CyberRMP is a GRC software company offering organisations cyber security governance, risk management and compliance capabilities through SaaS. Our unique proposition is built on connecting cyber security controls and data sources to automate risk assessments for legacy, hybrid and cloud environments. We help with standards such as GDPR, PCI, ISO, NIST, CIS benchmarks, Cyber Essentials and third-party vendor security.


  • Cyber security posture of projects and of the entire organisation.
  • Assess application security at the development stage by shifting security left.
  • Speed up information security risk assessments.
  • Track in-progress and completed assessments.
  • Generate different types of reports to establish cyber security posture.
  • Perform third-party vendor security assessments.
  • Connect to different tools using connectors such as AWS and Jenkins.
  • Achieve regulatory compliance using ISO and CIS assessments.
  • Increase employees' security awareness through a proper DevSecOps training channel.
  • Track all the organisation's cyber risks in one place.


  • Perform CIS benchmark assessments using the AWS cloud security posture tool.
  • Perform CIS benchmark assessments using the Azure cloud security posture tool.
  • Perform CIS benchmark assessments using the Google Cloud security posture tool.
  • Perform container security assessments for Docker and Kubernetes using the container scanning tool.
  • Perform GDPR assessments and gap analysis using the assessment checklist.
  • Perform Payment Card Industry standards assessments using the PCI checklist.
  • Prepare risk assessment reports for projects using ISO and NIST controls.
  • Centralise risks in a risk register and track them to closure.
  • Send third-party assessment controls to suppliers before onboarding.
  • Connect to IDAM tools, incident management tools, JIRA and cloud platforms.


£20,000 an instance a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@cyberrmp.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

248938037400360


Telephone: 07438295181
Email: info@cyberrmp.com

Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements
Modern browser (Chrome, IE 11, Edge, Firefox, Safari)

User support

Email or online ticketing support
Email or online ticketing
Support response times
We respond to our customers within a maximum of 24 hours, on weekdays and weekends, for the services we provide.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Normal technical support included during business hours.

Premium support incl. functional and content support negotiated based on individual customer requirements
Support available to third parties

Onboarding and offboarding

Getting started
We provide user documentation guides for clients to start using our services.
Service documentation
Documentation formats
End-of-contract data extraction
Users will need to email us to request that their entire data set is wiped from our servers. Our support team has a defined procedure for this process. If users want to download reports, they can download all reports from our front-end web application.
End-of-contract process
We work on a subscription basis. There are no additional costs to cancel the subscription. If customers want us to move their data to their own servers, they will need to pay for the data transfer based on the cloud model they follow. We also offer the option to securely copy data to tape at no cost and send it to the customer via a tracked delivery service.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Responsive web application, so adapts automatically to different screen sizes.
Service interface
What users can and can't do using the API
We have APIs, but users cannot use or change them. All interactions go through our cloud-hosted web application. If customers need public APIs we can support this; it is on our roadmap.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
Content and certain user interface elements can be customised by customers.

Further customisations require professional services support.


Independence of resources
Our application is hosted on AWS and we scale our instances based on user load. If we see higher utilisation, new instances are launched automatically from our AMI images so the application scales to handle demand.


Service usage metrics
Metrics types
Customers can download the different project assessment reports using our reporting page. They can access reports from our dashboard or request them by emailing our support team. Available reports include in-progress GRC assessments, completed assessments, key risk indicators, maturity level reports by project, and maturity level reports by area such as identity and access management, network security, data security, application security, cloud security and container security.
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
Users can export data, including the list of projects and the list of users, in Excel or CSV format. We can also work with customers to read their data in JSON format and upload it into our web application. We have custom-built APIs for exporting data in different formats.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
We provide 99.5% availability between 8AM and 6PM. We have the capability to reach 99.999% uptime. We provide this availability based on SLA agreements. Our support team will do their best to resolve issues within a 24-hour time frame. If we still don't meet the contracted availability levels, we can provide a rebate of 10% discount on the monthly invoice amount.
Approach to resilience
We built our AWS architecture to be highly available and fully resilient across the application and database layers. We use auto scaling, Multi-AZ deployment and load balancing of servers to be fully resilient across the entire architecture.
Outage reporting
We generate email alerts.

