checkpoint before a risk enters the active register. Here's what they review and sign off on:

• Verify the score is reasonable. Is Likelihood: 3 justified? Is the impact consistent with the linked asset's CIA rating? If the score seems inflated or deflated, the approver can send it back with comments.
• Confirm the treatment strategy makes sense. Mitigating a risk that costs EUR 200 to fix by buying EUR 10,000 in insurance doesn't add up. The approver checks that the response is proportional.
• Set budget and resources. The approver allocates budget for the treatment (e.g., EUR 5,000 for a new firewall rule) and confirms the treatment owner has the capacity to execute.
• Approve the deadline. Is 90 days realistic for this treatment? Or does the risk score demand faster action?

Once approved, the risk is fully active: it appears on the heatmap, the treatment owner gets notified, deadline alerts are scheduled, and it becomes visible in reports and AI queries.

4x4 Risk Heatmap Scoring

Every risk in amara gets a score from 1 to 16. The idea is simple: how likely is this to happen, and how bad would it be if it did? Multiply those two numbers and you get a score that tells you exactly how much attention this risk deserves.

How risk scoring works

For each risk, you answer two questions:

• Likelihood (1-4): How probable is this? 1 = Rare (might happen once in 10 years), 2 = Unlikely (could happen within a few years), 3 = Likely (expected within the next year), 4 = Almost Certain (could happen any day).
• Impact (1-4): If it happens, how bad? 1 = Minor (minor inconvenience, easily recovered), 2 = Moderate (some disruption, manageable cost), 3 = Major (significant damage, regulatory attention), 4 = Catastrophic (business-threatening, data breach, massive fines).

Risk Score = Likelihood x Impact. A "Likely" (3) risk with "Major" (3) impact scores 9 (Medium). An "Almost Certain" (4) risk with "Catastrophic" (4) impact scores 16 (Critical -- drop everything and deal with this now).

When you link a risk to an asset, the Impact score is pre-populated from the asset's CIA criticality. A critical asset (CIA = 4) automatically starts with Impact = 4, because losing a critical asset is by definition catastrophic. You can override this, but it's a smart default.

4x4 likelihood vs impact matrix: scores 1-16 colour-coded Low / Medium / High / Critical

Severity scale: Low (1-4) | Medium (5-9) | High (10-15) | Critical (16)

The risk matrix

Score interpretation

Residual risk

Residual = Inherent - Treatment Effect. After applying controls, re-score the risk. The delta between inherent and residual demonstrates your risk reduction.

Treatment Plans

Identifying a risk is only half the job. The other half is deciding what to do about it and then actually following through. amara tracks four treatment strategies -- mitigate, transfer, avoid, or accept -- from the moment you make the decision through to final verification.

The 4 ways to handle a risk

For every risk, you have exactly four options. There's no fifth -- every risk management framework in the world uses these same four strategies:

• Mitigate -- Reduce the likelihood or impact. This is what you do most of the time (~65% of risks). Example: patch the server, add MFA, encrypt the database, train the staff.
• Transfer -- Shift the risk to someone else (~15%). Example: buy cyber insurance, outsource hosting to a provider with better security, use a managed security service.
• Avoid -- Remove the risk entirely (~10%). Example: stop using the risky software, decommission the legacy system, exit a market where the regulatory risk is too high.
• Accept -- Acknowledge the risk and live with it (~10%). Example: the cost of mitigation exceeds the potential loss, or the risk is so unlikely it's not worth acting on. Important: accepted risks with High or Critical scores need explicit board-level approval -- you can't quietly accept a major risk.

The key insight: "do nothing" is not an option. Every risk must have a documented treatment decision with an owner and a deadline. This is what auditors check.

The 4 treatment strategies in detail

Treatment lifecycle

Deadline alerting

Automatic alerts at 14 days, 7 days, 1 day, and on deadline. Overdue treatments are flagged in red on dashboards and reports.

Risk Module Connections

Risks don't exist in isolation -- they're connected to assets, suppliers, compliance frameworks, and reports. This page shows you exactly how the risk module talks to everything else in amara, so you understand why filling in one module makes every other module smarter.

One risk simultaneously satisfies ISO 27001, NIS2, DORA, and BSI C5 requirements

What Feeds Into Risks

From Asset Manager (Impact Score)

When you link a risk to an asset, the impact field is pre-populated from the asset's CIA-derived protection class.

From CIA Assessment (Derived Criticality)

The 42-field CIA assessment provides granular criticality that flows into risk impact scoring.

From NIS2 / ISO 27001 Assessments

Compliance gaps are automatically flagged as potential risk items for the risk register.

What Risk Data Feeds Into

Into Reporting

Risk heatmap, treatment burndown, executive summary -- all auto-generated from live data.

Into Evidence Packages

Risk register with treatment status is a mandatory component of ISO 27001 and NIS2 audit packages.

Into Ask amara

7 dedicated risk functions: count risks, list by category, score distribution, overdue treatments, highest risks, risk trends, risk-asset mapping.

Compliance -- Overview

If your organisation needs to comply with NIS2, ISO 27001, BSI C5, or all three -- this is where you manage it. The key insight: one assessment in amara creates evidence that satisfies multiple frameworks simultaneously. No duplicate work.

Why do I need compliance management?

Think of compliance like building codes for cybersecurity. Just as buildings must meet safety standards to protect the people inside, businesses that handle sensitive data or provide essential services must meet cybersecurity standards. The difference? Building code violations get you a fine. Cybersecurity violations under NIS2 can cost you EUR 10 million.

But compliance isn't just about avoiding fines. It's about:

• Winning contracts. More and more clients require ISO 27001 or NIS2 compliance before they'll work with you.
• Actually being more secure. The frameworks exist because they work. Following them means fewer incidents.
• Having proof. When something goes wrong (and it will), documented compliance shows you did your due diligence.

The 5 assessment types -- and why you'd run each one

amara has 5 different assessments. That might sound like a lot, but each serves a very different purpose. Think of it like medical checkups: a quick blood pressure reading, a full physical, an eye exam, and a specialist visit are all "checkups" -- but you wouldn't use one to replace the other.

1. Rapid Assessment -- "How secure are we, overall?"

Your general health check. 16 questions, ~60 minutes, covering 10 security domains. You answer Yes / Partial / No and get a colour-coded heatmap showing where you're strong and where you have gaps. Run this first if you've never done a security assessment. It gives you a baseline and tells you where to focus.

2. ISO 27001 Assessment -- "Are we ready for certification?"

Your full physical exam. Go through all 93 security controls and score each on a maturity scale (0 = nothing in place, 5 = optimised). When you're done, amara auto-generates the Statement of Applicability (SoA) -- the first document every auditor asks for. Run this when you're pursuing ISO 27001 certification or clients require it.

3. NIS2 Assessment -- "Does EU cybersecurity law apply to us?"

A two-part specialist exam. Part 1: the Relevance Checker uses your org details to determine if NIS2 applies -- takes 5 minutes. Part 2: 40 questions across 10 mandatory Article 21 security domains. Your compliance score updates live as you answer. Run this if you might be affected by NIS2 (28,000+ German orgs are).

4. BSI C5 Assessment -- "Does our cloud meet German standards?"

A specialist exam for cloud providers. 17 criteria groups covering physical security to portability. If you provide cloud services to German customers -- especially government or enterprise -- C5 attestation is increasingly expected. Run this if you're a cloud provider in Germany.

5. CIA Assessment -- "How critical is this specific asset?"

This one's different. The first four assess your organisation. CIA assesses a single asset. For each asset, score three dimensions: Confidentiality (what if someone sees this?), Integrity (what if someone changes it?), Availability (what if it goes offline?). Scores 1-4, highest becomes the Protection Class. Has a 4-phase approval workflow (data entry, asset owner, security team, risk owner) so no one person can under-classify something.

How they work together

These assessments are layers, not alternatives. A typical journey:

1. Rapid Assessment -- overall baseline (Day 1)
2. CIA Assessments -- classify your individual assets (Week 1)
3. NIS2 Relevance Check -- does EU law apply? (Day 1, 5 minutes)
4. ISO 27001 or NIS2 Full Assessment -- framework-specific compliance (Weeks 2-4)
5. BSI C5 -- if you're a cloud provider (Weeks 3-6)

The beautiful part: evidence from one assessment automatically feeds the others. A risk assessment done for ISO 27001 also satisfies NIS2 Article 21, DORA Article 6, and BSI C5 Domain 2. No duplicate work.

