QOREX Business Management Software

QOREX maximises organisations performance. It does this by removing unnecessary complexity, simplifying operations and aligning investment with results. Enabling a systematic approach to business management, it delivers a single point of truth, bringing together data and information from across the organisation(s) including Planning, Benefits, Operations and Project Delivery.


  • Translate strategy into action, leveraging capabilities to optimise organisation potential.
  • Holistic Portfolio, Programme and Project prioritisation, management, delivery and reporting
  • Encourages operational focus on value adding products, services and capabilities
  • Executive dashboards provide insight into performance e.g. most accretive projects
  • Benefits are quantified, prioritised and delivered to sustain over time
  • Business Maps highlighting interdependencies support transparency and risk management interventions
  • Supports performance appraisal by associating results with assigned staff records
  • Revolutionises routine reporting, eliminating wasted effort and boosting morale
  • Document repository and distribution management system with full audit trail
  • Geographic mapping can be used to create organisation services heat-maps


  • Establishes a clear line of sight between strategy and delivery
  • Displays organisation scope and RAG-rated performance using simple graphics
  • Eliminates complexity to structure streamlined data and support effective governance
  • Improves collaboration, co-operation, productivity, information accessibility, employee engagement
  • Enables evidence based leadership and timely fact based decision making
  • Integrated data repository creates transparency and eliminates data reconciliation activities
  • Maps and rates interdependencies, creating a delivery risk early-warning system
  • Systemised management approach reduces administration and encourages adoption
  • Clear accountability and responsibility for results increases likelihood of success
  • Role based access control ensures appropriate levels of security


£97.00 per person per month

Service documents


G-Cloud 11

Service ID

6 8 1 2 3 8 8 6 9 1 2 1 6 3 1



Philip Trickey

07834 800416


Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Any service constraints wil be agreed with the client and documented as part of the initial proposal phase so that all parties are aware of any such constraints prior to the start of on-boarding.
System requirements
  • Appropriate equipment and technology to access QOREX servers
  • Appropriate Internet connectivity and bandwidth
  • Adequate browsers are installed on end user computers
  • Ensure that firewalls configured to allow access to QOREX servers
  • Whitelisting QOREX domain so that QOREX emails can be received

User support

Email or online ticketing support
Email or online ticketing
Support response times
Severity 1 = 2 Business Hours Response time; 1 Business Day Resolution Time
Severity 2 = 4 Business Hours Response Time; 2 Business Days Resolution Time
Severity 3 = 1 Business Day Response Time; 5 Business Days Resolution Time
Severity 4 = 2 Business Days Response Time; Resolution is next major release of Software subject to the enhancements or additional modules being agreed by the Company.
User can manage status and priority of support tickets
Phone support
Web chat support
Onsite support
Yes, at extra cost
Support levels
Level 0 support – Self-service solutions that users can access themselves include automated password resets, soft copy user guides.

Level 1 support – Filters all reported incidents and provides basic support and troubleshooting and escalation to Level 2 and Level 3 support.

Level 2 Support - Investigates and resolves incidents and observations.

Level 3 Support – Troubleshoot and repair more complex issues. Level 3 support is carried out by technology specialists with the ability to deploy solutions to problems.

A QOREX Account Manager is assigned to each customer and has responsibility for ownership of usability, training and implementation questions raised. They act as a single point of escalation, keeping users informed of the status of their enquiry and ensuring responses are within agreed service levels.

