CTO Technologies Ltd

Qualys software licensing and renewals

Delivering our focused cyber security services to the NHS and healthcare, we work in partnership with Qualys to offer licensing, renewals, initial discovery/readiness, solution design, migration/adoption, support/optimisation and management of their Qualys VMDR software, including licensing consultancy services to help our clients get the most from their Qualys deployment.


  • All-in-One Vulnerability Management, Detection, and Response (VMDR) platform
  • 20+ powerful Apps
  • Free Global Asset inventory App
  • Focus on most urgent threats
  • Automated patch deployment as well as ability to quarantine
  • 6 Sigma accuracy scanning technology


  • Industry leading vulnerability scanning software
  • Support critical infrastructure services
  • Reduce and eliminate downtime
  • Efficiently manage and optimise IT infrastructure performance
  • Free-up IT teams' resources
  • Transform from a 'Reactive' to 'Proactive' IT organisation
  • Installation support from experienced and qualified engineers
  • Configured offering NHS compliance reporting, administration for CareCERTs and DSPT


£10.00 a unit

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at mark.bishop@ctotechnologies.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

992578772834557


CTO Technologies Ltd Mark Bishop
Telephone: 0845 644 3830
Email: mark.bishop@ctotechnologies.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Qualys software can be used as a stand-alone SaaS or integrated into CTO Tech’s Vulnerability Management services.
Cloud deployment model
Public cloud
Service constraints
System requirements
Subject to product requirements.

User support

Email or online ticketing support
Email or online ticketing
Support response times
As defined by SLA
User can manage status and priority of support tickets
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
As defined by SLA
Support available to third parties

Onboarding and offboarding

Getting started
Qualys offer a range of support and training facilities to help new and existing users. These range from free-of-charge (FOC) on-demand training through to professional services offered remotely and onsite. Online support portals and customer community forums are also available.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Downloadable in CSV or PDF formats.
End-of-contract process
All customer data is removed and destroyed and access to the platform is revoked for all customer-approved users. VPN connectivity to the cloud is decommissioned.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Browser-based application, which will work on any internet-enabled device.
Service interface
Description of service interface
Web-hosted portal with a tailored dashboard of key data, showing a relevant summary, with drill-down capability.
Accessibility standards
None or don’t know
Description of accessibility
Access is through a web browser utilising TLS/SSL secure communication with standard accessibility options including display size of page elements (text, images, tables etc). Support is either via phone or email.
Accessibility testing
None or don’t know
What users can and can't do using the API
Users can easily integrate and automate the sharing of capabilities and data.
API documentation
API documentation formats
  • PDF
  • Other
API sandbox or test environment
Customisation available
Description of customisation
Qualys VMDR offers a wide capability to create, modify and save dashboards that can be set up based on the requirement of a client. CTO Technologies staff are fully trained and experienced to support such customisations.


Independence of resources
Effective and automated capacity planning.


Service usage metrics
Metrics types
Vulnerabilities, Assets, Criticality, Patch rates, Trends, Compliance trends, Number of elements, Number of transactions, CareCERTs etc
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports


Supplier type
Reseller providing extra features and support
Organisation whose services are being resold

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Qualys software has a built-in mechanism enabling users to export their own data from the dashboard throughout the duration of the contract and on contract end.
Data export formats
  • CSV
  • Other
Data import formats
  • CSV
  • Other

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
As defined by SLA
Approach to resilience
Information available on request
Outage reporting
As defined by SLA

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
When a user is set up, they are assigned a role, either a system default role or a bespoke one. Each role has a specific set of activities and permissions assigned. This is controlled by the Admin User. The role of a user account can be changed or disabled at any time.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Further clarifications regarding the scope of the certificate and the applicability of requirements may be obtained by consulting the certifier.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
  • ISO 9001:2015
  • Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber Essentials Plus
Information security policies and processes
We abide by an Information Security Policy and have rigorous induction and training methods which ensure policies are followed. We also follow a strict reporting structure ensuring that any areas of concern are highlighted as soon as possible. Violations, whether detected automatically or manually, will reach our technical department immediately, from where the issue will be escalated accordingly.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Our change management policy is designed to meet NIST best practices. Not all systems require the same amount of development, testing, and approval. Changes to some systems are routine and represent little or no risk. To ensure reasonable processing time for routine maintenance and low risk change requests, and to ensure that more significant, higher impact changes receive the appropriate scrutiny and planning, the following types of changes have been established. These types have corresponding development, testing, and implementation requirements as well as specific approvals necessary to process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Potential threats are assessed through Penetration Testing.
Patches are deployed as soon as they are published by a vendor, during a maintenance window.
Information on threats is supplied by vendors.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Responses are automated when possible. Otherwise, they are logged as security incidents and responded to accordingly.
Incident management type
Supplier-defined controls
Incident management approach
Information Security Incident Management follows NIST frameworks, US-CERT guidelines and best practices. Notification will be made within 48 hours and not before the initial incident report, containing the basic facts, is completed. Notification will be sent to the data breach contact notification on file. Notification will be by email.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£10.00 a unit
Discount for educational organisations
Free trial available
Description of free trial
Free trials and Solution Demonstrations can be requested via CTO Technologies.