Quick decision guide

How assessments work in amara

All assessments follow the same pattern:

NIS2 (up to EUR 10M fines, 28K+ DE orgs) | ISO 27001 (93 controls) | DSGVO/GDPR (up to EUR 20M) | DORA (EU finance)

The four frameworks

The shared evidence model

Without amara: 4 separate efforts. With amara: 1 assessment satisfies all frameworks simultaneously

The 5 Assessment Types

amara includes 5 different types of security assessments. Each one answers a different question about your organisation's security. This page explains what they are, when to use them, and how they work together.

Why do I need assessments?

Think of security assessments like medical checkups. You wouldn't skip your annual physical just because you "feel fine" -- and you wouldn't expect a blood pressure reading to catch a broken bone. Different assessments test different things, and together they give you a complete picture of your security health.

Without assessments, you're guessing. With them, you have measurable scores, documented evidence, and prioritised action plans. When an auditor asks "how secure are you?", you can answer with numbers instead of opinions.

The 5 types at a glance

Understanding the difference

The first thing to understand: assessments 1, 3, 4, and 5 evaluate your organisation. Assessment 2 (CIA) evaluates a single asset. They're fundamentally different tools.

Rapid Assessment -- your general health check

This is where everyone should start. You answer 16 yes/partial/no questions across 10 security domains (access control, data protection, incident response, etc.). In about 60 minutes, you get a colour-coded heatmap showing exactly where you're strong and where you have gaps. Think of it as a blood pressure reading for your security -- quick, gives you a baseline, and tells you if something needs deeper investigation.

Run this: On your first day with amara. Then quarterly to track improvement.

CIA Classification -- how critical is each asset?

For every asset you register (a server, a database, a SaaS application), you need to answer three questions: What if someone sees it who shouldn't? (Confidentiality) What if someone changes it without permission? (Integrity) What if it goes offline? (Availability). Each gets a score from 1-4. The highest score becomes the asset's Protection Class, which drives what security controls apply and what risk impact it inherits.

This assessment has a 4-phase approval workflow -- the submitter, asset owner, security team, and risk owner all sign off. No single person can under-classify a critical asset.

Run this: Every time you register a new asset. Review annually.

ISO 27001 -- the international gold standard

ISO 27001 defines 93 specific security controls that auditors check you against. You score each control from 0 (nothing in place) to 5 (optimised/best practice). When you're done, amara auto-generates the Statement of Applicability (SoA) -- the first document every ISO auditor asks for. Think of this as a full physical exam -- thorough, takes time, but gives you a complete picture and a certification that opens doors.

Run this: When pursuing ISO 27001 certification or when clients require it.

NIS2 -- the EU cybersecurity directive

NIS2 is a two-part assessment. Part 1 is the Relevance Checker: it uses your organisation's sector, size, and revenue to determine if the EU NIS2 directive applies to you (takes 5 minutes). Part 2 is the Compliance Assessment: 40 questions across 10 mandatory security domains from Article 21. Your compliance score updates live as you answer. Fines reach EUR 10M, and management is personally liable.

Run this: If you're in one of 18 critical sectors with 50+ employees or EUR 10M+ revenue.

BSI C5 -- German cloud security

BSI C5 is specifically for cloud service providers operating in Germany. It covers 17 criteria groups at two levels (Basic and Enhanced). Think of it as "ISO 27001 for cloud" with German-specific requirements. Almost no other GRC tool includes native C5 assessment -- it's a DACH market differentiator.

Run this: If you provide cloud services to German customers, especially government or enterprise.

How they work together

These assessments aren't competitors -- they're layers. A typical journey looks like this:

The beautiful part: evidence you create in one assessment automatically feeds the others. A risk assessment done for ISO 27001 also satisfies NIS2 Article 21, DORA Article 6, and BSI C5 Domain 2. You never redo the work.

All assessments follow the same 4-step workflow: Scope → Assess → Review → Report

Every assessment, same workflow

No matter which assessment you run, the process is always the same:

Quick decision guide

Rapid Assessment

Not sure where you stand on security? The Rapid Assessment gives you a baseline in about 60 minutes. It's the fastest way to answer the question every CISO gets asked: "How secure are we, really?"

What is a Rapid Assessment?

Think of it as a health check for your organisation's security posture. Instead of spending weeks going through hundreds of ISO controls, the Rapid Assessment samples 16 questions from a bank of 160, spread across 10 security domains (things like access control, data protection, incident response, business continuity). For each question, you answer Yes (fully implemented), Partial (work in progress), or No (not addressed).

When you're done, amara gives you a colour-coded heatmap showing exactly where you're strong (green) and where you have gaps (red). The whole thing takes about 60 minutes -- and you walk away with a clear, prioritised picture of what needs attention first.

When should I run one?

• Day one with amara -- it's the recommended first step. Get a baseline before diving into specific frameworks.
• Before an ISO or NIS2 assessment -- the Rapid Assessment identifies your weakest domains so you know where to focus.
• After a major change -- new office, new system, post-incident. Re-run to see how your posture has shifted.
• Quarterly check-ins -- track improvement over time. amara shows trend charts comparing your current score to previous runs.

How to run your first Rapid Assessment

Navigate to Assessments → Rapid Assessment (or use Quick Access → New Rapid Assessment in the sidebar). Click Start New Assessment, and you'll be presented with 16 questions, one at a time. For each question, pick Yes / Partial / No and optionally upload evidence (a screenshot, a policy document, a config file). You don't need evidence to complete the assessment -- but it helps later when auditors ask "how do you know?"

When you finish, amara generates 5 reports automatically: an executive summary, a domain breakdown radar chart, a gap analysis, a remediation roadmap, and a trend comparison (if you've run previous assessments).

4 assessment types, 4-step workflow: Scope → Assess → Review → Report

The 10 security domains

Scoring

Scoring: Yes (1.0) / Partial (0.5) / No (0.0). Five report types generated per assessment

6-tier maturity: Incomplete (0-22%) → Initial → Repeatable → Defined (target) → Managed → Optimised (100%)

ISO 27001:2022

ISO 27001 is the international gold standard for information security management. If your clients require it (and increasingly they do), this is where you manage the entire certification journey.

What is ISO 27001?

ISO 27001 is a globally recognised standard that proves your organisation takes information security seriously. It defines 93 specific security controls (called "Annex A controls") grouped into four categories: Organisational (37 controls covering policies, roles, supplier relations), People (8 controls covering screening, awareness, remote work), Physical (14 controls covering facilities, equipment, cabling), and Technological (34 controls covering access control, encryption, logging).

To get certified, an external auditor checks that you've implemented these controls to an acceptable maturity level. The key document they ask for first is the Statement of Applicability (SoA) -- a table showing which of the 93 controls apply to you, how mature your implementation is, and why you've excluded any that don't apply.

Why does it matter?

Practically: you lose contracts without it. More and more clients (especially in enterprise and government) require ISO 27001 certification as a condition for doing business. Beyond that, it forces you to build a proper Information Security Management System (ISMS) -- which means you're actually more secure, not just compliant on paper.

How amara helps

amara maps all 93 controls with maturity scoring from 0 (ad-hoc) to 5 (optimised). You work through each control, score your current implementation, upload evidence, and note remediation plans for gaps. When you're done, amara auto-generates the SoA -- the document that would normally take a consultant days to compile. Your assessment data also feeds the risk module, so compliance gaps automatically become risk items with owners and deadlines.

The 4 control categories (Annex A)

CMMI maturity levels

Running an ISO 27001 assessment

NIS2 Compliance

NIS2 is the EU cybersecurity directive that's keeping CISOs up at night. If it applies to you, there's no opt-out -- and management is personally liable.

What is NIS2?

NIS2 (Network and Information Security Directive 2, EU 2022/2555) is an EU law that requires organisations in critical sectors to implement specific cybersecurity measures. It replaces the original NIS Directive and dramatically expands the scope: in Germany alone, 28,000+ organisations are now affected, up from about 2,000 under the old rules.

