GRC One Ltd

GRC1

GRC1 supplies governance, risk and control software to customers to support risk management, auditing and performance management.

Features

  • The software is a role-based GRC software product.
  • Designed by Audit, Compliance and Risk Management professionals.
  • Distributed approach to managing risk and compliance
  • Output to Board Members - Areas requiring investment
  • Evidence of corporate control - Auditors - Insurance - Regulators
  • Visualises the relationship between the Risk and the Controls
  • Identifies areas of weakness through real-time risk and controls
  • Notifies key people when risk levels or controls effectiveness changes
  • Highlights critical areas for improvement and strategic investment
  • Empowers the right people

Benefits

  • Proven at a variety of global businesses
  • Working from single risk management database facilitates communication
  • Web based tool
  • Can be white labelled for the organisation
  • Collaborative audit function to facilitate sharing and response
  • Automatic risk management calculations
  • Customizable risk management matrix
  • System security to banking compliance levels

Pricing

£10 to £50 per user per month

  • Education pricing available
  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

635597971023702

Contact

GRC One Ltd

Daren Martin

0333 344 8600

admin@grc1.com

Service scope

Software add-on or extension: Yes, but can also be used as a standalone service
What software services is the service an extension to: Business Optix Process Improvement Tool. A new active control element is also in development.
Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
Service constraints: No. It runs in a web browser, and downtime for maintenance has very limited impact.
System requirements:
  • Web browser, preferably Chrome or IE9 upwards
  • No software installed on client computers
  • Internet connection operating at normal office speeds

User support

Email or online ticketing support: Yes, at extra cost
Support response times: Response is dependent on client requirements. Normal support is 24-hour response. Faster times are available if required, at additional cost.
User can manage status and priority of support tickets: No
Phone support: Yes
Phone support availability: 9 to 5 (UK time), Monday to Friday
Web chat support: Yes, at an extra cost
Web chat support availability: 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard: None or don’t know
How the web chat support is accessible: Not yet requested, so not implemented.
Web chat accessibility testing: Not yet requested, so not implemented.
Onsite support: Yes, at extra cost
Support levels: Dedicated support function supported by a focal point at management grade and two support engineers. Additional support is possible as required.
Support available to third parties: Yes

Onboarding and offboarding

Getting started: We can provide on-site support and training. To date this has proved to be a small requirement as the system is intuitive. We are also developing system training videos which can be used in deployment and help scenarios.
Service documentation: Yes
Documentation formats:
  • HTML
  • PDF
End-of-contract data extraction: From inside the system, Admin users can extract location, group and user files (system setup) and risk, control, action and assessment data using a data extract function, which downloads data as CSV, XML or XLSX. Not all data in the system can be downloaded this way, though. For Documentation data, GRC ONE must create the extract, which is a service that incurs a cost to the customer (dependent on the size of the extract produced and how it is to be delivered to the customer).
End-of-contract process: The software is the purchased component, bought as software as a service. At the end of the contract the purchaser owns all data and IPR on how their instance works. This can be exported to a suitable format for them to transfer elsewhere. This function needs to be done by a system admin. The transfer of data at contract end has so far been executed successfully by one user at contract end (European Commission).

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install: No
Designed for use on mobile devices: No
Service interface: No
API: No
Customisation available: Yes
Description of customisation: All features are customisable: labels, groups, security access, risk matrix, risk template questions, logos.

Scaling

Independence of resources: We have significant redundancy in capacity on our services and can create individual instances of the software if we need to ring-fence an individual customer due to high usage.

Analytics

Service usage metrics: Yes
Metrics types: Within the system, based on user login data and the audit trail.
Reporting types:
  • Reports on request
  • API access
  • Real-time dashboards

Resellers

Supplier type: Not a reseller

Staff security

Staff security clearance: Staff screening not performed
Government security clearance: Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations: European Economic Area (EEA)
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least once a year
Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest: Encryption of all physical media
Data sanitisation process: Yes
Data sanitisation type: Deleted data can’t be directly accessed
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: From inside the system, Admin users can extract location, group and user files (system setup) and risk, control, action and assessment data using a data extract function, which downloads data as CSV, XML or XLSX. Not all data in the system can be downloaded this way, though. For Documentation data, GRC ONE engineers must create the extract, which is a service that incurs a cost to the customer (dependent on the size of the extract produced and how it is to be delivered to the customer).
Data export formats:
  • CSV
  • Other
Other data export formats:
  • XML
  • XLSX
Data import formats:
  • CSV
  • Other
Other data import formats:
  • XLSX
  • XML

Data-in-transit protection

Data protection between buyer and supplier networks: Legacy SSL and TLS (under version 1.2)
Data protection within supplier network: Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability: We rely on MS Azure services. Our current availability is in excess of 99%, with no unplanned downtime in the last 12 months.
Approach to resilience: Resilience is managed through the data centre provision of MS Azure. Details available on request.
Outage reporting: Direct to customer account contacts (as held in our CRM system). Planned downtime can be managed through the user notification feature of our product.

Identity and authentication

User authentication needed: Yes
User authentication:
  • 2-factor authentication
  • Limited access network (for example PSN)
  • Username or password
Access restrictions in management interfaces and support channels: The system has a comprehensive security environment restricting access to data by location, group and function.
Access restriction testing frequency: At least every 6 months
Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: See below
ISO/IEC 27001 accreditation date: See below
What the ISO/IEC 27001 doesn’t cover: Nettitude, our penetration testers, are both ISO 9001 and ISO 27001 certified. Nettitude are also PCI SSC, ISC2, BCI, Chartered Institute of IT, NCSC, NCSC CHECK and CREST accredited. Certification can be obtained to meet customer demands. We also have support from Blast Asia, who are ISO 27001 certified; details available on demand.
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: No

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Data Protection Policy, Information Security Incident Response Policy, Information Security Incident Response Process, Acceptable Usage Policy, Mobile Devices and Laptop Policy, Information Security Policy, Network Security and Connection Policy, Penetration Test Customer Statement, Data Retention Policy, Data Privacy Policy, and Website Privacy Policy and Statement.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: The change management process is agreed with each individual customer as part of the service contract. Changes can be tested by customers prior to application to the customer instance.
Vulnerability management type: Undisclosed
Vulnerability management approach: Our services are hosted on MS Azure platforms, with vulnerabilities managed and notified through the Microsoft security centre. Patches are deployed by Microsoft and notified through the server controller interface to the Senior IT engineer.
Protective monitoring type: Undisclosed
Protective monitoring approach: Basic ITIL Incident Management Process. We have constant monitoring of the system 24/7/365, with the system alerting us to any security vulnerability, potential threat or performance issue from the MS Azure security and performance centre. We monitor the dashboard during the working day and respond to alerts accordingly. Target response to all incidents is within 60 minutes of their being reported, with all incidents fixed within the working day.
Incident management type: Undisclosed
Incident management approach: Basic ITIL Incident Management Process. We have constant monitoring of the system 24/7/365, with the system alerting us to any security vulnerability, potential threat or performance issue from the MS Azure security and performance centre. We monitor the dashboard during the working day and respond to alerts accordingly. Target response to all incidents is within 60 minutes of their being reported, with all incidents fixed within the working day.

Secure development

Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks: No

Pricing

Price: £10 to £50 per user per month
Discount for educational organisations: Yes
Free trial available: Yes
Description of free trial: Full operational service for one month. Help in building a demonstration compliance software template. Population of available templates from our library if required. Initial set-up is free for the trial version.
