pam (Information Security Management System online)

An online secure information security management system (ISMS) and data privacy solution with tools, policies and frameworks to meet governance, regulatory and compliance needs for the internal ISMS and supply chain collaboration, covering ISO 27001, EU GDPR, NIST, business continuity planning, audits and reviews, and staff information security communications.


  • Information Security Management System (ISMS) delivered securely by cloud
  • Collaboration tools: version control documents, tasking, discussions, notes, KPIs
  • Risk identification, evaluation and treatment based on confidentiality, integrity, availability
  • Policies, controls, requirements repository and approval workflows
  • Supplier relationship management, contracting, contact management, supply chain control
  • Project working, privacy impact assessments, prebuilt security frameworks
  • Security incident management, EU GDPR strategic compliance and privacy
  • Audits, improvements, corrective actions, tracking tools, subject access requests
  • Staff communications, awareness and engagement tools
  • Actionable ISO 27001:2013 policies & controls to Adopt, Adapt, Add


  • Always on secure cloud information security management system (ISMS)
  • All in one place ISMS saving time and reducing risk
  • Prepopulated with actionable tools, policies and frameworks
  • Easy to use, little or no training, low total cost
  • Describe and demonstrate information security and privacy practices
  • Mitigate risk of ICO and EU GDPR fines and penalties
  • Collaborate internally and through the supply chain
  • Easy to add and remove users, upgrade or downgrade scope
  • Manage multiple standards and other government IS requirements
  • Encourage suppliers to follow your information security policies


£1000 per instance per month

Service documents

G-Cloud 10



Public Service Team

01273 041 042

Service scope

Software add-on or extension No
Cloud deployment model Hybrid cloud
Service constraints N/a
System requirements
  • Access to the internet
  • Web browser

User support

Email or online ticketing support Email or online ticketing
Support response times Standard response times between 9-5 Monday to Friday are:

• Severity Level 1: 1 Business Hour
• Severity Level 2: 4 Business Hours
• Severity Level 3: 8 Business Hours

Out of hours phone support for priority 1 issues provided at evenings and weekends.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard SLA support is included within the subscription licence for the cloud service. That includes first line administrator support, second line telephone and email support as well as third line detailed technical support. We are not obliged to provide end user first line support but regularly do it as a goodwill gesture for clients if calls do come in. The service is very easy to use and requires little support but if required we can also provide onsite support and coaching by exception which is outlined in the SFIA rate card.
Support available to third parties Yes

Onboarding and offboarding

Getting started We have an easy start process that includes:
1 - planning adoption call if required (for more sizeable procurements)
2 - automated services set up, i.e. preconfiguration to make the start almost frictionless
3 - customised online welcome messages for users
4 - online help and tours
5 - adoption guides and online training where required
6 - check in services by the customer account manager
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Video
  • Powerpoint
End-of-contract data extraction Users do not need to wait until their contract ends; they can extract their data at any time. Extraction can be done in numerous ways:
- printing and downloading of information in recognised file form in line with any uploads made on the platform
- automated report/export by workspace area
- full export of customer information in one or more recognisable formats (subject to approval with the customer administrator to prevent unauthorised full data extraction)
End-of-contract process Customers can simply remove any information they want in line with our easy off processes, or we can do it for them if they have non-standard needs. If we do it for them to meet specific exit requirements beyond our standard process, there may be a small cost, which is always proportionate to the work requested and agreed with the customer in advance based on the SFIA rate table. There is a well-established professional exit process, in line with our UKAS accredited ISO 27001:2013, to ensure the customer has a good exit experience and all data is securely disposed of at the time agreed.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing We have worked with government departments who use various AT to ensure their experience is appropriate given the work being done.

In addition we use a tool called "tota11y" to test the ongoing compatibility of the platform for assistive technologies and the Voiceover application for testing against screen readers.
Customisation available Yes
Description of customisation The service can be customised at two levels:
1 Organisation - by a system administrator. This includes various aspects of the service including security settings, special categories of work for the whole organisation to follow e.g. account settings.
2 User - by the end user themselves to adapt everything from their home page work to very detailed customisation of work areas, categories, workflows etc


Independence of resources Our capacity monitoring has alerting for CPU, memory and disk space. We have measures in place to scale the capacity of an individual server, or to add additional load-balanced application servers within minutes to cope with changes in demand.