The law covers 18 sectors across two tiers: 11 "essential" sectors (energy, transport, banking, health, water, digital infrastructure, ICT services, public admin, space) and 7 "important" sectors (postal, waste, chemicals, food, manufacturing, digital providers, research). If you're in one of these sectors AND meet the size threshold (50+ employees or EUR 10M+ revenue), you're likely in scope.

Why should I care?

Three reasons:

• The fines are real. Up to EUR 10M or 2% of global revenue for essential entities. EUR 7M or 1.4% for important entities.
• Management is personally liable. Article 20 makes board members and executives personally responsible for ensuring cybersecurity measures are in place. This isn't an IT problem anymore -- it's a board-level obligation.
• Incident reporting deadlines are tight. 24 hours for an early warning. 72 hours for a full notification. 30 days for a final report. If you don't have the processes in place, you won't make these deadlines.

How amara helps with NIS2

amara walks you through a 3-phase process:

Phase 1: Relevance Assessment → Phase 2: Gap Assessment (40Q, 10 domains) → Phase 3: Remediation Planning

Phase 1: Are you in scope?

Phase 2: 40 Article 21 Questions

BSI C5 Compliance

If you provide cloud services in Germany, BSI C5 is the trust badge your customers look for. Almost no other GRC platform includes native C5 assessment -- amara does.

What is BSI C5?

BSI C5 (Cloud Computing Compliance Criteria Catalogue) is a standard created by Germany's Federal Office for Information Security (BSI). It defines security requirements specifically for cloud service providers. Think of it as "ISO 27001 for cloud" -- but with German-specific requirements around data residency, transparency, and accountability.

The standard covers 17 criteria groups ranging from organisation security and physical security to incident response, portability, and transparency. Each group has specific controls at two levels: Basic (minimum requirements) and Enhanced (for sensitive workloads).

Who needs BSI C5?

• Cloud service providers in Germany -- C5 attestation is increasingly expected by enterprise and government customers.
• Organisations using cloud services -- if your cloud provider has C5 attestation, it simplifies your own compliance. If they don't, you need to assess them yourself.
• Public sector suppliers -- German government agencies often require C5 for cloud procurement.
• Anyone who wants to stand out in the German market -- C5 is a trust differentiator that competitors without it can't match.

How to run a BSI C5 assessment in amara

17 BSI C5 criteria groups: OIS, SP, PS, AM, PHY, OPS, IAM, CRY, COS, SSO, COM, BCM, IRP, SIM, SDV, POR, TRK

Who Needs BSI C5

• Cloud service providers operating in Germany
• Organisations using cloud services for critical data
• Public sector entities and their suppliers
• Any organisation seeking to demonstrate cloud security maturity

C5 in amara: 17 Criteria Groups

Statement of Applicability (SoA)

The SoA is the single most important document in an ISO 27001 audit. It's a table that says "here are all 93 controls, here's which ones apply to us, here's how mature our implementation is, and here's why we've excluded any." Auditors ask for it first. amara generates it automatically from your assessment scores -- no manual compilation needed.

What the SoA Contains

• All 93 Annex A controls listed with applicability status
• Current maturity level (0-5) for each control
• Justification for any excluded controls
• Remediation plans for controls below target

What does an SoA actually look like?

If you've never seen a Statement of Applicability, here's a concrete example. Each of the 93 controls gets a row like this:

When amara generates the SoA, it fills in the maturity level, implementation status, and evidence references automatically from your assessment scores and uploaded evidence. You don't compile this manually -- you just review and approve. For a typical 93-control SoA, this saves days of work.

How amara Generates the SoA

Supplier Management -- Overview

Your security is only as strong as your weakest vendor. Before a supplier gets access to your systems, they go through a structured 3-phase approval. amara scores their criticality, tracks their certifications, and blocks unapproved vendors from linking to your assets.

Why do I need Supplier Management?

Think of your suppliers like doors into your building. Each one is a potential entry point -- not just for the services they provide, but for the risks they carry. A cloud provider with weak encryption, an IT contractor with admin access to your network, a software vendor with poor update practices -- any of these can become your security incident.

What you'll see

The Supplier Management module shows a list of all registered vendors with their category, criticality level, approval status, and next review date. Colour-coded badges make it easy to spot issues: APPROVED means active and reviewed, IN REVIEW means assessment in progress, OVERDUE means the annual review is past due.

How supplier onboarding works

When you add a new supplier, they go through three phases before they can be linked to your assets:

3-phase lifecycle: Onboard (34 fields) → Score (8-factor criticality) → Approve (3-phase workflow)

The 6 supplier categories

The 5 access dimensions

For each supplier, you rate what kind of access they have to your organisation. This feeds directly into the criticality scoring:

• Application access -- Can they log into your software systems? (CRM, ERP, email)
• Device access -- Can they touch your hardware? (servers, laptops, network equipment)
• Facility access -- Can they enter your buildings? (offices, server rooms, data centres)
• Network access -- Can they connect to your network? (VPN, direct connection, API access)
• Physical asset access -- Can they handle your physical equipment? (installation, maintenance, repair)

A supplier with all five = very high risk. A supplier with none = low risk. Most fall somewhere in between.

How Supplier Management connects to other modules

• Suppliers ↔ Assets: Bidirectional linking shows which vendors support which assets, and which assets depend on which vendors. Approval gate is enforced -- unapproved suppliers can't link to assets.
• Suppliers → Risk Management: Supplier incidents become risk items. Geographic risk and subprocessor chains feed into the risk register. If a critical supplier is overdue for review, that's a risk.
• Suppliers → NIS2: Article 21(d) requires supply chain security management. Every supplier you onboard through amara's 3-phase process automatically creates compliance evidence.
• Suppliers → Ask amara: 6 dedicated functions: "Which suppliers are overdue?", "Show critical suppliers", "Which suppliers access our critical assets?"

Adding a Supplier

Adding a new supplier to amara means building a complete picture of the relationship: who they are, what services they provide, what data they'll touch, what access they need, and what security certifications they hold. Here's a walkthrough of the 34-field form, section by section.

Step-by-step walkthrough

Let's walk through adding a real supplier -- say your cloud hosting provider, "CloudHost GmbH."

The 34 supplier fields -- section by section

Section 1: Identity (6 fields)

This is the "who are they?" section.

• Supplier Name* -- the name you know them by. "CloudHost GmbH" -- be specific enough that there's no confusion with similar vendors.
• Legal Entity* -- their full legal name as it appears on contracts. "CloudHost Solutions GmbH, HRB 12345."
• Country* -- where are they headquartered? This matters for GDPR data transfer rules. An EU-based vendor is simpler than a US-based one.
• Industry -- their industry sector. Helps with risk context (a cloud provider vs. an office supplies vendor carry very different risk profiles).
• Category* -- choose from Software, IT Services, Cloud, Hardware, Consulting, or Other. CloudHost would be "Cloud."
• Status -- auto-set to "Draft" when you create the record.

Section 2: Service & SLA (6 fields)

This captures the business relationship.

• Service Description* -- what exactly do they provide? "Dedicated server hosting for production database and application servers, including managed backup and DDoS protection."
• SLA Level -- what uptime do they guarantee? 99.9%? 99.99%? This feeds into your availability risk calculations.
• Contract Start/End -- when does the agreement run? amara will alert you before contracts expire so you can plan renewals or transitions.
• Renewal Terms -- auto-renew or manual? Notice period? Important for exit planning.
• Contract Value -- annual cost. This feeds into the financial exposure factor of criticality scoring. A EUR 500/month hosting provider vs. a EUR 50,000/month cloud platform represent very different financial risks.

Section 3: Data Processing (6 fields)

If this supplier processes any data on your behalf, this section is critical for GDPR compliance.

• Data Types Processed* -- what kind of data do they handle? Customer PII, financial records, employee data, health data? Be specific -- this directly affects criticality scoring.
• Processing Purpose -- why are they processing it? "Hosting and storage of production databases containing customer orders and personal data."
• Transfer Mechanism -- how does data move to them? Direct database replication, API, file upload, VPN tunnel?
• DPA Status* -- do you have a signed Data Processing Agreement? Required under GDPR Art. 28 if they process personal data. Options: Signed, Pending, Not Required.
• Sub-processors -- do they use sub-processors? If CloudHost uses AWS underneath, that's a sub-processor chain you need to track.
• Data Location -- where is the data physically stored? Germany, EU, US? This affects GDPR transfer rules and your geographic risk score.

