Crystal Thinking (Crystal Marketing Limited)

CT-100 Cyber Essentials

The purpose of the service is continual cyber risk management, providing;

1. Continual alignment with the Cyber Essentials framework, reporting vulnerabilities and secure configuration issues for all Windows & Linux servers and user devices.

2. Pre-preparation of IT infrastructure for streamlined Cyber Essentials assessments & renewals.


  • Continually monitors compliance with Cyber Essentials
  • Reduces Cyber Risks by continual assessment of device security
  • Includes the cost of Cyber Essentials certification assessment
  • Secure and highly available, hosted in multi-site UK datacentres
  • Centralised cloud-based dashboards & MI reporting
  • User access protected through Multi-Factor authentication
  • All data held within the UK with GDPR compliant processing
  • Facilitates patch-management best practice
  • Detects all devices in use, maintaining a device asset register
  • Records installed software history, maintaining a digital asset register


  • Continual security monitoring helps avoid cyber-attacks like WannaCry succeeding
  • Automated configuration monitoring provides accurate management information aiding risk management
  • Quickly establish organisation compliance state via central dashboards
  • Avoid expense and delays preparing for annual Cyber Essentials audits
  • Reduce risks through continual compliance rather than annual snapshot audits
  • Provides vulnerability insights, difficult to uncover though normal operations
  • Reduces security management overhead, freeing resource for business objectives
  • CT-100 is flexible and extendible, future-proofing security administration
  • Hosted on highly-available infrastructure complying with ISO27001 best practice


£1.00 to £3.50 per device per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

9 2 1 4 1 9 0 8 9 0 3 9 2 3 8


Crystal Thinking (Crystal Marketing Limited)

Gareth Owen

+44 (0) 203 872 2162

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Cyber Essentials Certification Preparation & Assessment
Vulnerability scans and penetration testing
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints The service can be installed on Windows & Linux servers and user devices only. It does not currently support Apple Mac.

Devices in the scope of Cyber Essentials certification and assessment are network-connected devices. The service relies on frequent or permanent device connection to the internet.

Our policy is to maintain support for the last three version of the following browsers required to logon to the cloud portal management dashboard; Microsoft Edge Google Chrome Mozilla Firefox Apple Safari for macOS
System requirements
  • Vendor supported Linux, Windows Server, Enterprise, Home or Professional
  • Frequent or permanent internet access
  • Configurable outbound device to cloud communications port
  • Whitelisted cloud service addressing capability
  • 100Mb free space on all devices in scope

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Monday - Friday 8am - 5.30 pm - 1hr
Saturday, Sunday and Bank holidays - 4hrs
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Accessible via authenticated user support link on Crystal-thinking website. Supports voice, voice call-back, email, live text chat. The last three versions of the following browsers are supported;
Microsoft Edge
Mozilla Firefox
Google Chrome
Safari for MacOS

Web chat does not currently support WCAG accessibility options other than standard voice, voice call-back, email, live text chat and in-built browser accessibility options for the above browsers.
Web chat accessibility testing None at this time
Onsite support Onsite support
Support levels We offer 4 support tiers,0 -3. Tiers 0 -2 are included in the service pricing.

Tier 3 is supports cyber security incident response outside the scope of CT-100 service.

A dedicated account manager is appointed and included in the service pricing.

Tier 0 support is provided via account manager directly, self-help knowledgebase and FAQ located in customer portal.

Tier 1 support provided through ticketing system. The target is to achieve 80% first time resolution for issues such as username & password, service use guidance, report metric interpretation.

Tier 2 support is for more complex technical issues that cannot be resolved through Tier 1 support. Tier 2 support tickets are automatically escalated to account managers who liase directly with customers as appropriate.

Tier 3 support is provided for cyber security incidents such as cyber attack response outside the scope of CT-100.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Fully supported installation and user training is provided on-site, UK within the cost of the service.

Pdf user manuals are available for direct download via the customer portal.

The CT-100 application can be trialled on one or more devices for the purpose of compatibility and user-acceptance where required. Organisational distribution of the application can be arranged according to country, site, device types, departments or other logical groupings enabling installation controls.