Service usage metrics Yes
Metrics types Organisation usage and performance of ISMS, user activity, workspace activity, log-ons, work history and updates, integrated and automated reporting within customer-specific reporting environments and, by separate specific request, the provision of metrics and information through API reporting
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach By clicking a button that says export.
Data export formats
  • CSV
  • Other
Other data export formats Microsoft Office formats
Data import formats
  • CSV
  • Other
Other data import formats Microsoft Office

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability ISMS Online is a web based business application generally available 24x7x365, with expected availability of 99.5% in any one month except for scheduled maintenance (scheduled outside of normal Business Hours) or for reasons beyond our control.

We do not contractually offer service credits in response to downtime.
Approach to resilience ISMS online is served via a resilient load-balancing pair which distributes traffic across multiple application servers, backed by a primary/backup database system with real-time synchronisation of data to allow for failover.

In the event of catastrophic failure, a new data centre will be programmatically provisioned and data restored from the 2nd DC backup.
Outage reporting Email alerts, calls to key customer contacts

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels Access to management interfaces and support channels requires (depending on system)
- a separate user account
- additional password strength requirements
- 2FA
- IP address whitelisting
- Dedicated VPN link
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 UKAS
ISO/IEC 27001 accreditation date 05/10/2018
What the ISO/IEC 27001 doesn’t cover Nothing - the organisation and the applications being delivered are covered. Our infrastructure critical supply chain providers are also certified.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • PSN certification for delivery over the secure government networks
  • Cyber Essentials certification
  • Compliance with Cloud Security Principles
  • Compliance with ISO 27017
  • Compliance with ISO 27018
  • Held and still practise to the original pan-government accreditation

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Also working in line with ISO 27017 and towards ISO 27018
We already operate in line with EU GDPR and have Privacy Impact Assessments, Subject Access Requests and follow the 120 activities from 7 checklists endorsed by the Information Commissioner's Office.
Have PSN certification.
Have Cyber Essentials.
Information security policies and processes We have a fully UKAS certified ISO 27001:2013 that also includes complementary capabilities for our ISMS. We follow all the security policies and controls based on our Statement of Applicability.
The ISMS is itself delivered securely in the cloud, where all staff and relevant suppliers follow the policies and processes according to their roles. Frequent checks and communication are undertaken with an ISMS communications group that reports into an ISMS Board, chaired by the CISO who is also General Manager and includes the CEO and CTO. Regular audits are undertaken along with standard improvement practices outlined in the ISO 27001:2013 standard.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our secure development, change management, testing and asset management policies are available on request as part of our ISO 27001 accredited information security management system.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Our vulnerability management approach is comprehensively documented in our ISO 27001 information security management system and is available on request. We proactively monitor relevant communications services and have alerts sent to staff, who then have processes in place to address and respond to issues based on the severity of the threat. Depending on the nature of the vulnerability discovered and the availability of a fix, a fix (e.g. a patch) or other intervention (e.g. staff communication) can be deployed within minutes of the vulnerability being identified. It is all evidenced in line with our ISMS.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach In line with GPG 13 and ISO 27001 we identify common patterns of potential attacks using our monitoring systems, looking for increased traffic from specific sources, non-standard requests, brute force attempts and irregular traffic.

We respond with: isolation of potentially affected servers, examination of logs on potentially affected servers, evidence of internal propagation, communication with potentially affected clients/customers, RCA, and how to prevent further occurrences.

Real-time monitoring takes place with immediate response for suspicious alerts; dashboards highlight abnormal patterns that may not trigger alerts. For common threats such as brute force attempts, automated FW reconfiguration is in place blocking traffic.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our incident management processes are accredited by UKAS certification and follow ISO 27001:2013 Annex A.16. Users, staff and other interested parties can report incidents through normal service channels, via whistleblower routes, website communications and directly to customers or regulators such as the ICO.
Our processes are ready for EU GDPR as well to ensure we can report and manage in those formats. We have reporting around incidents, events and weaknesses as well as links into the broader ISMS into the BCP.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £1000 per instance per month
Discount for educational organisations No
Free trial available No