Section 4: Access (5 fields)

For each type of access, answer Yes or No. The more "Yes" answers, the higher the risk. Think of each as a door into your organisation:

• Application Access -- can they log into your software? (admin panels, monitoring dashboards)
• Device Access -- can they touch your hardware? (server maintenance, equipment repairs)
• Facility Access -- can they enter your buildings? (data centre visits, on-site support)
• Network Access -- can they connect to your network? (VPN, direct connection, API endpoints)
• Physical Asset Access -- can they handle your physical equipment? (installation, decommissioning)

Section 5: Security & Compliance (6 fields)

This section tells you how seriously the supplier takes security. A vendor with ISO 27001 and recent pen tests is a very different risk profile from one with no certifications.

• ISO 27001 Certified -- Yes/No plus certificate expiry date. This is the gold standard -- if they have it, your due diligence is simpler.
• SOC 2 Report -- common for US-based cloud providers. Type II is more valuable than Type I.
• Pen Test Date -- when was their last penetration test? Anything older than 12 months is a flag.
• Insurance -- do they have cyber liability insurance? This transfers some of your risk.
• Security Contact -- who do you call if there's an incident? Name and direct contact details.
• Incident Response SLA -- how quickly must they notify you of a security incident? NIS2 requires you to report within 24 hours -- so your supplier needs to notify you well before that.

Section 6: Linked Assets

This section is read-only until the supplier reaches Phase 3 (Approved). Once approved, you can link assets to this supplier, creating a bidirectional dependency map: "which assets depend on CloudHost?" and "which vendors support our production database server?"

8-Factor Criticality Scoring

Not all suppliers are equally risky. Your office coffee supplier and your cloud hosting provider need very different levels of scrutiny. amara's 8-factor scoring engine quantifies that difference so you know where to focus your due diligence.

How criticality scoring works

For each supplier, amara scores 8 risk factors on a 1-4 scale. The scores are weighted and combined into a total criticality rating from 1 to 32. This determines how much oversight the supplier needs:

• Low (1-10): Standard monitoring, annual review. Your office supplies vendor probably falls here.
• Medium (11-20): Enhanced monitoring, semi-annual review. A payroll software provider might be here.
• High (21-28): Active management, quarterly review, pen test required. Your cloud hosting provider likely scores here.
• Critical (29-32): Continuous monitoring, dedicated risk owner, board visibility. Think: the single vendor running your core infrastructure with no alternatives.

The beauty of this system: it's objective and repeatable. Two people scoring the same supplier should get similar results, because the criteria are specific and measurable. No more "I think they're fine" gut feelings.

The 8 factors

Criticality result

Supplier Lifecycle Management

Suppliers aren't a one-time checkbox. Certifications expire, contracts renew, people change, and security postures shift. amara tracks the complete vendor lifecycle so you never miss a review date or lose track of who has access to what.

The 5 Lifecycle Stages

Annual Reassessment

Supplier approval isn't a one-time event. Companies change: they get acquired, lose certifications, suffer breaches, or shift their data centres to different countries. What was a low-risk vendor last year might be a high-risk one today. That's why every approved supplier goes through an annual reassessment.

How the reassessment works

amara sends automatic reminders to the supplier manager:

• 60 days before due date: "Heads up -- CloudHost GmbH reassessment is coming up." This gives you time to request updated certifications from the supplier.
• 30 days before: "CloudHost GmbH reassessment due in 30 days. Start gathering updated documentation."
• On the due date: "CloudHost GmbH reassessment is due today." Status changes to REVIEW DUE.
• If overdue: Status changes to OVERDUE. This appears on dashboards, in reports, and in Ask amara queries. An overdue supplier review is flagged as a compliance gap in NIS2 Art. 21(d).

What you review during reassessment

Decommissioning a Supplier

3-Phase Supplier Approval

No shortcuts here -- a supplier must pass through 3 approval phases before they can touch your assets. This isn't bureaucracy for its own sake; it's how you satisfy NIS2 Article 21(d) supply chain requirements and make sure nobody slips through without proper vetting.

Phase 1: Onboard (34 fields, DRAFT) → Phase 2: Score (8-factor, IN REVIEW) → Phase 3: Approve (risk owner, APPROVED)

Why three phases instead of one?

Think of it like hiring an employee. You wouldn't let someone start work just because HR received their CV (Phase 1). The hiring manager needs to interview them and check their skills (Phase 2). And someone with authority needs to approve the hire and set a start date (Phase 3). Supplier approval follows the same logic -- each phase catches different types of problems.

The 3 approval phases in detail

Phase 1: Profile Review (Supplier Manager)

Goal: "Do we have a complete picture of who this vendor is?"

The supplier manager verifies that all 34 fields are filled in accurately. Here's what they're checking:

• Is the legal entity name correct and verifiable?
• Do we have a signed DPA if they process personal data?
• Are the access dimensions (application, network, facility, device, physical) accurately described?
• Have they disclosed their sub-processors?
• Is the contract value and SLA documented?

Common rejection reasons: Missing DPA for a data processor. Incomplete service description. No security contact provided. Unknown data location.

If everything checks out, the supplier manager clicks Approve Phase 1. Status changes to "Phase 2 -- In Review" and the security team is notified.

Phase 2: Security Assessment (Security Team)

Goal: "How risky is this vendor, exactly?"

The security team runs the 8-factor criticality scoring. This is where the numbers come in:

• They score each of the 8 factors (dependency, data sensitivity, access scope, linked asset CIA, financial exposure, geographic risk, certifications, subprocessor chain) from 1-4.
• They verify certifications: Is the ISO 27001 certificate real and current? When was the last pen test? Is their SOC 2 report Type I or Type II?
• They assess the technical risk: Does this vendor need VPN access to our network? Can they access production data? Do they have admin privileges?

Common rejection reasons: Criticality score too high for the business justification. Expired certifications. No pen test in over 12 months. Excessive access scope for the service provided.

After scoring, the security team clicks Approve Phase 2. Status changes to "Phase 3 -- Pending Approval."

Phase 3: Final Approval (Risk Owner / CISO)

Goal: "Knowing the full picture, do we accept this vendor relationship?"

The Risk Owner or CISO reviews everything: the complete profile, the criticality score, the security team's notes, and any flagged concerns. They make the final call:

• Approve: Supplier is activated. Annual review date is set automatically based on criticality (12 months for Low/Medium, 6 months for High, 3 months for Critical). The supplier can now be linked to assets. NIS2 Art. 21(d) supply chain evidence is created.
• Request changes: Send back with specific concerns. "Require updated pen test results before approval." The supplier drops back to the appropriate phase.
• Reject: Supplier is not approved. Documented with reasoning. Cannot be linked to any assets.

Supplier Module -- Module Connections

Your suppliers don't exist in a vacuum -- they touch your assets, create risks, affect your compliance posture, and can be queried by the AI. Here's how the supplier module connects to the rest of amara.

Document Dialog -- Overview

Writing policy documents from scratch costs EUR 22,000-44,000 in consultant fees. amara ships with 44 ready-to-use ISO 27001 templates containing ~1,500 dynamic fields. Answer structured questions, and the AI generates your policies in minutes -- version-controlled and audit-ready.

Why do I need policy documents?

Security policies are like an employee handbook for cybersecurity. They set the rules everyone follows, and they're your legal protection when things go wrong. Without documented policies:

• Auditors fail you. ISO 27001 and NIS2 both require written security policies. No documents = no certification.
• Insurance claims get denied. Many cyber insurance policies require documented security measures.
• Employees guess. Without clear rules, people make their own decisions -- and they're usually wrong.
• You're legally exposed. In a lawsuit after a breach, "we didn't have a policy for that" is the worst possible answer.

The problem? Writing professional security policies from scratch typically costs EUR 22,000-44,000 in consultant fees, and takes weeks. amara generates them in minutes from templates built by a GRC veteran with 20+ years of audit experience.