Installation of the CT-100 compliance application is optionally self-service, involving running a Windows MSI or Linux package on each device within the scope of Cyber Essentials. Installation normally takes less than a minute. Customers choosing to self-install require access to the customer portal which is arranged at the end of initial training or during supported installation.

Training for the use of the management portal is optionally provided through webinar or on-site and takes approximately 1 hour.

The service becomes effective immediately after CT-100 application installation.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Immediately following the termination date, CT-100 monitoring data collected and stored during the service period can be downloaded as csv files via the customer service portal. Portal access is maintained for one month following service termination. At the end of the period, we seek written permission to permanently deleted all CT-100 data and decommission the customer account.
End-of-contract process At the end of the contract, customers can optionally renew for a further period. If the customer chooses to terminate, items 1- 4 are included in the price of the service.
1. each of the CT-100 monitored devices are de-registered from the cloud environment.
2. The CT-100 can be uninstalled by the customer or with support from our staff.
3. Access to the CT-100 service portal is maintained for a further month for the purposes of reporting and downloading device monitoring data collected through the contract period.
4. Customer authority is sought for the permanent deletion of data and the decommissioning of the CT-100 cloud environment.
5. Further monitoring, data analysis or reporting is available at an additional cost depending on requirements.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Linux or Unix
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The CT-100 compliance monitoring application is designed to operate on Windows or Linux operating server and user systems, reporting compliance status to the CT-100 cloud.

The CT-100 central cloud dashboard can be accessed through desktop and mobile device browsers to view and report on device status.
Service interface No
Customisation available No


Independence of resources CT-100 cloud service is built on Amazon Web Service (AWS) infrastructure. The core infrastructure services we use are Lambda, S3, Dynamo Db. These services are provided at scale and auto-scale according to service demand.

Each customer cloud environment is created within a separate infrastructure and accounting environment.

CT-100 device monitoring applications use a small amount of network bandwidth for management data and monitoring data returned to the cloud. Devices and network performance is monitored for congestion with service monitors dynamically adjusting execution timing in response to congestion or local device resource availability.


Service usage metrics Yes
Metrics types Number of devices registered over time
Device registration detail & summary
Number of devices deregistered over time
Device de-registration detail & summary
Current active devices
Number of compliant devices over time
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Amazon Web Services cloud infrastructure

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data collected during the period of the service can be downloaded as csv files via the customer portal at any time during the contract and for one month after the end of the contract.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Service Levels;

We offer a service level of 99.9 service uptime

Data uptime is defined as the percentage of time the CT-100 cloud service availability during a one-month billing period.

Service Credits

Service Credits are calculated as a percentage of the total charges paid by you for the CT-100 service affected for the billing cycle in which the Monthly Uptime Percentage fell within the ranges set forth in the table below.

Less than 99.9% but greater than or equal to 98.0%. Service Credit 10%

Less than 98.0% but greater than or equal to 95.0%. Service Credit 25%

Less than 95.0%. Service Credit 100%
Approach to resilience The CT-100 service monitors security configuration of user devices, transmitting small report files to a central cloud location for storage, analysis and reporting.

CT-100 Service Resilience addresses the following resilience requirements;

Raw data-storage

This comprises the raw report files send by user devices to the cloud environment. The files are stored in a json format within AWS S3. AWS S3 resilience is backed by compliance certification with ISO/IEC 27001:2013, 27017:2015, 27018:2014, and ISO/IEC 9001:2015. . AWS S3 is built for 99.99% availability and guarantee 99.9% availability. AWS guarantee 99.999999999% annual durability, which is a measure of the ability to withstand file loss or damage.

When files are uploaded to AWS S3, AWS writes each file (file bits) to multiple devices and multiple locations.

Processed data-storage

Raw data files stored in AWS S3 is processed and stored in a database from which dashboard reports and other business intelligence is compiled. The database storage engine is also provided by Amazon and called AWS DynamoDb. Similar storage specifications and technology apply to DynamoDb as AWS S3. All dashboard and business intelligence reports can be entirely rebuilt from the original raw data files held on S3.

Further detailed availability information is available on request.
Outage reporting We offer two methods of reporting service outages;

The underlying infrastructure provided by AWS has a corresponding public dashboard and RSS feed providing the current and historical status of each service in each region. CT-100 customers are provided with the specific region and service identifiers allowing status reporting.

