Continuity2 ltd

Business Resilience Software with Hosting (SSAS)

Our Business Continuity Management Software 'BCMS' is a web based tool designed to alleviate and assist with the day to day management of an organisation’s Business Continuity Management System (BCMS).


  • Create and manage business continuity plans
  • Conduct Online BIAs simply ( with activity owner review)
  • Auto update of plans immediately with BIA analysis output
  • Manage and schedule plan exercises automatically with BC policies
  • Comprehensive Incident management notification functionality
  • Auditing and compliance with standards
  • BC Training and awareness delivery
  • Real time MI and reporting
  • Create and track actions from multiple sources
  • Simple and intuitive interface


  • World-class-leading SaaS deployment
  • Making complicated BCM processes simple through engagement and collaboration
  • Responsibility and accountability through automated sign offs
  • Automates and regulates admin centrally allowing for increased productivity
  • Ensures accountability, responsibility and transparency.
  • Allows information to be appropriately distributed and policy driven.
  • Instant reporting and task management especially important during incident management
  • Manages your BCMS through automated workflows
  • System Administrators use the software quickly with minimal training.
  • Integrated emergency notification provides instant incident communications


£0 to £50000 per licence per year

Service documents

G-Cloud 10


Continuity2 ltd

Lisa McGlave


Service scope

Service scope
Service constraints Scheduled Outages as described below: -
1. Housekeeping tasks: Housekeeping tasks will only be performed between the hours of [6:00pm and 06:00am.] and will be non invasive
2. Server Operating System Patches & Upgrades: Server operating system patches and upgrades will be applied to the System, should they be required to ensure continued support by the operating system vendor
3. System / Application Upgrades: System / Application upgrades will be applied as necessary to facilitate continued support.
System requirements
  • Windows PC / Laptop
  • Minimum 512MB RAM, Pentium 2 processor
  • Recommended 2GB Ram, Pentium 4 processor or above
  • Browser Software - Internet Explorer 10+, Chrome and Edge
  • Microsoft Office 2007 minimum

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Continuity² provide a help desk between the hours of 08.00 and 18.00 UK Standard Time, Monday through Friday, with the exception of Christmas Day, Boxing Day, New Year’s Day and the first working day of January.

Users can report issues within the application, via the Issue button or by telephone (0845-0944420), the details of the fault / issue are be logged on our Incident management systems and passed directly to Continuity2 support. If the user logs the fault via the application, they will receive an email confirmation of their fault number and a summary of the fault that they logged.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Onsite support
Support levels For the Continuity2 Application - 3 levels of support available: -
1. First support level - all faults / queries should be directed to The Customer ’s System Administrator, who will be able to answer most “How do I?” questions. Should the system administrator be unable to resolve the fault / issue, they will then log it with second level support, the Continuity2 helpdesk or Ticketing facility
2. Second support level - Continuity2 helpdesk who will answer technical questions and log faults for The Customer Systems Administrator, in all instances contact will be made with the user within 2 hours of a query being raised, and confirmation of actions being taken passed to the user.
3. Third support level - Continuity2 development team who will be passed those faults / issues not resolved by the first two levels of support, faults will only be accepted by third level support via the on line ticketing system. Contact will be made with the Customer System’s Administrator within 4 hours of the fault being passed to third level support.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Training can be provided either online, at our head office or at client premises and all user documentation is provided.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction SQL backup is provided to clients when contract ends. This contains all client data.
End-of-contract process Maintenance, support, hosting and updates to the application are included in the annual licence fee. Upon any termination of an Agreement, Continuity² and The Customer will promptly comply with the termination obligations specified under clause 11 of our agreement and otherwise cooperate to terminate relations in an orderly manner. In order to comply with regulatory requirements, The Customer shall be entitled (but not obliged) to continue to use the Software and have access to all The Customer generated data until it has another solution in place, such period not to exceed six months and provided that The Customer pays a licence fee for any such period which is on a pro-rata.