How it works in practice

Let's say you need an Access Control Policy for your ISO 27001 certification:

Select template → AI generates (~1,500 fields auto-filled) → Review (versioned) → Approve (locked, distributed, added to RAG)

The document lifecycle

The FIELD and BLOCK marker system

How Document Dialog connects to other modules

• Documents ↔ Ask amara: This is the dual-purpose magic. Every approved policy document is automatically indexed in the AI's knowledge base (RAG). When someone asks "What does our password policy say about remote access?", Ask amara finds the answer in your actual approved document -- not a generic internet response.
• Documents → Compliance: Approved policies serve as direct evidence for ISO 27001 Annex A.5.1, NIS2 Art. 21(a), and BSI C5 SP-01. The evidence package pulls them automatically.
• Documents ← Assessments: When you run an ISO 27001 assessment and score low on a control, amara recommends which policy template to generate to close that gap.
• Documents → Reporting: Document status (current, due for review, overdue) feeds into compliance dashboards and audit evidence packages.

44 Policy Templates

44 templates, all mapped to ISO 27001:2022 controls. Each is pre-written by a GRC veteran with 20+ years of audit experience, ready for AI generation with your organisation's data.

How to choose your first template

Don't try to generate all 44 at once. Here's a practical starting order:

1. Information Security Policy -- the master document. Everything else references it. Generate this first.
2. Access Control Policy and Password Policy -- immediate, practical impact. Employees can start following these right away.
3. Incident Response Plan -- you need this before something goes wrong, not after.
4. Whatever your ISO assessment flagged -- if you scored low on a control, amara recommends the template that addresses it.

Full template catalogue

Information Security Governance (8)

Information Security Policy, ISMS Manual, Risk Management Policy, Data Classification Policy, Acceptable Use Policy, Security Organisation, Management Commitment, Policy Review Schedule.

Access Control & Identity (6)

Access Control Policy, Password Policy, User Access Management, Privileged Access, Remote Access, MFA Policy.

Human Resources Security (4)

Pre-Employment Screening, Security Awareness Training, Disciplinary Process, Termination & Change.

Physical & Environmental Security (4)

Physical Security Policy, Secure Areas, Equipment Security, Clear Desk / Clear Screen.

Operations Security (6)

Change Management, Capacity Management, Malware Protection, Backup Policy, Logging & Monitoring, Technical Vulnerability Management.

Incident Management (4)

Incident Response Plan, Incident Classification, Forensic Investigation, Lessons Learned.

Business Continuity (4)

BCP Policy, Disaster Recovery Plan, Backup & Recovery, Crisis Communication.

Data Protection & Cryptography (4)

Data Protection Policy, Encryption Policy, Key Management, Data Retention & Disposal.

Network & System Security (4)

Network Security Policy, Firewall Management, Wireless Security, System Hardening.

Generating a Document

Step-by-step guide to generating your first policy document from a template.

4-step workflow: Select → Generate (AI fills ~1,500 fields) → Review (version-tracked) → Approve (locked)

Troubleshooting common issues

If your generated document doesn't look right, here's what to check:

Version Control

Auditors love one thing above all: proof that you can show exactly who changed what, when, and why. In amara, every time you save a document, a new immutable version is created. You can never lose a previous version, and you can always compare any two side by side.

How versioning works

Every time you save a document, amara creates a new version with a timestamp, author ID, and change summary. Previous versions are never overwritten.

Version states

Diff view

Compare any two versions side by side. Green = added, Red = removed, Yellow = changed.

7-year retention

All document versions are retained for 7 years minimum, meeting ISO 27001 and GDPR record-keeping requirements.

ISP Generator

If ISO 27001 is your destination, the Information Security Policy is your roadmap. It's the master document that defines how your organisation approaches security -- from who's responsible for what, to how you handle incidents, to what encryption standards you use. amara auto-generates the entire ISP skeleton (49 files) from your organisation data, so you're not starting from a blank page.

How to generate your ISP

What's in the ISP?

Think of the ISP as your organisation's security constitution. It's not one document -- it's 49 interconnected files that together define everything about how your organisation handles information security. From "who's responsible for security?" to "how do we encrypt data?" to "what happens when there's a breach?" -- it's all here.

When amara generates the ISP, it pulls your company name, sector, contacts, and other org settings from the database and weaves them into every document. You're not filling in templates -- the system is generating a customised policy framework for your specific organisation.

ISP structure

Review Cycles

A policy that nobody reviews for two years isn't a policy -- it's a liability. Auditors check when your documents were last reviewed, and "we forgot" isn't an answer they accept. amara sends automatic reminders and tracks review status so no document falls through the cracks.

Review Cycle Options

Review Workflow

Dashboard visibility

Your document dashboard shows the review status of every policy at a glance:

• Overdue -- review date has passed. This is a compliance finding waiting to happen. Address these first.
• Due within 30 days -- coming up soon. Plan your review time now.
• Current -- reviewed and up to date. Nothing to do until the next cycle.

Training University -- Overview

NIS2 Article 20 makes management personally liable for cybersecurity training. amara includes a complete training platform with 20 role-based courses, from board-level governance awareness to specialist penetration testing skills. Each course has 24 knowledge cards and 24 quizzes, with SHA-256 signed certificates that serve as direct compliance evidence.

How training works for you

If you're a learner

When your admin assigns you a role (e.g., "Operations" or "CISO"), the relevant courses are automatically assigned to your account. Open Training from the sidebar and you'll see your assigned courses with progress bars. Each course follows the same pattern:

1. 24 Knowledge Cards -- visual, role-specific learning content. Read through them at your own pace.
2. 24 Quizzes -- 5 questions per quiz. You need 70% to pass each one. If you score below 65%, amara suggests re-reading specific cards before retrying.
3. Certificate -- once you pass all quizzes, a SHA-256 signed certificate is issued automatically. It's valid for 12 months and serves as compliance evidence for NIS2 Art. 20 and ISO 27001 Control 6.3.

If you're a training admin

You can assign courses individually or in bulk (by department, by role, or for all new employees). The admin dashboard shows overall completion rates, overdue users, failed quiz questions (to identify knowledge gaps), and certificates expiring in the next 90 days.

ENISA ECSF framework: 12 specialist + 2 executive + 6 functional roles, with NIS2 Art. 21 C7 compliance

The Three Training Tiers

Specialist Tier (12 Roles)

ENISA ECSF framework: CISO, Cyber Incident Responder, Cyber Legal/Policy/Compliance, Cyber Threat Intelligence Specialist, Cybersecurity Architect, Cybersecurity Auditor, Cybersecurity Educator, Cybersecurity Implementer, Cybersecurity Researcher, Digital Forensics Investigator, Penetration Tester, Vulnerability Manager.

Executive Tier (2 Roles)

Board of Directors (NIS2 Art. 20 governance liability) and Management (operational security oversight).

Functional Tier (6 Roles)

Operations (mandatory baseline for all staff), HR, Finance, Development, Legal, Procurement.

Admin assigns role → mandatory courses auto-assigned → 24 knowledge cards + 24 quizzes → certificate issued (12-month validity)

How Training connects to other modules

• Training → NIS2: Training completion is a mandatory domain in NIS2 (Article 20 for management, Article 21 C7 for staff). Your training records feed directly into the NIS2 compliance score. 100% completion in EXEC_BOARD and EXEC_MGMT is essentially a prerequisite for NIS2 compliance.
• Training → ISO 27001: Control 6.3 (Information Security Awareness, Education and Training) requires documented training evidence. Certificates issued by amara satisfy this requirement directly.
• Training → Reporting: Training completion rates appear in executive dashboards and audit evidence packages. The admin analytics show completion by role, overdue users, and expiring certificates.
• Training → Ask amara: 4 dedicated functions: "Who hasn't completed training?", "Show expiring certificates", "What's our EXEC_BOARD completion rate?"

Course Catalogue -- 20 Courses

All 20 courses follow the same proven structure: learn with visual Knowledge Cards, then prove your understanding with quizzes. Here's the full catalogue organised by the three training tiers.

Why role-based training?

A one-size-fits-all security training is a waste of everyone's time. Your CISO doesn't need "how to spot a phishing email" and your receptionist doesn't need "advanced penetration testing methodology." amara's training is based on the ENISA European Cybersecurity Skills Framework (ECSF) -- the EU's official framework for cybersecurity roles and competences.

