Sword Active Risk

Sword GRC

Sword GRC provides a market leading platform for;

Risk Management (Operational, Project & Enterprise),
Audit Management,
Policy Management.

Our products address the requirements of all market sectors and deliver a versatile range of solutions that support better business decision making.

We offer deployment in the cloud or on-premise.


  • Support for both Threat and opportunity management
  • Specialised ability to deliver project objectives
  • Qualitative and Quantitative analysis of risks
  • Linked Risk, Assurance and Incident processes
  • Full ISO 31000, Orange MoR and COSO compatibility
  • Realtime message alerting
  • Dynamic filtering of information and dashboarding
  • Financial and non-financial risk aggregation of any type of risk
  • Support for multiple risk processes
  • Unique ability to deliver quantified value of risk management


  • Reduced costs
  • Increased revenue
  • Increased corporate transparency and accountability
  • Compliance with key risk management and auditing standards
  • Risk based management of all compliance obligations
  • Increased ability to deliver organisational objectives with certainty
  • Increased confidence by executives that governance is being performaned
  • Reliable internal control frameworks and business contunity plans
  • Assurance driven three lines of defence risk model
  • Greater success of projects by integrating risk into feasibility studies


£550 per person per year

Service documents


G-Cloud 11

Service ID

3 9 8 5 7 2 8 2 4 6 2 7 4 6 4


Sword Active Risk

Joe Monaghan

01628 582500


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Client machines must match the pre-requisites documented for the version of ARM they are using
System requirements
  • Microsoft Windows 7,8, or 10
  • Internet Explorer 9,10, or 11, Edge, Chrome, or Firefox

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Critical issues - 2 hours
High - 4 hours
Medium - 8 hours
Low - 48 hours
24/7 support available at extra cost.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Software support - bugs/issues/queries
Hosting support - Service Pack installation, OS patches
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Full project initiation and structured implementation walk through of installation, process mapping, configuration, data migration and training is including in the service proposals.
Service documentation No
End-of-contract data extraction A database back-up will be provided on request, or customers can export their data out using the tools provided in the software.
End-of-contract process Database backup will be provided if required, and the service will be disabled. After an agreed period of time, the service will be deleted

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Mobile devices access Risk Express, which is a light touch version of the Desktop ARM.

We also have a mobile Incident Capture app
Service interface No
What users can and can't do using the API Replicate the read and write functionality of the ARM software
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Admin users can configure which fields are available to read/write/are mandatory.
Field labels are customisable.
Custom field workflow available for certain functional areas.
Customisable email alerts on events
Custom reporting available


Independence of resources We use Amazon Web Services Elastic Cloud Computing (EC2). Customers each have their own dedicated application server, and a dedicated instance on a SQL database server. The number of instances is limited, to ensure no one server will be affected by user demand.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported into MS Excel, or custom reports can be generated using MS Reporting Services technologies.
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability “Service Credit” means a sum as provided below expressed as a % of 1/12th of the annual Hosting Fees (under the hosting services agreement) or as a % of 1/12th of sums allocated to hosting within the Charges under the Software Term Licence, Support, Hosting and Services agreement:

Greater than 99.5% Uptime NO CREDIT DUE
Less than or equal to 99.5% and greater than 98.5% 1%
Less than or equal to 98.5% and greater than 97.5% 2%
Less than or equal to 97.5% and greater than 96.5% 4%
Less than or equal to 96.5% and greater than 95.5% 6%
Less than or equal to 95.5% and greater than 95.0% 10%
Less than or equal to 95.0% 15%
Approach to resilience Available on request
Outage reporting Automatic email alerts to support desk, who will contact affected customers individually.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Only dedicated members of the support team have access to hosted servers, and the AWS management console requires multi-factor authentication for access. Development, QA, and support environments are hosted on completely separate AWS accounts, so user cannot access areas they do not have permissions for.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 LRQA
ISO/IEC 27001 accreditation date 31/03/2017
What the ISO/IEC 27001 doesn’t cover The marketing and finance aspects of our organisation
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes We follow ISO 27001 standards and requirements. Allocated Information Security Manager is a VP of the company, and Information Security Officer reports directly to him. Where possible, physical or logical controls are in place to ensure policy compliance, and regular training and checks are made for ongoing compliance. Additionally there are regular internal audits, as well as six monthly Surveillance Visits from independent auditors.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes to hosted infrastructure or configuration must go though our change management process, which is a required control in our ISO 27001 implementation. A change request must be submitted and approved before a change can be made. The change control system requires details of the change, a risk assessment of the impact of the change, rollback and testing details, and communication requirements. The person raising the change cannot approve their own change.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Weekly vulnerability scans are performed using Tenable.io. Any critical patches are applied immediately (out of hours), and all servers are patched monthly to resolve any other issues.
We receive regular industry feeds from suppliers and independent providers.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Amazon Web Services monitor the environment for attack. We will be also be implementing additional, more focused monitoring this calendar year.
Incident management type Supplier-defined controls
Incident management approach The support desk handles all incidents initially, and users report incidents directly to them. Any security incident will be escalated to VP Customer Services and Support, who will liaise with the customer on resolution, and also inform them of any breach and corrective actions, and investigation results. Incident reports will be generated on an "as required" basis

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £550 per person per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