Using the service

Using the service
Web browser interface Yes
Using the web interface We fully deploy the system based on each organisations requirements and specific needs. An organisations system administrator can manage and change many aspects of the application through their browser including:
Login and Home Screen - Logging into the web application and recovering passwords
Organisation Structure - Configuring the tool to meet your organisations structure
Dynamic Templates - Creating, editing and deploying new plan templates
Plans and Call Lists - Creating plans and call lists for incident response
Business Impact Analysis - Configuring and deploying BIA in your organisation
Plan Exercising - Exercising the plan and documenting observations, recommendations and actions
Document Management System - Uploading and maintaining documents for your organisation
Document Control - Maintenance of document versions through review, sign off and automated distribution
Management Information - Outputting live management information about the organisations BCMS
Contact Training - Providing training to contacts with responsibilities in the BCMS
Corrective Action - Creating and monitoring observations, recommendations and actions
Reports - Output of various reports on the BCMS
Compliance - Monitoring compliance against defined standards
Managing Contacts - Uploading and updating contact data
Manage Auditing - Creating, editing, issuing and managing audits
Web interface accessibility standard WCAG 2.0 AAA
Web interface accessibility testing We routinely run WCAG testing to ensure we meet current best practices.
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources All clients have separate URLs and databases which are independent of each other, this means that one client will not have an impact on any other client
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • CPU
  • Disk
  • Memory
  • Network
  • Number of active instances
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Backup and recovery No

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Other
Other protection between networks Only HTTPS can be used on the application, all data is encrypted at rest and in transit
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network All data is encrypted at rest and access to servers is IP restricted.
Servers are patched regularly and anti virus and malware protection is installed on all servers

Availability and resilience

Availability and resilience
Guaranteed availability This is included within the Contract and is discussed with the client.
Approach to resilience Continuity2 have an Active / Active infrastructure with Data centres in Edinburgh and Milton Keynes.

Further details are available on request
Outage reporting Email, SMS and telephone are used to inform clients of any incidents or planned outages.

Identity and authentication

Identity and authentication
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
Access restrictions in management interfaces and support channels Role based security is employed and users can only see their specific area and business area. System administrators can define user rights via the user management functionality.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Devices users manage the service through
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)
  • Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 14/06/2017
What the ISO/IEC 27001 doesn’t cover The data centre is covered by this certificate
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 25/10/2016
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover All parts are covered
PCI certification Yes
Who accredited the PCI DSS certification SSC
PCI DSS accreditation date 01 March 2017
What the PCI DSS doesn’t cover All areas of PCI DSS Roc are compliant.
Other security certifications Yes
Any other security certifications Cyber Essentials Plus

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Continuity2 are aligned to ISO27001 and will apply for certification in 2018
Information security policies and processes Continuity2 have a security policy aligned to ISO27001 and details are available on request

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Continuity2 have a defined and documented processes for configuration management. This defines the procedures to be followed when making any system configuration changes.
Our configuration control process implements this process.
We have a separate change management process which defines how changes will be controlled, applied and monitored.
Changes are assessed for Security vulnerabilities as part of the process.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Continuity2 evaluate all changes for Security vulnerabilities as part of the deployment process.
Application Patch management is defined within the Change procedure, and server / OS / network patching is defined within the patch management procedure.
Information is provided from suppliers e.g. Microsoft, data centre and technical resources.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Compromises are identified via PEN testing and technical resources.
The system actively monitors all traffic to identify risks and potential threats. These are logged and reviewed and any vulnerability is assessed and controlled as soon as is possible
Incident management type Supplier-defined controls
Incident management approach We are certified to ISO 22301 and the data centre to ISO 27001 , which require us to have predefined incident management processes in place.
Incidents can be reported by users via the application and these are passed directly to the Service desk for treatment and resolution .
Post incident reports are supplied to clients after an incident detailing incident, actions taken, root cause analysis and any subsequent actions required.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Separation between users
Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used VMware
How shared infrastructure is kept separate Clients have different URLs and separate database instances

Energy efficiency

Energy efficiency
Energy-efficient datacentres Yes


Price £0 to £50000 per licence per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