Each role gets courses tailored to their responsibilities. A developer learns about secure coding and dependency management. A board member learns about governance liability and strategic oversight. A procurement officer learns about supplier contract security clauses. Everyone gets what's relevant to their job -- and nothing they don't need.

The three training tiers

Specialist Tier (12 courses) -- for cybersecurity professionals. Based directly on ENISA ECSF role definitions. Think: CISO, incident responder, penetration tester, security architect.

Executive Tier (2 courses) -- for board members and management. Focused on governance, liability, and strategic decision-making. These exist because NIS2 Article 20 makes executives personally liable.

Functional Tier (6 courses) -- for everyone else, tailored by department. Operations (mandatory baseline for all staff), HR, Finance, Development, Legal, Procurement. Each focuses on the security aspects most relevant to that function.

Tier 1: ECSF Specialist Courses (12)

Tier 2: Executive Governance (2)

Tier 3: All-Staff Awareness (6)

Knowledge Cards & Quizzes

Training in amara isn't a boring slideshow. Each course uses visual Knowledge Cards (think flashcards with depth) to teach concepts, followed by quizzes to make sure the knowledge sticks. The system adapts -- if you're struggling, it suggests specific cards to re-read.

Knowledge Card Format

Think of knowledge cards like flashcards with depth. Each card teaches one concept, in a way that's specific to your role. A CISO card about incident response covers governance and liability. A developer card about incident response covers secure logging and evidence preservation. Same topic, different angle.

Each card contains:

• Title and card number -- e.g., "Card 12: Incident Classification Frameworks"
• Difficulty level -- Foundation, Intermediate, or Advanced. Cards build on each other.
• Prerequisites -- which earlier cards you should have read first (e.g., "Requires Card 8: Threat Landscape Overview")
• Core content -- 300-500 words with role-specific examples. A CISO card uses board-level language; a developer card uses code examples.
• Visual aids -- diagrams, decision trees, or comparison tables where they help.
• Key takeaway -- one sentence summarising the card. Perfect for quick revision.

Quiz Format

After every set of knowledge cards, you face a quiz. Here's how they work:

• 5 questions per quiz, 24 quizzes per course -- that's 120 questions total, covering every knowledge card.
• Question types: Single-select (pick one correct answer) and multi-select (pick all that apply). Multi-select questions are harder because partial credit isn't awarded -- you need all correct answers.
• 70% pass threshold per quiz -- you need at least 3.5 out of 5 (so 4 correct answers) to pass.
• Retry with rotation: If you fail, you can retake the quiz, but the questions rotate from a larger pool. You can't just memorise the answers -- you need to understand the concepts.

Example quiz question

Here's a real example from the CISO course, Quiz 12 (Incident Response):

Questions are designed to test practical knowledge, not trivia. They focus on "what would you do in this situation?" rather than "what year was this regulation published?"

Adaptive Difficulty

If you score below 65% on a quiz, amara doesn't just tell you "try again." It analyses which questions you got wrong, maps them back to the knowledge cards that cover those topics, and says something like: "You missed questions about incident classification and reporting timelines. We recommend re-reading Cards 11-13 before retrying."

This targeted guidance means you're not re-reading the entire course -- just the parts you need to strengthen. Most people pass on the second attempt after reviewing the suggested cards.

Certification & Competency Records

When someone completes a training course, amara issues a tamper-proof certificate. It's not just a nice PDF -- it's cryptographically signed so nobody can fake it, and it serves as direct evidence for NIS2 Article 20 and ISO 27001 Control 6.3 audits.

Certificate Data Fields

Re-Certification

Certificates expire after 12 months. 30-day advance notice sent. User must retake the course to re-certify.

Training Analytics (Admin)

As a training admin, you need to answer one question quickly: "Is everyone trained, and can I prove it?" This dashboard gives you that answer -- completion rates by role, overdue users, expiring certificates, and the ability to assign courses in bulk.

Dashboard Views

Organisation Overview

This is your "are we compliant?" view. When you open Training Analytics, you'll see:

• Overall completion rate -- a single percentage showing how much of your assigned training is done. You'll see this as a large number at the top of the dashboard (e.g., "78% Complete") with a progress ring. Green means on track, yellow means falling behind, red means significant overdue training.
• Role-based breakdown -- a horizontal bar chart showing completion per training tier. You can quickly spot if your Executive tier is lagging (which is a NIS2 Art. 20 risk) or if a specific department hasn't started their courses.
• Overdue users -- a list of people who have assigned courses past their deadline. Sorted by how overdue they are. You can click any user to see their specific courses and send them a reminder directly.
• Expiry pipeline (next 90 days) -- certificates that are about to expire. This is your early warning system. If 15 certificates expire next month, you need those people to retake their courses before the certificates lapse. Particularly critical for EXEC_BOARD and EXEC_MGMT certificates -- if those expire, you have a NIS2 compliance gap.

Course-Level Analytics

Drill into any specific course to see:

• Enrolment vs. completion funnel -- how many people are assigned, how many started, how many finished? A big drop between "started" and "completed" suggests the course might be too difficult or too long.
• Failed questions analysis -- which specific quiz questions are people getting wrong most often? This is gold for identifying knowledge gaps. If 60% of people fail the question about incident reporting deadlines, that's a topic that needs reinforcement -- maybe through a company-wide briefing or an additional knowledge card.
• Score distribution per quiz -- a histogram showing the spread of scores. If most people score 90%+, the quiz might be too easy. If there's a bimodal distribution (some get 90%, others get 40%), you might have an engagement problem with part of the audience.
• Average completion time -- how long are people taking? This helps you plan: if the CISO course averages 6 hours, you know to block that time for new CISOs.

Individual User View

Click any user to see their complete training profile:

• All assigned courses with status (Not Started, In Progress %, Completed, Expired)
• Quiz scores per course -- broken down by quiz (Quiz 1: 85%, Quiz 2: 70%, etc.)
• Certificate IDs -- the unique, SHA-256 signed certificate identifiers for completed courses
• Re-certification dates -- when each certificate expires and whether renewal is in progress

This view is what you'll pull up when an auditor asks "show me that your CISO has completed cybersecurity governance training." One click, full evidence.

Compliance Reporting Integration

Training data doesn't just live in the Training module -- it feeds directly into compliance evidence:

• NIS2 Domain 7 (Cyber Hygiene & Training): Your NIS2 compliance score for Article 21 C7 is directly calculated from training completion rates. 100% completion in relevant courses = full marks on this domain. Incomplete training = a compliance gap that shows up in your NIS2 assessment.
• ISO 27001 Control 6.3: Training certificates are automatically included in audit evidence packages. The auditor gets a list of all users, their assigned courses, completion dates, scores, and certificate IDs -- without you compiling anything manually.
• Management Reports: The board-ready training compliance dashboard shows completion rates at a glance, with red/yellow/green status per department. This is included in the Executive GRC Summary report and can be generated as a standalone PDF for HR reviews.

Ask amara -- Your GRC Co-pilot

Instead of navigating dashboards and exporting reports, just ask a question. "What are my top 10 risks?" "Which suppliers access critical systems?" Ask amara queries your actual data and gives you grounded answers in seconds -- and your data never leaves your server.

How to use Ask amara

Click Ask amara under Resources in the left sidebar. You'll see a clean chat interface with the greeting "Hello! I'm amara -- How can I help you today?" At the bottom, there's an input box labelled "Message amara..." with a send button. Type your question in natural language (English or German) and press Enter or click the arrow.

Your messages appear on the right side, amara's responses on the left. Below the input, a small disclaimer reminds you to "verify important information" -- because while amara is 98% accurate, you should always double-check critical decisions.

Try these queries right now

Here are real queries you can try, ordered from simple to complex:

Why Ask amara answers are different from ChatGPT

When you ask "How many critical assets do we have?", Ask amara doesn't guess -- it runs a real database query against your asset register and returns the exact number. When you ask about policies, it searches your actual approved documents, not the internet. Every answer is grounded in your data.

How the AI decides what to do with your question

Ask amara uses a 3-tier system to route your question to the fastest, most accurate answer:

Query pipeline: Compliance Gate → Smart Router → Privacy Shield → LLM + Audit

Full architecture: MCP integrations → amara GRC → Ask amara Pro → Local LLM → MCP server outbound

What you can ask

4-Tier Query Routing

When you ask amara a question, it doesn't just throw everything at an AI model. It figures out the fastest, most accurate way to answer you. Simple counting questions get instant database answers. Policy questions search your documents. Complex analysis goes to the local AI. Here's how the routing works under the hood.

