SYMBIANT LTD

Risk, Audit and Compliance Management software

Modular online (cloud based) software for the management of Audits, Risks and Compliance. Modules include Custom Data Entry, Risk Registers, Incident Reporting, Questionnaires, Assessments, Indicators, Control and Policy Management, Control Assessments and Testing, Working Papers, Audit Tools, Audit Planning, Action Tracking, Time-sheets, Audit Universe, Project Management, Document Management, Collaborative tools

Features

  • risk
  • audit
  • policy
  • compliance
  • incidents
  • cloud based
  • controls
  • reports
  • bespoke
  • heatmaps

Benefits

  • Customise forms as required
  • Collaborate
  • work offline
  • Bespoke Reports
  • Create new data entry forms as required
  • share data between risk, audit, compliance and governance
  • SHE, DPIA, Due Diligence, Action Tracking
  • custom reports
  • Auto notices and emails

Pricing

£1 to £20 a user

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mlong@symbiant.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

1 1 8 8 6 8 4 1 0 0 3 2 4 9 4

Contact

SYMBIANT LTD Mark Long
Telephone: 0113 873 0193
Email: mlong@symbiant.co.uk

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
No
System requirements
HTML5 compatible browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
24/7/365
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
No
Support levels
Support is included
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Video and online training
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Export
End-of-contract process
Data is destroyed.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Menus and screen size
Service interface
No
API
No
Customisation available
Yes
Description of customisation
Layouts and wording by administrator level users

Scaling

Independence of resources
We use AWS EC2 auto scaling which gives extra resources as required.

Analytics

Service usage metrics
No

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Using the export or reporting functions
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • HTML
  • PDF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
99% update and availability. Pro-rata time is credit back to the client if we miss this level
Approach to resilience
Information on this is available on request.
Outage reporting
A public dashboard

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
We have a defined security policy, all management and support access is protected by Multi-factor authentication with views and privilege levels based on the users role within the business.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
Ernst and Young
ISO/IEC 27001 accreditation date
05/11/2019
What the ISO/IEC 27001 doesn’t cover
Locations outside of the data centre
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
ISO/IEC 27001
Information security policies and processes
We have a published IT Security Policy, which is GDPR compliant and a Data Protection Policy (GDPR Compatible).
These documents provide full information and are available from our web site.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Procedures exist to provide that only authorized, tested, and documented changes are made to the system. We have a isolated testing environment to ensure all changes are fully tested before being made live.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We perform various tests including penetration testing and vulnerability scanning. We deploy any security patches within 48 hours. Threat information is provided by the industry standard testing software.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Our servers are monitored 24/7 for any potential issues including hack attempts. If a potential security issue is discovered immediate action is taken to block the attack. Security incidents are responded to immediately.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have automated system to log all network events and dedicated software for users to log incidents and for them to be managed and escallated as required. All incidents have a tracking cycle to ensure the correct course of action is taken to resolve issues to a satisfactory conclusion.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£1 to £20 a user
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
30 day full system free trial
Link to free trial
https://www.symbiant.co.uk/free-trial/

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mlong@symbiant.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.