Information Risk Management Plc


IRM's SYNERGi Platform provides a cost-effective and comprehensive GRC software solution for rationalising IT GRC, managing cyber risk, incident & vendor management, and meeting regulatory requirements not limited to IS1, IS2, ISO27001/2, PCIDSS, ISO31000, DPA/GDPR, BIA, PIA, ISO, NIST, SANS 20, CIS, SOX, 22301/BS25999, SPF, Asset Management, CTAS, HIPAA, ISO27005.


  • Supports Accreditation, Clustering, SPF and Departmental Security Health Check requirements
  • Populated with industry standards (ISO27001, NIDS, Compliancy and NIST)
  • Six modules (Governance, Risk, Compliance, Audit, Vendor and IT Security)
  • Unlimited user license arragement
  • Only UK cyber essentials certified software platform
  • Operational Risk Compitable
  • SaaS and On-Premise Deployment
  • Real-Time Reporting and Dashboard
  • Penetesting
  • Award winning platform


  • Consistent Risk Framework aligned to IS1, IS2, ISO27005 and ISF
  • Intuitive and simple user interface
  • Able to orchistrate and manage task management
  • Central Repository for Policy, control and evidence management
  • Only UK platform certified by the NCSC for Cyber Essetials
  • Scalable to meet current cyber maturity
  • Delivered by IRM's GRC Consultants
  • Proven track record across multiple HMG Departments


£20,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

7 8 8 6 5 0 9 8 7 9 9 1 3 8 9


Information Risk Management Plc Matt Griffiths
Telephone: 01242 225200

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
We no longer support IE 7/8/9/10.
System requirements
Latest web browser for IE, Chrome and Firefox

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours, first working day if received on weekend.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Onsite support
Support levels
All support calls are sent to a support engineer. All calls are prioritised, upon receipt, by IRM and resources allocated to meet the definition of the SLA. Support is included with the license cost and their are no additional costs.

IRM will provide quarterly technical account review meetings to capture monitor service level disputes and if IRM is unable to resolve these in a reasonable time frame, IRM will discuss options for service level credits and options for determination of the contract.

You will have the right to terminate your Master Subscription Agreement with us in the event (a) Service Availability of the solution drops below 98% for two months in a rolling 6 month period, or (b) there are more than two (2) Priority 1 matters that are not resolved within the Target Resolution Time or three (3) Priority 2 matters that are not resolved within the Target Resolution Time in a six (6) month rolling period. If you elect to terminate under any of these circumstances, we will refund a pro-rata portion of the pre-paid fees for the unused portion of the term of the Master Subscription Agreement.
Support available to third parties

Onboarding and offboarding

Getting started
IRM provide a professional services work package called QuickPath. It covers project management, configuration, library load, training and reporting. This is supported by an online and offline user manual.
Service documentation
End-of-contract data extraction
This information can be downloaded from the system. IRM will support this process and provide all data in an executable file
End-of-contract process
At the end of the term, IRM will continue to support the client until written confirmation has been provided that the customer instance can be closed down. If this last more than 30 days IRM will charge a monthly pro-rata licence rate.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There are no differences between the two. As long as a user has a web browser they can access and operate SYNERGi
Service interface
What users can and can't do using the API
SYNERGi has an API Management Interface to allow API's to be installed. A list of API's not limited to HPE ArcSight, PowerBI and SharePoint are available. A list of other API's are available upon request.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Individual User interface, grid tables etc can be bespoke to the individual. The platform can also have Custom Fields created, alongside Role creation that allows the customisation of visibility of data within the software.


Independence of resources
Customers are provided with a dedicated environment. This covers a frontend webserver and backend maria database. A sandpit environment is also provided and the service is load balanced. We also operate a fail-over service.


Service usage metrics
Metrics types
SYNERGi provides a complete audit history of all usage and changes made by an end user. The metrics are not visually reported.

Further more it has a powerful dashboard and reporting capability that supports all modules and standards activated. The reporting support Quantitative and actionable decision making.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
SYNERGi can generate backup files of your data on a weekly or monthly basis depending on your edition. You can export all your org’s data into a set of comma-separated values (CSV) files.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Approach to resilience
We’re ISO 27001 Certified and as such we have an Information Security Management System (ISMS).

BCP plan is in place and was tested annually but a schedule is in place for quarterly tests. The tests are desktop reviews and scenario exercises. Due to the nature of IRM business operations a full invocation is not possible.

Primary Tier 1 Data Centre with a Secondary failover Tier 1 Data Centre. Failover to DR site for test instances are scheduled biannually.

Backups are taken every 24 hours.
Outage reporting
Email Alert

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
The software has a security domains feature that allows Role-based Access to be assigned across the platform. This can be provisioned for the management interfaces ad support channels. The System Administrator/Operations Team are responsible for ensuring that logical access rights are up to date and maintained to:
• The operating system;
• The database;
• The application
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Organisations can limit the IP range from which access is possible

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
It covers all operations
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
The Executive Board are responsible for ensuring that appropriate information security requirements have been considered and applied proportionately based upon legal and regulatory obligations, risk assessment and business needs and that legal and regulatory controls are identified, implemented and maintained throughout the company. A set of policies and procedures have been developed and are part of our JML process which is managed by HR and the relevant line managers.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Within the operational information systems changes are commonplace as part of normal business activity, however if they are not controlled effectively there is the potential for disruption to business operations and product delivery. The objective of IRM's processes is to make sure that all changes to the live systems and production environments are controlled and conducted properly. A formal policy covers the following headings and more detail across each section can be provided upon request:
1. Scope
2. Third Party Suppliers
3. Change implementation
4. System monitoring
5. Responsibilities
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
There is a formal process to test and approve all:
i. network connections
ii. Security monitoring and patching
iii. firewall and router configurations
b. Test for the presence of unauthorised wireless access points.
c. Internal and external network vulnerability scans
d. Quarterly vulnerability scans
f. Conduct internal and external penetration testing at least annually or after any significant infrastructure or application upgrade

We consume threat intelligence data and perform regular threat led risk assessments.

We create and maintain a plan with milestones to document remedial actions to correct weaknesses, vulnerabilities and deficiencies noted
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A. Corporate networks incorporate tools (software and hardware based) for real-time monitoring, measuring and reporting of network connections and performance are in place.
b. The use of network resources shall be monitored, tuned and used for making projections on future capacity requirements to maintain system performance for business operations;
c. Monitoring systems are capable of immediately providing at least three months of data for review with a minimum of one year availability off-line;
f. Upon detection of any event affecting the security of the corporate network, reporting and escalation actions in accordance with the Incident Response Management Policy.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Reporting security incidents and vulnerabilities is an important contributory factor to maintain the security of corporate information systems. Intelligence on the type and frequency of security incidents enables the company to continually monitor the effectiveness of the technical and procedural controls in place. The IRM policy covers the following headings and can be provided upon request:

1. Objective;
2. Scope;
3. Type of breach;
4. Incident description; and
5.Security Incidents, Events and Categories

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks


£20,000 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
All modules, support and maintenance and training is provided. This is typically delivered under a controlled Proof of Value for up to 60 days.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.