Tier 1: Database (33 functions, ~0 cost) → Tier 2: RAG (vector search, ~0 cost) → Tier 3: Local LLM → Tier 4: Cloud opt-in

The 4 intelligence tiers

~70% of queries resolve at Tier 1 or 2 (instant, zero cost).

How the router decides: a behind-the-scenes look

When you type a question, the Smart Router doesn't use AI to classify your query -- that would add latency. Instead, it uses a fast keyword-matching system with 233 patterns. Here's how the decision flows:

Tier 1 decision: "Can I answer this from the database?"

The router scans your query for keywords like "how many," "count," "list," "show me," "top," "overdue," combined with module terms like "assets," "risks," "suppliers," "training." If a pattern matches, the router picks one of the 33 pre-built SQL functions. No AI is involved at all -- it's a direct database query, which is why it's instant and 100% accurate.

Example: "How many critical assets do we have?" matches a keyword pattern and routes to the appropriate database function. Result appears in ~20 milliseconds.

Tier 2 decision: "Is this about policy content?"

If no database pattern matches, the router checks for policy-related keywords: "policy," "says," "what does," "according to," "procedure for." If detected, it sends the query to the vector database for semantic search against your approved documents. The embedding model converts your question into a high-dimensional vector and finds the most similar passages in your document library.

Example: "What does our access control policy say about remote work?" has no database function for this -- but the vector search finds the relevant section in your approved Access Control Policy and returns the actual text with page references.

Tier 3 decision: "This needs reasoning"

If neither Tier 1 nor Tier 2 can handle it, the query goes to the local LLM. This handles analysis, drafting, comparison, and "help me think about" queries. The LLM receives your question plus relevant context from the database and documents, so its answers are grounded in your actual data.

Example: "Draft a risk treatment plan for our unpatched server vulnerability" requires the LLM to look at your specific risk, the linked asset, current controls, and your org context to generate a meaningful plan.

Tier 4 decision: "This is beyond local capability"

The cloud tier is only used when explicitly opted in. It handles queries that exceed the local model's context window or require more sophisticated reasoning (multi-step analysis, long-form report generation, cross-quarter trend analysis). You'll see a consent dialog before any data is sent externally.

How to write better queries

The routing system is designed to work with natural language, but a few tips help you get faster, better answers:

• For instant answers, be specific: "How many active hardware assets do we have?" routes to Tier 1 instantly. "Tell me about our hardware" is vaguer and might route to Tier 3.
• For policy questions, name the document: "What does our Access Control Policy say about remote work?" is faster than "What are our remote work rules?" because the first query narrows the RAG search.
• For analysis, give context: "Compare our NIS2 compliance score from Q1 to Q2 and identify the three biggest improvements" gives the LLM clear instructions.

What You Can Ask -- By Module

Ask amara has 33 pre-built database queries covering every module. The AI never writes raw SQL -- it picks from a curated, tested set. That's why the accuracy is 98% with zero hallucinations. Here's what you can ask, organised by module.

Assets (5 queries)

Risks (7 queries)

Suppliers (6 queries)

Compliance (5 queries)

Training (4 queries)

Documents (4 queries)

Reporting (2 queries)

Privacy Shield & Data Sovereignty

For many organisations -- hospitals, government agencies, defence contractors, anyone handling classified data -- sending compliance information to a cloud API simply isn't an option. amara is built from the ground up so your data never has to leave your building.

What does "data sovereignty" actually mean here?

It means three things: (1) The AI model runs on your hardware -- no API calls to OpenAI, Google, or anyone else. (2) The vector database for document search is local. (3) Every query and response is logged in your own audit trail. When you ask amara "What are my top risks?", the question, the database query, and the answer all happen inside your infrastructure. Nothing phones home.

4 classification tiers: Public → Internal → Confidential → Restricted (each with ISO controls mapped)

What "Privacy Shield" means

1. Local-first AI: The LLM runs on your hardware. No API calls for Tier 1-3.
2. PII scrubbing: Multi-layer PII detection pipeline scrubs personal data before any cloud query.
3. Consent per query: Tier 4 cloud queries require explicit user consent each time.
4. Full audit trail: Every AI interaction is logged -- query, response, tier used, data accessed.

GDPR Compliance

With local AI: no DPA needed, no DPIA required, no Art. 46 international transfers. Your data stays in your infrastructure.

Air-Gap Deployment

Docker images loaded via removable media. Pre-downloaded models. Zero network dependency after initial setup.

Base vs. Pro AI Mode

amara gives you a choice: keep everything 100% local (Base mode -- your data never leaves your server), or opt into cloud AI for harder questions (Pro mode -- higher quality, but queries go to an external API). Most organisations start with Base and never need Pro.

When to use which mode

Base mode is the default and handles the vast majority of queries. It runs a local AI model on your hardware -- no internet needed, no API costs, no data leaving your building. For questions like "how many critical assets?", "show my top risks", or "what does our password policy say?" -- Base mode gives you 98% accuracy at zero cost.

Pro mode adds a cloud AI (like GPT-4o or Claude) for queries that need more sophisticated reasoning: multi-step analysis, comparing trends across quarters, drafting complex treatment plans, or generating detailed executive summaries. It's better for open-ended "help me think about this" questions. But it means your query goes to an external API, so you need a Data Processing Agreement under GDPR Article 28.

The practical advice: start with Base. If you find yourself wishing the answers were more nuanced or detailed, try Pro for those specific queries. You can switch modes at any time -- it's not a permanent choice.

Comparison

Reporting -- Overview

When your board asks "where do we stand on compliance?" or an auditor asks "show me your evidence" -- this is where you go. One-click PDF reports, complete audit evidence packages, and live dashboards. What used to take 40 hours of preparation now takes 40 seconds.

How to generate a report

Open Reporting from the sidebar. You'll see 28 pre-built report templates organised by audience (board, CISO, auditor, operational). Here's how to generate one:

18 report routes, 28 templates, 44 charts, 1-click PDF export

Who Uses Reports and When

28 Report Templates

28 report templates, each pre-formatted with your logo and branding, generated from live data. Pick a template, set a date range, click Generate.

Which reports should I start with?

You don't need all 28. Here are the 5 most useful reports for different situations:

All 28 templates by category

Executive reports (4)

For board members and C-level. High-level summaries with charts, no technical detail: GRC Executive Summary, Board Risk Report, Compliance Dashboard, KPI Scorecard.

Risk reports (5)

For CISOs and risk managers. Risk distribution, treatment tracking, trend analysis: Risk Register, Risk Heatmap, Treatment Progress, Residual Risk Summary, Risk Trend Analysis.

Compliance reports (7)

For compliance officers and auditors. Framework-specific scores and gap analysis: Rapid Assessment Report, ISO 27001 Gap Analysis, NIS2 Compliance Report, BSI C5 Status, SoA Document, Cross-Framework Summary, Remediation Roadmap.

Asset reports (3)

For IT asset managers. Inventory, classification, and lifecycle status: Asset Register, CIA Classification Summary, Asset Lifecycle Report.

Supplier reports (3)

For procurement and vendor managers. Vendor risk landscape: Supplier Register, Criticality Matrix, Approval Status Report.

Training reports (3)

For HR and training admins. Compliance status per person: Completion Dashboard, Certificate Register, Overdue Training Report.

Cross-module reports (3)

For auditors and annual reviews. Everything in one package: Full Audit Evidence Package, Data Flow Report, Annual Review Summary.

Audit Evidence Packages

The night before an audit, most people panic. With amara, you click one button and get a complete, structured evidence package -- assessment results, approved policies, risk register, training certificates, supplier records, and full audit trail -- all in a ZIP file ready to hand over.

Why evidence packages matter

An audit isn't about whether you think you're secure. It's about whether you can prove it. The auditor will ask: "Show me your risk register. Show me who approved this policy. Show me that your board completed cybersecurity training. Show me your supplier security assessments." Without documented evidence, all your hard work counts for nothing.