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Only authorised users can provide support when a client needs it. We use role-based access and perform audits every month. We also monitor account login activity. We mandate multi-factor authentication for access to admin interfaces and support tools.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We use ISO ISMS controls, CIS cloud benchmarks and the Cloud Security Alliance Cloud Controls Matrix to self-assess our governance standards.
Information security policies and processes
Our information security policies cover asset management, access control, cryptography, security operations, network security, system acquisition, development and maintenance, logging, third-party security and information security compliance.
We follow CIS, ISO ISMS and CCM standards.
We maintain a central register of all software and hardware assets, an acceptable usage policy, and an information classification and handling policy.
All access is subject to a lifecycle management process including authorisation, provisioning, review, annual re-certification and revocation.
All access is granted on the principle of least privilege.
Encryption must be used to protect data at rest and in transit.
All systems must implement an approved and managed anti-malware capability with regular updates and centralised reporting.
All inbound email is subject to security controls to maintain integrity and security.
Physical security controls are implemented to prevent unauthorised access to networking and server infrastructure.
All systems must be time-synchronised to a single approved source, and systems should log according to the defined security use cases.
Security must be integrated into every stage of the development lifecycle, following OWASP standards.
Source code and repositories are protected.
Third-party security risk assessments must be performed for all new third-party relationships.
All new projects, and changes to existing projects, undergo a data privacy and information security assessment before going to production.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
We ensure all changes are correctly configured and integrated, with security as a key requirement.
Failure to adhere to this leads to inconsistent deployments and increases the likelihood of compromising the confidentiality, integrity and availability (CIA) of business systems.
All configuration changes are performed by approved personnel. We remove or disable unnecessary accounts.
We change default passwords, remove unnecessary plugins, disable scripts, disable the auto-run feature and use CIS hardened images.
We capture all information relating to change management in a single system of record for auditing purposes.
We classify change requests into categories: standard (low risk), normal and emergency changes.
All changes must go to the CAB for review, assessment and authorisation.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We follow a vulnerability management process to detect and remediate vulnerabilities in a timely fashion.
We perform continuous assurance using tools such as Burp Suite, OWASP ZAP, Dependency-Check and Tenable.io.
Once a vulnerability is identified, a JIRA ticket is raised.
The development and security teams triage it and create a user story in the backlog.
The development team estimates the effort to fix and agrees the best timeline, taking a risk-based approach that considers alternative security controls.
Once the defect is fixed, the security team retests the vulnerability.
We follow an SLA process with issue ratings of critical, high, medium, low and info, and fix issues promptly within the SLA timelines.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We perform protective monitoring to provide risk- and intelligence-based alerting on all log events.
We collate all system logs, network logs, technical logs and logs from different tools into a centralised syslog system and raise alerts using the ELK stack.
All logs are timestamped, protected from unauthorised changes, encrypted, backed up and archived, and transmitted securely and reliably.
We monitor endpoint, authentication, email, VPN, NetFlow, proxy, web, application, database, antivirus, IDS and IPS logs.
We create a set of use cases to generate security events and raise alerts.
All alerts are triaged and, if an event is of interest, an incident is created and worked on to recover from the incident based on priority (P1, P2, P3).
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We follow a six-step incident management process: preparation, identification, containment, eradication, recovery and lessons learned.
We prepare by creating policies, procedures and playbooks along with exercises and training.
Once we have established who, what, where, when, why and how during identification, we contain the incident by locking accounts, isolating devices, terminating network connections or shutting down systems and servers.
Once the issue is eradicated, we recover and restore business as usual, and learn lessons based on the work performed during the incident.
Users can report incidents to the support email address given in the contract document and can also speak with their dedicated manager.
We provide weekly, monthly, quarterly and annual incident reporting, which includes mean time to respond, mean time to resolve, number of incidents, severity, incident type, source and location.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£20,000 an instance a year
Discount for educational organisations
Free trial available