The second method is via email alerts to nominated customer personnel. Crystal Thinking operates health heartbeats and probes for each service component in CT-100. In the event of missing heartbeats, scheduled events or service probe reporting mal-functioning services breaching prolonged outage periods, an alert email is despatched, outlining the problem and severity regularly until the service resumes.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels We operate an IAM system restricting access to management interfaces through a series of controls. The primary control is via TLS & 2FA with permissions to dashboard components restricted according to the minimum permissions principal for the role. The second is programmatic, used by the CT-100 application installed on user devices where access is initially restricted to installation packages presenting an authenticated site-code and 64-bit access key. The process is conducted via TLS with key rotation application restarts.
Support access is managed through a combination of VPN authentication to a bastion server, fixed source IP and 2FA.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essnetials Plus
  • IASME Governance Gold Standard

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards Cyber Essentials Plus
IASME Governance Gold Standard
ISO / IEC 27001 (not audited)

Our infrastructure provider (AWS) complies with;
CSA CCM version 3.0
SO/IEC 27001
Information security policies and processes We operate an Information Security Management System (ISMS) comprising and information security policy with statements detailing technical and personnel security control policies.

Central to operations is a risk management system comprising, incident monitoring, reporting and management, regulatory and legal compliance monitoring conducted at least quarterly and audited internally at least bi-annually and annually by a third-party Certification Body through IASME Certification Authority for Cyber Essentials Plus and every three years against the IASME Governance standard.

Our ISMS also include Business Continuity and Disaster Recovery Plans. Disaster Recovery plans and continually reviewed and exercised at least annually.

All audit and risk management outcomes are reported to the CEO (Gareth Owen).

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The components of the CT-100 Service are recorded within our digital asset register detailing version. Our version control system tracks major and minor releases according to the significance of change using automated version control tools within AWS & Jira.

Change control comprises a 5-gate process involving several processes; initial needs analysis & risk review, requirements analysis, high-level design, owner approval, implantation, testing, staged-release. Design, implementation and testing is based on CCA & OWASP security principals.

All components versions are designed for backward compatibility, code reviewed regression tested in a staging environment prior to release.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Potential threats are assessed through a combination of frequent risk review of technical, legal and environmental threats. Technical threats are assessed according to CVSS Ver 3.0.

Patches are prioritised according to CVSS rating. Critical security patches are applied within 24 hours of becoming available, High & Medium CVSS rated patches within 72 hours. All other patches are applied within 14 days of patches becoming available.

Out threat intelligence comes from a variety of sources, including CVE notifications, automated vulnerability scan reports, OWASP, Information Security Forums, incident reporting, system log analysis, risk reviews, internal and external audit reports.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach All system events are logged for each customer environment. Monitoring and analysis is performed automatically against rules that create alerts for unusual behaviour such as repeated, failed portal access or failed process executions. Events meeting this criterion are emailed and SMS'd to nominated staff.

Where potential compromises are detected automatically, the originating IP is blocked and added to a blacklist. Where repeated, failed access attempts against a specific account is detected, account access is immediately blocked.

Automated incident response is immediate. Staff alerted responses are based on significance with Emergency & Critical within 15 minutes, Warning within 2 hrs.
Incident management type Supplier-defined controls
Incident management approach We follow the NIST SP 800-61 R2 guidelines on incident management, largely similar to ISO 27001 / CCA standards.

We operate pre-defined processes for common events which include (repeated / prolonged DDOS, account break-in, lost credentials)

Users report incidents via a dedicated customer portal ticketing system or directly with the customer account manager. A process is in place for verifying the authenticity of the reporter where the incident has not been reported anonymously.

Incident reports are made available as downloadable encrypted documents via the customer portal or sent encrypted via email to the customer nominated incident management contact.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £1.00 to £3.50 per device per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial CT-100 application installation for up to 5 devices.

Included in the trial are device compliance reports against the current Cyber Essentials standard. Reports are automatically emailed to the nominated customer representative, highlighting compliance issues on a weekly basis.

The trial length is limited to three months.

Service documents

Return to top ↑