Blackthorn GRC Limited

Audit Case Management

No matter what is being audited, transparency, collaboration and remediation are key. This tool helps manage audit activities and data across the whole life-cycle, from planning and execution to remediation and reporting. It covers compliance, IT, supplier, and quality audits as well as ISO compliance. UK hosted up to IL3/OFFICIAL.


  • Built on core modules
  • Easily extendable and customisable
  • Intuitive, clear user interface with user configured reports and dashboards
  • Create/implement action plans to resolve audit or controls failures
  • Drill-down; detail accessible but not at expense of clarity
  • Workflow to ensure methodical and repeatable execution
  • Tools for assigning, managing and reporting on remediation activities
  • Review and approve audits for audit and compliance control programs
  • Sophisticated RBAC to ensure secure partitioning of information
  • Routing through questions based on earlier answers


  • Easy identification across organisation of systematic audit failings
  • Re-use of question-sets across audit plans/types
  • Increased visibility through internet browser access
  • Optimised time management with workflow, task assignment and user alerting
  • Improved data integrity with cross-checking and data validation on entry
  • Full audit trail ensuring users fully accountable for their actions
  • Secure storage of data with channel encryption on remote links
  • Clean, intuitive user interface reducing any training requirements
  • Wide range of supported platforms e.g. tablet, laptop, desktop
  • Detects emerging trends and manages risk


£45 to £65 per licence

  • Free trial available

Service documents


G-Cloud 11

Service ID

163843163613273


Blackthorn GRC Limited

Nigel Adcock


Service scope

Software add-on or extension No
Cloud deployment model
  • Public cloud
  • Private cloud
  • Hybrid cloud
Service constraints If you require a service hosted at 'Assured' (IL2) or 'Protect' (IL3) level, your IT network infrastructure will require a connection to the Public Sector Network (PSN-A and PSN-P respectively) and your firewalls will need to be configured to allow traffic to and from our data centres.

An SSL certificate is required, which will need to be requested by your IT department, to ensure encryption of data in transit.
System requirements
  • Browser (minimum Windows 7 with IE8 or Chrome)
  • Suggested connection speed of 1Mbps per concurrent user
  • SSL Certificate

User support

Email or online ticketing support Yes, at extra cost
Support response times Support requests made by email or online are acknowledged within 30 minutes. Our acknowledgement will include a preliminary 'severity classification' based on impact to your operations: P1 (major business impact) through P4 (no discernible business impact). Initial (detailed) investigation response times and full resolution response times are tiered, based on impact (P1 to P4). Please see the Service Description for more information. Support is administered 9/5 or 24/7 depending on the support package purchased. If on 24/7 support, the above response times also apply at weekends.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Our Silver support level offers our clients access to support 9am -5pm.
The cost of Silver Support varies according to user numbers and starts from £498 a month.
For clients who need on-call 24/7 support, we do offer a Gold level support package for P1 (business critical) and P2 (business significant) support issues. This provides direct access to technical support engineers as and when needed and enables maintenance windows out-of-hours.
The cost of Gold Support varies according to user numbers and starts from £6,498 a month.
Further details can be found in the Service Definition and Pricing Guide documentation.
Support available to third parties Yes

Onboarding and offboarding

Getting started Self-service, on-line training is provided as standard. Users are provided with a URL (to the application), a training account ID and a temporary password. The URL points to a dedicated training system that has been pre-configured for training purposes.
Training material is provided to guide participants.
Classroom training, either using generic materials or bespoke packages developed in partnership with the customer, is available at additional cost.
Service documentation No
End-of-contract data extraction Users are able to export the underlying database in CSV format. Information can be selectively extracted using Blackthorn's reporting functionality and user configurable filters. Additionally, a backup of the application database (MS SQL) is supplied in an unencrypted format.
End-of-contract process A backup of the MS SQL Database will be provided as part of off-boarding and at no additional cost.
Should you require assistance to migrate the database content to a new application or platform, we will be pleased to assist. Such assistance, available under Lot 3 is at additional cost.
Servers used to deliver the retiring service (production, development, test, acceptance etc.) will be securely wiped and repurposed.
Any legacy backups not retained by the customer will be identified and securely wiped.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service At present we have only a single web application which is designed to work on devices with a permanent network connection. The web application will not work off-line.

We do have an iOS application in development, offering reduced functionality but the ability to work off-line. Please speak with us for further information.
Service interface Yes
Description of service interface Browser based.
Accessibility standards WCAG 2.1 AA or EN 301 549
Accessibility testing We have experience of integrating our solutions with assistive technologies such as Dragon. Much of our HTML coding incorporates the ‘tags’ required by assistive technologies to help people with disabilities either access or enter information. Additionally, we have designed into our software features to aid use e.g. improved contrast and visibility for the hard of sight. Our policy to date has been to work with individual users experiencing accessibility problems and to find solutions that meet their specific needs. Incrementally, therefore, we are making our software compatible with applications that aid access but as yet have not achieved 100% coverage. It is our intention to continue with this approach.
What users can and can't do using the API We have a number of API services for consumption by third party applications.
Where Blackthorn functions are supported by an API service, the functions behave and operate as if a user was logged directly onto the application.
API requests must be serviced by a standard user account (not system account) so that there is an auditable history of all actions invoked remotely. The user account can be dedicated to API requests, or an actual user's account can be used. In both cases, the account must be marked for API usage and a separate application key is required.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The application has a flexible user interface that allows terminology, workflow, taxonomies, form layouts, surveys, team structures etc. to be tailored to an organisation's individual needs.
A general user account, with appropriate account permissions, can configure dashboards, exports, mail merge reports, surveys etc. using an intuitive, filter based interface.
An administration account, with appropriate account permissions, can configure via the interface workflow, users, teams, taxonomies, forms layouts, emails etc. again via dedicated customisation interfaces.


Independence of resources The hosting is dedicated with fixed, predefined allocation of platform resources. This eliminates the possibility of memory bursts and contention by other parties.
Application servers are monitored and alerts automatically sent (to us) when a threshold is breached.
During our frequent service and maintenance reviews we assess performance to see if further resource should be allocated based on projections.
Additionally, the underlying architecture of the service is fully scalable allowing additional hardware (application servers) to be brought online if and when required.


Service usage metrics Yes
Metrics types Service metrics are provided covering service availability, memory usage and peak bandwidth demand.

Service responsiveness can also be measured but requires a suitable host machine on which to run the monitoring software. Ideally, this machine needs to be on the customer's network.
Reporting types
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Facilities provided as standard to export data to CSV files.
Filters can be applied to the database to narrow down the data-sets exported at any given time.
Data export formats CSV
Data import formats
  • CSV
  • Other
Other data import formats Email (requires mapping)

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network Where security targets demand that the service is hosted in a secure environment, the level of protection afforded by our Hosting provider is assured through the Government's security accreditation process (pan-government accredited).

Availability and resilience

Guaranteed availability We have SLAs defining targets for initial analysis time and resolution time. The targets are a function of the severity of the incident and therefore vary. Only normal working hours count towards the measurement of response times: for example, if an incident was reported one day and not resolved until the next, the overnight non-working hours would not count in the determination of actual response times.
Response time targets for initial analysis and resolution are provided below for different priorities of incident: Priority 1, 30 minutes and 5 hours respectively; Priority 2, 4 working hours and 8 working hours respectively; Priority 3, 1 working day and 3 working days respectively;
Priority 4, 3 working days and 5 working days respectively.

Should we fail to meet these targets for an incident or KPI 3 or more times, customers are awarded service credits:

3 breaches of targets = 1% service credit, 4-5 breaches = 2%, 6-7 breaches = 3%, 8-9 breaches = 4%, 10+ breaches = 5% service credit.
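
The SLA clock described above, as an added example (not Blackthorn's own code or tooling): a Python check that measures elapsed time in working hours, compares it with the P1-P4 targets quoted in the listing, and maps the number of breaches to the service-credit bands. The working day (09:00-17:00, Monday to Friday, no public holidays), the 8-hour working day used to convert "working days", and the treatment of P1 as wall-clock time are assumptions; the listing only says that out-of-hours time does not count.

```python
from datetime import datetime, timedelta, time

# Assumed working day (the listing does not define one): 09:00-17:00, Monday to Friday, no public holidays.
WORK_START = time(9, 0)
WORK_END = time(17, 0)
WORKING_DAY_MINUTES = 8 * 60

# Targets from the listing as (initial analysis, resolution) in minutes.
# Assumption: P1 targets (30 minutes, 5 hours) are measured on the wall clock;
# P2-P4 are quoted in working hours/days and are converted at 8 working hours per day.
TARGETS = {
    1: (30, 5 * 60),
    2: (4 * 60, 8 * 60),
    3: (WORKING_DAY_MINUTES, 3 * WORKING_DAY_MINUTES),
    4: (3 * WORKING_DAY_MINUTES, 5 * WORKING_DAY_MINUTES),
}


def ts(value: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' (helper so callers need not import datetime)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def working_minutes(start: datetime, end: datetime) -> float:
    """Working minutes between start and end, skipping weekends and out-of-hours time."""
    if end <= start:
        return 0.0
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if day.weekday() < 5:  # Monday=0 .. Friday=4
            window_start = datetime.combine(day, WORK_START)
            window_end = datetime.combine(day, WORK_END)
            overlap_start = max(start, window_start)
            overlap_end = min(end, window_end)
            if overlap_end > overlap_start:
                total += overlap_end - overlap_start
        day += timedelta(days=1)
    return total.total_seconds() / 60


def elapsed_minutes(priority: int, start: datetime, end: datetime) -> float:
    """SLA clock for a priority: wall clock for P1, working hours otherwise (assumption)."""
    if priority == 1:
        return max(0.0, (end - start).total_seconds() / 60)
    return working_minutes(start, end)


def check_incident(priority: int, reported: datetime, analysed: datetime, resolved: datetime) -> dict:
    """Return elapsed times and whether the analysis and resolution targets were breached."""
    analysis_target, resolution_target = TARGETS[priority]
    analysis_elapsed = elapsed_minutes(priority, reported, analysed)
    resolution_elapsed = elapsed_minutes(priority, reported, resolved)
    return {
        "analysis_minutes": analysis_elapsed,
        "analysis_breached": analysis_elapsed > analysis_target,
        "resolution_minutes": resolution_elapsed,
        "resolution_breached": resolution_elapsed > resolution_target,
    }


def count_breaches(incidents) -> int:
    """Count analysis and resolution breaches over (priority, reported, analysed, resolved) tuples."""
    total = 0
    for priority, reported, analysed, resolved in incidents:
        result = check_incident(priority, reported, analysed, resolved)
        total += int(result["analysis_breached"]) + int(result["resolution_breached"])
    return total


def service_credit_percent(breaches: int) -> int:
    """Service credit band from the listing: 3 breaches 1%, 4-5 2%, 6-7 3%, 8-9 4%, 10+ 5%."""
    if breaches < 3:
        return 0
    if breaches == 3:
        return 1
    if breaches <= 5:
        return 2
    if breaches <= 7:
        return 3
    if breaches <= 9:
        return 4
    return 5


if __name__ == "__main__":
    # Constructed sample: a P2 incident reported late on a Friday and resolved on Monday morning.
    # Only Friday 16:00-17:00 and Monday 09:00-11:00 count, so resolution took 180 working minutes.
    print(check_incident(2, ts("2019-05-10 16:00"), ts("2019-05-13 10:00"), ts("2019-05-13 11:00")))
```

Note that an incident reported at 18:00 and first analysed at 08:00 the next day has zero elapsed working minutes under these rules, so a buyer checking vendor SLA reports needs the vendor's exact definition of the working day before comparing figures.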

We are also able to provide 24x7 support; full details are in the accompanying product description documents.
Approach to resilience Our application runs in a virtualised cloud environment. If a virtualised server fails, such as a web server, other web servers within the virtualised environment will take up the load until a new instance of the failed server can be brought back on line (minutes).
If the primary data centre is lost, real-time data replication to the DR data centre ensures continuity of service with a short Recovery Point Objective (RPO). The DR facility is normally passive and has a Recovery Time Objective (RTO) of less than 4 hours. Within this recovery time, a fully operational mirror of the Production service can be up and running.
Our enhanced offering comprises multiple production web servers, so in the event one fails, the others can continue. There are also TMGs (Threat Management Gateways) and IPS units, and a DR site which can be used for fail-over.
Outage reporting We have monitoring services installed on servers within the data centre but outside the main production environment. These monitoring services call APIs on the application to determine its health. If the application is non-responsive, the monitor alerts us by email. Our service desk email is continuously monitored by support staff (mostly 24x7) to ensure outages are detected as early as possible and an appropriate recovery plan is executed.

The hosting provider also has monitoring software with realtime dashboards, copies of which are made available during each monthly service review meeting.

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
  • Other
Other user authentication This service is provided over the PSN. Certain areas of the product can be made authentication free (such as surveys and alerts).
Access restrictions in management interfaces and support channels Support access is not over the PSN but via a VPN tunnel with client certificates and a number of jump boxes, which allow access to a separate virtual network on which the VMs sit.

All internal and external firewalls are limited to only those ports and IP addresses that are required.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication Access restricted by IP address.

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Hosting infrastructure accredited to NCSC Pan Government Accreditation (PGA) level
  • Cyber Essentials +

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards HMG Information Assurance Standard 1
Information security policies and processes Bespoke Security Operating Procedures developed to support security accreditation of the service and approved for use by a Government Security Accreditor.
Hosting infrastructure Pan-Government accredited.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We normally adopt the Change Management Process of the organisation owning the data, to ensure that our change management processes align fully with those of the customer. We do not make changes to the service without the prior approval of the customer's Change Approval Board.

Change and configuration management is managed using industry-standard, cloud-based tools supported by procedures identifying gatekeepers and associated controls.

Our Software Development Life-cycle includes post-implementation reviews which are conducted by engineers familiar with OWASP guidance on secure web coding practices. All code is assessed for impact and regularly penetration tested for vulnerabilities.
Vulnerability management type Undisclosed
Vulnerability management approach Threat assessments are carried out at least annually to support the annual security testing of the application. Government websites and industry associations are used to maintain awareness of the changing threat landscape, especially in respect of cyber threats. The threat assessment results are used to inform the scope of the annual security testing.

Operating system patches are installed by our Cloud Hosting Partner one month in arrears, to avoid any zero-day issues. The process followed meets Pan-Government accreditation requirements.
Protective monitoring type Supplier-defined controls
Protective monitoring approach The cloud hosting environment incorporates a Threat Management Gateway and Intrusion Prevention (IPS) monitoring. Protective monitoring (aligned to GPG 13 - DETER) is implemented at data centre hypervisor level.

The Hosting provider's Service Desk or NOC operations will acknowledge incidents and advise on the tests and actions required to mitigate the incident, consulting as necessary with other IT representatives and/or third parties. If unable to resolve, the incident will be escalated to the team leader of either NOC operations or the Hosting provider's Service Desk team.
Escalation for Priority 1 incidents occurs within 30 minutes; for Priority 2, within 3 hours.
Incident management type Supplier-defined controls
Incident management approach We use an instance of the Blackthorn Case Management Tool to monitor and track incidents. Each type of incident has its own pre-prescribed workflow for incident management.

Incidents can be raised through our web portal, emailing our support desk, or by calling our support desk phone number.

A management report is provided each month with figures indicating how we have performed against our SLA.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks Yes
Connected networks
  • Public Services Network (PSN)
  • NHS Network (N3)
  • Health and Social Care Network (HSCN)


Price £45 to £65 per licence
Discount for educational organisations No
Free trial available Yes
Description of free trial This service is hosted with a commercial service provider and should not be used to run trials with confidential / protectively marked (PM) information. All test data should be anonymised before uploading. We do not guarantee the availability of the service.

It includes the full functionality that the production system will have.