Traditional approach: spend 2-3 weeks gathering screenshots, exporting spreadsheets, chasing sign-offs, and compiling everything into a folder structure. With amara: click Generate Evidence Package, wait 30 seconds, download a ZIP file. Everything is already there because you've been working in the system all along.

ISO 27001 Package includes

• Statement of Applicability (93 controls)
• Risk register with treatment status
• All approved policy documents
• Training completion certificates
• Asset register with CIA classifications
• Supplier register with approval status
• Complete audit trail export

NIS2 Package includes

• Relevance assessment result
• Article 21 compliance scores (40 questions)
• Risk register (Art. 21/1)
• Incident response plan (Art. 23)
• Supply chain evidence (Art. 21/d)
• Management training records (Art. 20)

Generating an Evidence Package

Charts & Visualisations

Numbers in tables are hard to read. Charts tell the story instantly. amara includes risk heatmaps, compliance radar charts, training completion bars, asset distribution donuts, and more -- all interactive and exportable for your presentations.

Available Chart Types

Each chart is designed to answer a specific question at a glance. Here's what you'll see and when each one is most useful:

Risk Heatmap (4x4 matrix)

The heatmap is probably the most powerful single chart in amara. It plots every risk on a Likelihood (y-axis) x Impact (x-axis) grid. Each cell is colour-coded: green (Low, 1-4), yellow (Medium, 5-9), orange (High, 10-15), red (Critical, 16). You can see at a glance where your risks cluster. If you have a pile of dots in the top-right corner (high likelihood, high impact), you know exactly where to focus. Hover over any cell to see the specific risks in that score range.

Best for: Board presentations ("here's our risk landscape"), CISO reviews ("where should I focus this quarter?"), and auditor meetings ("here's proof we prioritise risk treatment").

Compliance Score Trend (time-series line)

A line chart showing your compliance score over 12 months for each framework (ISO 27001, NIS2, Rapid Assessment). The x-axis is time, the y-axis is percentage. Multiple lines let you compare frameworks side by side. An upward trend proves you're improving -- which is exactly what auditors and boards want to see.

Best for: Monthly board reports, tracking improvement after remediation efforts, demonstrating ROI of your GRC program.

Asset Distribution (donut chart)

A donut chart breaking down your assets by category (Hardware, Software, Data, Services, Facilities). The centre shows the total count. Each slice is clickable -- click "Software" and you'll jump to the filtered asset list. Useful for spotting imbalances: if 80% of your assets are hardware but you've only registered 2 data assets, you're probably missing some.

Best for: Asset inventory reviews, completeness checks, management overviews.

Supplier Approval Funnel (funnel chart)

Shows how many suppliers are at each approval stage: Draft, Phase 1 Review, Phase 2 Review, Phase 3 Pending, Approved. A healthy funnel flows smoothly from top to bottom. If suppliers are piling up in Phase 2, your security team might be a bottleneck.

Best for: Supplier management dashboards, identifying process bottlenecks, quarterly supplier reviews.

Training Completion (horizontal bar)

Each bar represents a training tier or department, showing the percentage completed vs. assigned. The bars are colour-coded: green (80%+), yellow (50-79%), red (below 50%). A quick scan tells you which groups need attention. If the Executive tier bar is red, that's a NIS2 Art. 20 liability issue.

Best for: Training admin dashboard, HR reviews, NIS2 preparation ("are all executives trained?").

NIS2 Domain Radar (radar/spider chart)

A 10-pointed radar chart with one axis per NIS2 Article 21 domain (Risk Analysis, Incident Handling, Business Continuity, Supply Chain, etc.). Your scores form a shape -- ideally a full, even polygon. Dents in the shape show your weakest domains at a glance. Comparing two overlaid shapes (this quarter vs. last quarter) shows exactly where you've improved.

Best for: NIS2 gap analysis, identifying your weakest compliance domains, tracking improvement over time.

Risk Treatment Burndown (burndown chart)

Like a project burndown chart but for risk treatments. The x-axis is time, the y-axis is the number of open treatment items. The line should trend downward as treatments are completed. If the line flattens or goes up, treatments are being created faster than they're being resolved -- a sign you need more resources or shorter deadlines.

Best for: Weekly CISO reviews, sprint-style risk remediation tracking, demonstrating progress to management.

Exporting Charts

All charts can be exported in three formats:

• PNG -- pixel-based image, best for embedding in PowerPoint presentations and email. Resolution is 2x for sharp display on retina screens.
• SVG -- vector format, scales to any size without quality loss. Best for print reports and PDF generation. This is what amara uses internally for report PDFs.
• CSV -- raw data behind the chart, for when you want to create your own visualisation in Excel or another tool. Includes all data points, labels, and timestamps.

To export, hover over any chart and click the download icon in the top-right corner. Choose your format and the file downloads immediately.

Export Formats

Different audiences need different formats. Board members want a polished PDF. Your data analyst wants a CSV. Your SIEM integration wants JSON. amara exports in all of them -- and you can schedule automated exports so they land in your inbox without you lifting a finger.

Format Overview

PDF Export Details

Org logo on every page, searchable text, PDF/A-1b for long-term archiving. Watermark and confidentiality labels configurable.

Automated Exports

Instead of manually generating reports every week, you can schedule them to run automatically. Set it up once, and the right report lands in the right inbox at the right time. Here's how:

Setting up a scheduled export

Common automated export setups

Admin Panel -- Overview

This is the control room for your amara instance. Set up your organisation, create user accounts, assign roles, monitor the audit trail, and manage backups. If you're setting up amara for the first time, start with Organisation Settings -- it powers everything else.

First-time setup checklist

If you're the admin setting up a fresh amara instance, do these in order:

Production stack: reverse proxy → application server → database + vector store + local LLM

What's in the Admin Panel

14 RBAC Roles -- Reference

This is the full reference for all 14 RBAC roles. Each role is a simple on/off toggle on the user record. Stack multiple roles to create the exact permission set each person needs -- a CISO might need 6 roles, while a regular employee just needs Training.

14 boolean role columns mapped to job titles: Super Admin, Read Only, Asset Mgmt, Supplier, NIS2, Assessments, ISO, CIA, C5, Risk, Documents, Rapid, Training, Training Admin

How is this different from Users & Roles?

The Users & Roles page explains how to create users and gives you an overview of the 14 roles. This page is the deep reference -- when you need to decide exactly which combination of roles to give someone, or when you want to understand what each role specifically permits and denies.

What each role actually controls

Each role is a boolean toggle (on/off) on the user record. When a role is on, that user can access the corresponding module's features. Here's what each role specifically permits:

Recommended role assignments

Here are tested role combinations for common job titles. Remember: roles are additive -- more roles = more access. When in doubt, start with fewer roles and add more as needed.

Organisation Settings

This is the reference for every setting in the Organisation panel. If you're wondering "what does this field actually do?" -- you're in the right place. Each setting is listed with where it's used and why it matters.

Settings Reference

NIS2 Relevance Engine

After setting sector, employee count, revenue, and balance sheet, amara auto-calculates a NIS2 relevance confidence score (0-100%), entity type (Essential/Important/Not in scope), and provides reasoning.

Audit Trail

Everything that happens in amara is logged -- every record created, every field changed, every login, every AI query. The audit trail is immutable (nobody can delete or edit log entries, not even admins) and retained for 7 years. When an auditor asks "who approved this risk on March 15th?", you have the answer in seconds.

What gets logged

Accessing the audit trail

Filter by module, date range, user, action type, or record ID. Full-text search across all log entries.

Exporting

Backup & Restore

Your GRC data is too important to lose. amara runs daily encrypted backups automatically at 03:00, keeps 750+ snapshots (~2 years), and supports point-in-time recovery. If the worst happens, you can restore to any point in time. Only Super Admins can access this.

Backup configuration

Manual backup

1. Navigate to Admin → Backup
2. Click "Create Manual Backup"
3. Wait for completion (typically 30-60 seconds)
4. Download encrypted backup file
5. Verify integrity via checksum

Restore procedure

1. Navigate to Admin → Backup → Restore
2. Select backup file (local or upload)
3. Enter GPG decryption key
4. Confirm by typing "RESTORE"
5. Wait for restore completion
6. Verify data integrity
7. Check audit trail for restore event