The cost is dependent on the agreed implementation and ongoing support plan.
Support available to third parties

Onboarding and offboarding

Getting started
We typically use a three-phase approach. During the Discovery phase we work with the client to document the existing systems, processes, data (and migration requirements), technical architecture, security and systems integration requirements and the scope of the final audience, resulting in a detailed plan detailing of the new system requirements and how it is to be implemented, including any necessary bespoke development (and any associated additional costs). The Pilot phase involves setting up a new QOREX ‘instance’, working with the client to populate it with a subset of data, demonstrating the functionality to a small number of client users, including required amendments to the data-set along with the rollout and testing of any bespoke development and/or systems integration agreed. The Deployment phase commences when the client wishes to rollout the system to the entire agreed audience. On-site training will have been provided during the Pilot phase and additional on-site training may be delivered as required to a wider audience during the Deployment phase. The agreed support procedures and any further documentation required will also be rolled out at this point. User documentation is provided in the form of training and user manuals.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
In the event of termination of the Contract by either the Company or the client and on written request by the client, the Data within the Software will be provided to the client within 10 Business Days of termination of the Contract in Comma Separated Variable (CSV) format.
End-of-contract process
At the end of each of the Discovery, Pilot and Deployment phases’ client approval is required before proceeding to the next stage. The Service shall be provided to the client for a period of twelve (12) months from the Contract Date and shall terminate immediately upon expiry of that period unless the client has paid the Annual Subscription Fee to renew the Service for a further twelve (12) month period. In the event of termination, the licence of intellectual property rights shall be revoked automatically. Data within the software can be provided on written request within 10 business days in CSV file format.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
QOREX has been designed and developed with responsive design in mind to maximise users’ experience, however, there exists common limitations with some mobile devices. The display on a very small mobile device (e.g. a phone) may be portrait-oriented, so scrolling and zooming may be required and hover may be unavailable; less processing power and bandwidth may be available on a mobile device which may result in pages rendering more slowly than desktop; browser features may be limited on a mobile device and the keyboard is typically smaller so data entry is less favourable on a mobile device than desktop.
Service interface
Customisation available
Description of customisation
Customisation includes local instance language, categories, types, tags and other site-wide settings like password strength, logo, colours, etc.

Customisation is carried out at the Site Administration Level and is available to those with the necessary level of Role Based Access Control.

More fundamental enhancements to the software functionality can be specified and agreed with QOREX in collaboration with the customer. Such work will be prioritised, scheduled and delivered by QOREX Ltd. All intellectual property rights associated with any software application enhancements remain with QOREX Ltd.


Independence of resources
Each QOREX 'instance' has its own subdomain and its own independent database. The web and database servers are on separate physical servers with the database server only being accessible (either by QOREX staff or the QOREX application) over VPN.


