Xyone Cyber Security


Mitigate is an innovative internal risk mitigation solution, which has been certified by the UK’s Government Communications Headquarters (GCHQ). Mitigate calculates and presents level of internal risk according to a range of metrics from Cyber, Compliance and GDPR. Mitigate reduces risk and strengthen's resilience within organisations.


  • Real time risk reporting
  • Measure internal risk
  • Policy management
  • Employee and admin dashboard
  • Detailed user reporting
  • 16 GCHQ Certified training courses
  • Template cyber security policies
  • Policy enforcement & generator tool
  • Algorithm for assessing resilience
  • User assessments


  • Improve internal compliance
  • Build internal resilience
  • Reduce internal cyber liability
  • Employees receive GCHQ certified training certificate
  • Policy management process is ISO 27001 & GDPR compliant
  • Improves HR efficiency
  • Presents audit trail for insurance, compliance and GDPR purposes
  • Count towards CPD points
  • Save time and cost
  • Updates annually and regulatory changes


£2.50 per user per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11


Xyone Cyber Security

Zain Javed

0333 323 3981


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints N/A
System requirements
  • Access to the Internet via browser
  • Valid email address

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Mon-Fri: Response time up to 24 hours.
Sat-Sun: Response time up to 48 hours.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard: Mon-Fri 9-5 - Response up to 24 hours. Support available by email and ticket.

Premium: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket and phone.

Bespoke: Mon-Fri 9-5 - Response up to 8 hours. Support available by email, ticket, phone and on-site. Additional Cost. Dedicated account manager.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started For end users, they have access to a user guide and built in walk through when logging into solution for the first time. A get started and continue button is built into the solution to allow users to 'pick up where they left off' when logging back in.

For client admins remote and on-site training is provided. User documentation is also provided to assist with the roll out of the Mitigate solution.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction The client raises a support ticket and mitigate support will export all requested data and provide this in a suitable format for the client.
End-of-contract process The client will go through the renewal process and if the client decides not to renew the data is stored in line with GDPR unless the client has requested permanent deletion.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Service interface No
Customisation available Yes
Description of customisation Clients:
e-Learning content can be customised at additional cost. This can include the following customisation's: Branding, Text Changes, Translations, Audio Voice Overs, Video Embedding.
This customisation is controlled by Mitigate Support and no user can customise the e-learning content directly.

Client admins can also customise their own training, assessments and policies.

Re-sellers of the Mitigate solution can customise the logo, re-seller web interface login to be hosted on the re-sellers sub domain.


Independence of resources As we our services are based on AWS we can theoretically expand and contract our server pool to meet expectations. Our development team is looking into ways of making this more efficient to do, moving more resources into the cloud.
The development team is also looking at AWS Shield and Web Application Firewall, to improve our capability in this area.


Service usage metrics Yes
Metrics types Real-time dashboard and risk scales.

Real-time report generation
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users cannot directly export their data.

If a user wishes to get access to exported data they submit a request to the support team who will supply this information directly.
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The Company shall provide at least a 99.5% uptime service availability level (Uptime Service Level). This availability refers to an access point on the Company hosting provider’s backbone network. It does not apply to the portion of the circuit that does not transit the hosting provider’s backbone network, as the Reseller is responsible for its own internet access. Availability does not include

Maintenance Events as described in paragraph 2.1 of Schedule 6, Reseller-caused or third party-caused outages or disruptions (except to the extent that such outages or disruptions are caused by those duly authorised third parties sub-contracted by the Company to perform the Services), or outages or disruptions attributable in whole or in part to force majeure events within the meaning of Clause 18.

3.1 If availability falls below the Uptime Service Level (as defined in paragraph 1 of Schedule 7) in a given calendar month (Service Delivery Failure), the Company shall credit the Reseller’s account by an amount calculated as the product of the total cumulative downtime (expressed as a percentage of the total possible uptime minutes in the month concerned) and the total Monthly Hosting Fee and Monthly Software Licence Fee owed for that month (Service Credit).
Approach to resilience Information available upon request
Outage reporting Email alerts are issued to company admins and user reporting any minor or major incidents.

Users are kept up to date depending on the stage of the incident
Fix Released

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels There are various different user roles with access to management interfaces and support channels.
Mitigate support team has access to front end support and there are two levels of Mitigate support:
Support Admin
Support SuperAdmin

For the back end, this is limited to the development team and is restricted to the office IP. There is also 2-Factor Authentication enabled.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Other
Description of management access authentication Restricted to IP address

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Alcumus
ISO/IEC 27001 accreditation date 19/09/2014
What the ISO/IEC 27001 doesn’t cover Accounting
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Plus
  • GCHQ Certified Training

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials Plus
Information security policies and processes We use our internal Mitigate software to train, test and store policies available to all employees in Xyone. It is mandatory training for new starters to complete the training and sign the relevant information security policies. The following policies are on the Mitigate portal:
Password policy; Communications Policy; Internet Usage Policy;
Information Classification Policy; Cryptographic Controls Policy; Back-Up Policy;
Social Engineering Policy; Disposal & Destruction Policy; Clean Desk Policy;
Remote Working Policy; Public Wi-Fi Policy; BYOD Policy;
Data Protection Policy;

The mitigate portal tracks user compliance and logs when users sign each policy. If a policy is updated on the portal then 'Compliance' status is revoked and users are alerted to re-sign the relevant policies.

It is a requirement that all training, assessments and policies are taken at a minimum of every 12 months.

More information on Mitigate can be found here which has been certified by GCHQ- https://mitigatehub.com/

As per our ISO 27001 accreditation and Cyber Essentials Plus accreditation we have to provide evidence that our information security policies are not only in place but up to date and understood by all employees.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The specification is put forward to Management. A course of action and priority are decided by them and development team. This committee will also factor in predicted development time and number of users affected to decide a project ordering.
Once development is completed and tests run, new features are deployed to a live-like staging area.

Deployment and user tests are carried out.

If this passes with no incident the new feature is merged into the main codebase and put live at the next available window.
After that we are reliant on error catching software and customers to identify future issues.
Vulnerability management type Supplier-defined controls
Vulnerability management approach On a regular basis we make use of code reviews to make sure there are no glaring vulnerabilities. As part of the ongoing project maintenance we make sure that the underlying software our projects rely on is kept up to date.

The error catching software used to find errors can be used to discover vulnerabilities and when on is discovered a fix is written, tested and deployed with the higher priority. Critical and high level vulnerabilities are patched immediately. Threat alerts gathered from university research.

Finally, we penetration test the portal at a minimum quarterly and on every major release.
Protective monitoring type Undisclosed
Protective monitoring approach As our resources AWS we make use of the monitoring tools to observe several different diagnostics. Should one of these diagnostics change dramatically we’ll investigate to find the cause and deploy any patches required.

Critical and high level issues are investigated on the same day.

We are currently investigating the use of additional AWS services to streamline this process.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach ISMS Section 16 Incident Management process is followed. Users can report incidents through our support functionality and built in support ticketing system. In the case of major incidents, immediate notification to the CTO/ISM is required in order to ascertain how best to contain and rectify the incident.

Incident reports are logged and stored in line with our ISMS as part of our ISO 27001 certification.
Incident reports are documented and stored internally. If requested users can ascertain redacted incident reports.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £2.50 per user per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Free 14 day trial with access to 3 cyber security modules, 1 assessment and 1 policy.

No certificate of completion.

Service documents

pdf document: Pricing document pdf document: Terms and conditions
Service documents
Return to top ↑