Our Business Continuity Management Software 'BCMS' is a web-based tool designed to ease and assist with the day-to-day management of an organisation’s Business Continuity Management System (BCMS).
- Create and manage business continuity plans
- Conduct Online BIAs simply (with activity owner review)
- Auto update of plans immediately with BIA analysis output
- Manage and schedule plan exercises automatically with BC policies
- Comprehensive Incident management notification functionality
- Auditing and compliance with standards
- BC Training and awareness delivery
- Real time MI and reporting
- Create and track actions from multiple sources
- Simple and intuitive interface
- World-class-leading SaaS deployment
- Making complicated BCM processes simple through engagement and collaboration
- Responsibility and accountability through automated sign offs
- Automates and regulates admin centrally allowing for increased productivity
- Ensures accountability, responsibility and transparency.
- Allows information to be appropriately distributed and policy driven.
- Instant reporting and task management, especially important during incident management
- Manages your BCMS through automated workflows
- System Administrators use the software quickly with minimal training.
- Integrated emergency notification provides instant incident communications
£0 to £50000 per licence per year
Scheduled outages are as described below:
1. Housekeeping tasks: Housekeeping tasks will only be performed between the hours of 6:00pm and 06:00am and will be non-invasive.
2. Server Operating System Patches & Upgrades: Server operating system patches and upgrades will be applied to the System, should they be required to ensure continued support by the operating system vendor.
3. System / Application Upgrades: System / Application upgrades will be applied as necessary to facilitate continued support.
|Email or online ticketing support||Email or online ticketing|
|Support response times||Continuity² provide a help desk between the hours of 08.00 and 18.00 UK Standard Time, Monday through Friday, with the exception of Christmas Day, Boxing Day, New Year’s Day and the first working day of January. Users can report issues within the application via the Issue button, or by telephone (0845-0944420). The details of the fault / issue are logged on our incident management systems and passed directly to Continuity2 support. If the user logs the fault via the application, they will receive an email confirmation of their fault number and a summary of the fault that they logged.|
|User can manage status and priority of support tickets||No|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Onsite support|
For the Continuity2 Application, 3 levels of support are available:
1. First support level - all faults / queries should be directed to The Customer’s System Administrator, who will be able to answer most “How do I?” questions. Should the system administrator be unable to resolve the fault / issue, they will then log it with second level support, the Continuity2 helpdesk or Ticketing facility.
2. Second support level - Continuity2 helpdesk, who will answer technical questions and log faults for The Customer’s System Administrator. In all instances contact will be made with the user within 2 hours of a query being raised, and confirmation of actions being taken passed to the user.
3. Third support level - Continuity2 development team, who will be passed those faults / issues not resolved by the first two levels of support. Faults will only be accepted by third level support via the online ticketing system. Contact will be made with The Customer’s System Administrator within 4 hours of the fault being passed to third level support.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Training can be provided either online, at our head office or at client premises and all user documentation is provided.|
|End-of-contract data extraction||SQL backup is provided to clients when contract ends. This contains all client data.|
|End-of-contract process||Maintenance, support, hosting and updates to the application are included in the annual licence fee. Upon any termination of an Agreement, Continuity² and The Customer will promptly comply with the termination obligations specified under clause 11 of our agreement and otherwise cooperate to terminate relations in an orderly manner. In order to comply with regulatory requirements, The Customer shall be entitled (but not obliged) to continue to use the Software and have access to all The Customer generated data until it has another solution in place, such period not to exceed six months and provided that The Customer pays a licence fee for any such period which is pro-rata.|
Using the service
|Web browser interface||Yes|
|Using the web interface||
We fully deploy the system based on each organisation’s requirements and specific needs. An organisation’s system administrator can manage and change many aspects of the application through their browser, including:
Login and Home Screen - Logging into the web application and recovering passwords
Organisation Structure - Configuring the tool to meet your organisation’s structure
Dynamic Templates - Creating, editing and deploying new plan templates
Plans and Call Lists - Creating plans and call lists for incident response
Business Impact Analysis - Configuring and deploying BIA in your organisation
Plan Exercising - Exercising the plan and documenting observations, recommendations and actions
Document Management System - Uploading and maintaining documents for your organisation
Document Control - Maintenance of document versions through review, sign off and automated distribution
Management Information - Outputting live management information about the organisation’s BCMS
Contact Training - Providing training to contacts with responsibilities in the BCMS