Service usage metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
Less than once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other data at rest protection approach
Dedicated Mechanical & Engineering corridors away from IT equipment. Biometric iris scan man-trap to gain access to data floor area. On-site human security presence 24x7. Proximity access locks on all external and internal doors. Interlocked man-traps on front entrance and goods in area. Perimeter fence with rota spikes, anti-ram raid barriers, blast-proof windows and steel security doors. External and internal digital IP ICCTV system with digitally controlled motion sensors and flood lighting.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
QOREX provides a facility within the software to export data to either a Comma Separated Value (csv) or Excel (xlsx) file format.
Data export formats
  • CSV
  • Other
Other data export formats
Excel (xlsx)
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
With the exception of planned downtime and events outside our control the QOREX BMS is planned to be available for 99.9% of available time. Any reduction on this availability will attract a refund as set out in our Terms and Conditions.
Approach to resilience
The servers run the Trend Micro Deep Security IDS software to protect against attacks. The hardware is connected to redundant power supplies and our SLA has a 2 hour hardware replacement guarantee. Each instance database is backed up every 2 hours and stored on a separate (Centro -based) server.
Outage reporting
The system is monitored every minute and any outages are reported to the development director and lead developer by SMS. Maintenance will be required on both a scheduled and ad hoc basis and some (but not all) maintenance activities will require system downtime. QOREX will use all reasonable efforts to keep maintenance related downtime to a minimum and wherever possible to undertake any such activities outside business days. QOREX will inform users of any necessary maintenance related downtime by giving at least 24 hours' notice and an indication of the expected downtime (if any) by email alert. Any significant planned maintenance activities that will result in extended downtime and will occur during business days will only be undertaken by QOREX in agreement with the customer at a mutually convenient time. Such activities include system migration, major software releases and hardware upgrades.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Client system administrators access their QOREX instance using an email address and password and are able to add new user accounts (up to their agreed limit) and manage existing accounts. They are empowered to create, manage and delete users accounts within their own instance and are able to dictate the screens and entities each user is able to access and the degree of control (RO/RW) over those screens and entities. Support requests to QOREX are logged within the application itself and any that are related to user account management would be referred back to the client system administrator to resolve.
Access restriction testing frequency
Less than once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We ensure we react appropriately and in a timely fashion to any actual or suspected incidents relating to the security of our information systems. We have a clear incident reporting process in place which details the procedures for the identifying, reporting and recording of security incidents. This applies to all QOREX employees, contractors and partners who use QOREX facilities and equipment or have access to QOREX’s client data and all are responsible for ensuring the safety and security of QOREX’s systems and information. We foster a proactive incident reporting culture to help reduce and even prevent incidents from occurring.
Information security policies and processes
Although QOREX does not yet have ISO27001 certification, an Interim Security Policy, Risk Register and Information Security Incident Management Policy is in place; enshrining the principles of confidentiality, integrity and availability of our own and client’s information; ensuring regulatory and legislative requirements are met and suspected breaches are reported and investigated. Phil Trickey, CEO, is the board representative with overall responsibility for security. An Incident Owner will be assigned for each Security Incident and is responsible for managing all aspects of the incident through to its resolution and subsequent reporting and feedback. As part of the cycle of continuous improvement, all staff are encouraged to contribute to the improvement of our information security procedures and techniques by being constantly aware of the risks associated with a breakdown in security procedures and submitting suggestions for improvement. All observations and suggestions for improvement are logged in the ticketing system and assigned to appropriate staff to review and action. Every quarter a Security Bulletin is issued to all staff in the form of an email in addition to ad-hoc security messages. Both the quarterly Security Bulletins and ad hoc updates are required reading for all staff.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All changes are carefully reviewed to ensure that they will not have a detrimental effect; are documented in the ticketing system; specified to be relevant to all clients (or markets); considered within the context of the existing security provisions to ensure that security is not compromised or new security provisions implemented; undergo a code review before they are submitted for local testing; documented, tested and approved by the Development Director before being released to the live system. Releases are performed, whenever possible, outside office hours. Appropriate tests are repeated on the live system once a change request has gone live.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The QOREX system was last subjected to penetration testing by Portcullis (now part of Cisco) a CHECK service provider, in 2016 as part of our successful security assessment to become a SaaS supplier to the Student Loans Company. MalDet is currently run every 24 hours. However, we are currently evaluating a number of other automated vulnerability monitoring applications (such as OWASP ZAP, Nikto, etc) and will be implementing our preferred solution before the end of the year.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Potential compromises are detected from either a user or a monitoring system detecting an incident and triggering an alert. The servers run the Trend Micro Deep Security IDS software to protect against attacks. The incident is recorded and tracked, assigned an Incident Owner, allocated a severity of critical (reported immediately), significant (reported within 4 hours) or minor (reported within 1 day) and an Incident Resolution Plan is formulated. If the incident severity is Critical, the Incident Owner commences the assessment within 60 minutes of the incident being reported and informs the Security Manager of a Critical Security Incident.
Incident management type
Supplier-defined controls
Incident management approach
The Incident Management Process comprises four stages. Detection - an end user or employee reports a problem via a phone call or the reporting system in the QOREX platform or a monitoring system detects an incident. Assesment - the nature and severity of the Security Incident is assessed and a plan is formulated. Resolution - the Incident Owner will manage the resolution and ensure that all interested parties are informed of progress and closure through regular reporting. Review - the Incident Manager and Security Manager, will review and report the incident to see if any lessons can be learned.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£97.00 per person per month
Discount for educational organisations
Free trial available

Service documents

Return to top ↑