JC Applications Development Limited

JCAD CORE Risk & Compliance Management Software

JCAD CORE is a quick to implement and simple to use "off the shelf" solution for risk and compliance management used by both the public and private sectors.

Our end to end solution includes all necessary software, services and support.


  • Enterprise Risk Management
  • Incident & Issue Management
  • Internal Control Management
  • Opportunity Management
  • Audit Recommendation Management
  • System generated emails for reviews, events and approvals
  • Realtime interactive dashboard & reports
  • Configurable
  • Quick to implement
  • Can utilise, ISO31000, COSO, OGC & IRM guidance


  • Overview of all areas of compliance in one place
  • Tailored to your own framework, terminology, structure and categories
  • Ensure no task or activity is missed
  • Provides a business-wide standard format for ERM
  • Easily demonstrates compliance
  • Removes need for multiple spreadsheets
  • Easily compare and analyse risk performance across the business
  • Entire organisation can view reports if necessary
  • Aligns risk to corporate objects
  • Enables linking between registers for a holistic view of risk/compliance


£4500 per licence per year

Service documents


G-Cloud 11

Service ID

3 6 9 2 5 0 6 2 4 9 5 4 8 5 7


JC Applications Development Limited

Phil Walden

01730 712027


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements Access to IE8 and above, Safari, Chrome or Mozilla browsers

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Our support desk runs 9 - 5.30 Monday through Friday. We guarantee immediate acknowledgement and fix within 4 hours. If this is not possible we keep the client informed and there is a defined escalation process that is followed for serious issues that can not be resolved within 24 hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels SLA for response times is based upon severity level.

Urgent/High Impact problem - Within 1 Business day
System Down/Database outage - Immediate
Informational/Request for information - Within 1 Business day
Important/Important issue that does not have significant current impact - Within 1 Business day
Critical/Significant customer impact - Within 2 Hours

Costs for the support detailed above are included within our maintenance fee.

Each client will have access to an Implementation Consultant and an Account Manager as well as the dedicated support desk. Should the issue lie with our hosting partners then JCAD will work with them to resolve. A separate SLA is available for this partner, UKFast Ltd.

On site support is charged at £560 for a half day (4 hours) or £980 for a 7 hour day.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Due to the nature of the system being "off the shelf" we adopt a standard approach to implementation which means that it can be achieved quickly and with a low resource from the client.

The basic approach is as follows.

1. Client receives access to evaluation site to enable review of system prior to configuration
2. Pre-implementation meeting (remote or onsite) with assigned consultant to discuss configuration and to provide sufficient training to enable this review.
3. Over the course of an agreed timeframe - consultant and client will agree relevant customisations
4. JCAD configures database based upon discussions
5. Prototype database created
6. Further training provided to enable prototype testing (remote or onsite)
7. Changes made if necessary
8. System goes live

We would normally expect an implementation to go live within 4 - 12 weeks.

Online documentation is provided as part of the system and this can be amended to fit the clients own framework.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The system can export most records to HTML or Excel. Alternatively JCAD are able to provide a copy of the data in a similar format at no charge should the client wish to terminate the contract.
End-of-contract process Once the contract is terminated, all access to the cloud service will be denied. If requested within 6 months of termination JCAD will provide a data export (at no charge) of risk and control data in .csv, html or Excel format.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices No
Service interface No
Customisation available Yes
Description of customisation Our application is able to be configured to meet with the risk & compliance framework in place at the client. We do not enable the wholesale customisation of the actual system just the components necessary for ERM. For example, organisation structure, terminology, categories, matrix and viability of certain data capture fields.


Independence of resources We operate in a scalable environment whereby resources can be distributed to servers as usage on those resources increases. Clients are deployed in segregated environments to limit any interference between implementations. There is also dedicated server environment options for clients if required.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance None

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency Less than once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach If necessary then data can be easily exported from within the system grid views to Excel. This takes the fields & data within that view and exports to Excel. Graphs within the interactive dashboard can be output to Word. A data export can be setup from with the Report area (using Crystal) that can export data into HTML, Excel, Word or pdf.
Data export formats
  • CSV
  • Other
Other data export formats
  • Pdf
  • Html
  • Word
  • Excel
Data import formats
  • CSV
  • Other
Other data import formats Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability The infrastructure has 100% network uptime availability. We aim to provided 99.9% Application availability outside schedule maintenance windows.
Approach to resilience Available on request from our partners UKFast Ltd.
Outage reporting Email alerts in event of outage.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication IP restrictions can be applied to restrict access to the application from specific IP ranges.
Access restrictions in management interfaces and support channels Access is restricted to designated support staff at a level required for them to perform their role. A escalation process in place whereby senior staff can also interface if needed.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards Our hosting partner is accredited to ISO27001. JCAD have a information security policy and this forms part of our ISO9001 accreditation.
Information security policies and processes We have an information security policy which is applied by our consultants when working with client data. The same policy is used in relation to our own data.

Our Head of Operations and MD are responsible for each of these respectively. Any breaches or issues will be reported to one of them.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All our services are monitored through threshold capacity monitoring on CPU, RAM, HDD and server availability monitoring with live SMS and email notification to support staff.

Any server changes go through a change control and risk assessment process and are logged.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Our servers have independent penetration tests performed to highlight any potential vulnerabilities.
Patches are can be deployed within a short period of time to address any vulnerabilities.
Potential threat information is obtained from best practice review and industry focus based literature.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Potential compromises can be highlighted by industry focus literature, client feedback, penetration testing. Any potential compromise will be reviewed for mitigation requirements and based up the level of risk addressed within a short period.
Incident management type Supplier-defined controls
Incident management approach Incidents are recorded and assessed for root cause, resolution actions and resolution effectiveness. Common events are handled by our support team and incident tracking systems. Users can report incidents to our support team by phone or email during support hours.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £4500 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Access to a time agreed evaluation copy of the standard system - password required. A low cost POC (proof of concept) can also be organised.
Link to free trial https://demo.jcadcore.com/LogOn.aspx

Service documents

Return to top ↑