Corrective Action - Creating and monitoring observations, recommendations and actions
Reports - Output of various reports on the BCMS
Compliance - Monitoring compliance against defined standards
Managing Contacts - Uploading and updating contact data
Manage Auditing - Creating, editing, issuing and managing audits
|Web interface accessibility standard||WCAG 2.0 AAA|
|Web interface accessibility testing||We routinely run WCAG testing to ensure we meet current best practices.|
|Command line interface||No|
|Independence of resources||All clients have separate URLs and databases which are independent of each other; this means that one client will not have an impact on any other client.|
|Infrastructure or application metrics||Yes|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least once a year|
|Penetration testing approach||‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider|
|Protecting data at rest||
|Data sanitisation process||Yes|
|Data sanitisation type||Explicit overwriting of storage before reallocation|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001|
Backup and recovery
|Backup and recovery||No|
|Data protection between buyer and supplier networks||
|Other protection between networks||Only HTTPS can be used on the application; all data is encrypted at rest and in transit.|
|Data protection within supplier network||
|Other protection within supplier network||All data is encrypted at rest and access to servers is IP restricted. Servers are patched regularly and anti-virus and malware protection is installed on all servers.|
Availability and resilience
|Guaranteed availability||This is included within the Contract and is discussed with the client.|
|Approach to resilience||Continuity2 have an Active / Active infrastructure with data centres in Edinburgh and Milton Keynes. Further details are available on request.|
|Outage reporting||Email, SMS and telephone are used to inform clients of any incidents or planned outages.|
Identity and authentication
|Access restrictions in management interfaces and support channels||Role based security is employed and users can only see their specific area and business area. System administrators can define user rights via the user management functionality.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||
|Devices users manage the service through||
Audit information for users
|Access to user activity audit information||Users contact the support team to get audit information|
|How long user audit data is stored for||Between 1 month and 6 months|
|Access to supplier activity audit information||Users contact the support team to get audit information|
|How long supplier audit data is stored for||Between 1 month and 6 months|
|How long system logs are stored for||Between 1 month and 6 months|
Standards and certifications
|ISO/IEC 27001 certification||Yes|
|Who accredited the ISO/IEC 27001||BSI|
|ISO/IEC 27001 accreditation date||14/06/2017|
|What the ISO/IEC 27001 doesn’t cover||The data centre is covered by this certificate|
|ISO 28000:2007 certification||No|
|CSA STAR certification||Yes|
|CSA STAR accreditation date||25/10/2016|
|CSA STAR certification level||Level 3: CSA STAR Certification|
|What the CSA STAR doesn’t cover||All parts are covered|
|Who accredited the PCI DSS certification||SSC|
|PCI DSS accreditation date||01 March 2017|
|What the PCI DSS doesn’t cover||All areas of PCI DSS Roc are compliant.|
|Other security certifications||Yes|
|Any other security certifications||Cyber Essentials Plus|
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Continuity2 are aligned to ISO27001 and will apply for certification in 2018|
|Information security policies and processes||Continuity2 have a security policy aligned to ISO27001 and details are available on request|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||Continuity2 have defined and documented processes for configuration management. These define the procedures to be followed when making any system configuration changes. Our configuration control process implements this process. We have a separate change management process which defines how changes will be controlled, applied and monitored. Changes are assessed for security vulnerabilities as part of the process.|
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||Continuity2 evaluate all changes for security vulnerabilities as part of the deployment process. Application patch management is defined within the Change procedure, and server / OS / network patching is defined within the patch management procedure. Information is provided from suppliers e.g. Microsoft, data centre and technical resources.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||Compromises are identified via PEN testing and technical resources. The system actively monitors all traffic to identify risks and potential threats. These are logged and reviewed, and any vulnerability is assessed and controlled as soon as possible.|
|Incident management type||Supplier-defined controls|
|Incident management approach||We are certified to ISO 22301 and the data centre to ISO 27001, which require us to have predefined incident management processes in place. Incidents can be reported by users via the application and these are passed directly to the Service desk for treatment and resolution. Post incident reports are supplied to clients after an incident detailing incident, actions taken, root cause analysis and any subsequent actions required.|
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Separation between users
|Virtualisation technology used to keep applications and users sharing the same infrastructure apart||Yes|
|Who implements virtualisation||Supplier|
|Virtualisation technologies used||VMware|
|How shared infrastructure is kept separate||Clients have different URLs and separate database instances|
|Price||£0 to £50000 per licence per year|
|Discount for educational organisations||No|
|Free trial available||No|