3E Europe Limited

CIRIS for NICE Compliance

Delivered as a service over the Internet, CIRIS for NICE Compliance is workflow solution for compliance with NICE guidance where assessments are devolved to clinicians. All stakeholders - including clinicians, service managers, clinical committees and the board - can have direct access to the system.


  • All NICE guidance prepopulated in the system
  • Automated guidance assignment, assessment, assurance, ratification and action progress monitoring
  • Audit requirement assessment with configurable criteria
  • Comprehensive set of standard reports
  • All workflow participants receive online forms via email
  • Principal assessor can delegate assessments of selected recommendations to clinicians
  • Import data from legacy systems
  • Bundle reports into a single PDF and schedule its distribution
  • Support for single sign-on
  • Application Program Interface (API) for links to other systems


  • Configurable automated end-to-end business process
  • One system - no more reinput of Recommendations from spreadsheets
  • One system - no more reinput of assessments from spreadsheets
  • All 26,000+ NICE recommendations in a searchable repository
  • Single repository for all NICE compliance related matters
  • Automated progress chasing and monitoring of actions
  • Automated report distribution to predefined user groups
  • Configurable workflow task timescale and escalation rules
  • No more end-user training - instructions built into all forms
  • All the advantages of an in-house solution without the risk


£3618 to £12170 per licence per year

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 6 6 1 8 8 2 6 8 3 1 2 0 7 6


3E Europe Limited

Richard Brown

01223 421148


Service scope

Software add-on or extension
Cloud deployment model
Public cloud
Service constraints
System requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support is business hours, Monday to Friday. We typically respond the same day, but sooner depending on severity of the ticket and in line with our stated response times in our SLA.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
We provide a comprehensive level of support for the duration of the license at no additional cost (except for onsite support). Members of the support team have sufficient technical expertise to handle the vast majority of support requests, and direct access to specialists to assist in the resolution of issues.
Support available to third parties

Onboarding and offboarding

Getting started
We provide online training for system administrators. End-user training is not required.
Service documentation
Documentation formats
End-of-contract data extraction
Each report has an export button that allows users to export their data in CSV format. We also have a service that exports all uploaded documents, which we forward on to the client via e-mail, DVD etc.
End-of-contract process
At the end of the contract, access to CIRIS is removed and customer data deleted. Therefore, customers must ensure that they export any data they wish to retain prior to expiry of the contract. There are no additional costs involved in the off-boarding process.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
Access using an internet browser.
Accessibility standards
None or don’t know
Description of accessibility
Web pages are titled, have headings and labels. Help is context-sensitive and text-based. Functions, like buttons and menus, have captions. All non-text content presented to users has a text alternative, except for content uploaded by end-users who have not specified a text alternative for the non-text content.

Navigation within and between pages is simple and consistent; there are just two clicks to most data in the application. User input is validated before submission and errors are described in text.

Web pages do not contain anything that flashes more than three times in any one second period.
Accessibility testing
We have not performed any testing with users of assistive technology
What users can and can't do using the API
Users can retrieve, edit, insert and delete rows from any report in the service via the API. Documents stored in the service can also be retrieved via the API.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The configurable elements includes forms, email alerts, reports, dashboards, data transformations, query customisation and query permissions, making CIRIS a feature-rich and flexible enterprise platform for managing NICE Compliance. CIRIS can be configured by 3E or by the customer with or without reference to 3E.


Independence of resources
Our hosting partner has built-in support for enterprise-class network segregation between client environments, and segregation between networks within client environments. On the application side, we monitor the response times for each customer, and adjust the system as necessary to maintain response times in accordance with our service level agreements.


Service usage metrics
Metrics types
For each user, CIRIS keeps a record of the dates and times that the user logged in and logged out, along with which reports the user ran. CIRIS also includes an audit trail facility that can be configured to record every change to a field in a record as well as providing a function to view records that have been deleted.
Reporting types
  • API access
  • Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
CIRIS provides users the functionality to export any report to CSV format, which can be read by Microsoft Excel. Added flexibility for exporting data is provided through the CIRIS Application Programming Interface (API).
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
3E shall use all reasonable commercial efforts to ensure that CIRIS is operational and available 99.99% of the time in any calendar month, excluding the Scheduled Maintenance Time, and that it runs 90% of reports within 6 seconds, and all reports within 30 seconds. However, this does not apply to any performance issues cause by events outside of 3E’s control, customer equipment and/or third party equipment that is not within the primary control of 3E, limitations, delays, and other problems inherent in the use of the internet and electronic communications.
Approach to resilience
Available on request.
Outage reporting
Email alerts

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
CIRIS allows system administrators to control access to the application and to individual reports. 3E provide support to named contacts.
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We have Cyber Essentials Accreditation. We are working towards compliance with ISO 27001 : 2013.
Information security policies and processes
We have developed internal polices and procedures regarding information security. All employees must adhere to these policies and any breach reported to senior management. We perform audits to ensure that policies are being correctly followed.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have operational documents that detail the configuration of each component in the system. Any changes required must be documented, and must include the procedure for making those changes and a roll-back plan. This is then submitted to QA, who apply it to a test environment, evaluate it and perform regression testing prior to accepting/rejecting it. Once accepted, the operational documents are updated and a schedule for rolling out the change is drawn up.
Vulnerability management type
Vulnerability management approach
3E has a patch management policy that specifies that all critical patches released by vendors be applied within one month of their publication, and important patches within two months. News regarding potential treats come from signing-up to vendor news feeds and daily industry bulletins.
Protective monitoring type
Protective monitoring approach
We collect and study the event logs and application logs of all servers involved in the delivery of CIRIS. Furthermore, we monitor firewall logs, web-server logs and database logs. Any potential compromise is recorded in the incident log and an investigation begun immediately.
Incident management type
Incident management approach
3E has a documented incident management policy that describes how to handle incidents. Users can report incidents via email or telephone.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£3618 to £12170 per licence per year
Discount for educational organisations
Free trial available
Description of free trial
We provide a guided tour of the application and then give the customer a free unrestricted access to a fully-functional version of the application containing demo data. The trial period is usually for a period of up to one month.

Service documents

Return to top ↑