C2 RISK LTD

ESG

Our platform enables our clients to identify and manage the environmental, social, and governance risks posed by their suppliers and internal lines of business.

The service provides risk assessments with recommendations, open-source risk metrics, and a secure collaborative environment to enable both customers and suppliers to reduce collective risk.

Features

• Evidence-based assessment of environmental, social & governance (ESG) standards
• Suitable for assessment of supply-chain or own business units/estate
• Includes validation of responses and evidence provided during assessment
• Flexible weighting system allowing prioritisation of most important areas
• Ability to add in additional questions or requirements if needed
• Dashboards giving a comparative view and easy identification of hotspots
• Collaboration suite and reporting to track remediation actions
• Unlimited customer and supplier users

Benefits

• Gives an enhanced understanding of ESG-related risks
• Standardised assessment methodology so all entities judged by same criteria
• Ability to track performance changes over time
• Efficient ESG assessment meaning team can focus on remediation
• Easy to factor ESG into procurement processes & contract negotiations
• Multi-lingual user portal and assessments

£75 to £200 a unit a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@c2risk.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

158741107563066

Contact

C2 Risk Frameworks Team
020 7965 7596
frameworks@c2risk.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Private cloud option capable of deployment at extra cost for protectively marked installations
• System requirements: Internet/intranet facing browser required for each user

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within one working day. Priority tickets and premium support customers receive faster turnaround.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: For service issues we provide 1st, 2nd and 3rd line support.; ; Online documentation addresses majority of self service issues. ; ; Additional support is provided by our Cloud Support services.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Initial support can be delivered by phone in setup for an organisation, where a lead user is available. ; ; Training is available through C2 Cyber cloud support services to facilitate mass adoption
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Clients will be issued a complete set of their retained data as held on the production system at the end of contract conditional on the client providing a suitable storage device.
• End-of-contract process: At the end of the contract we will disconnect our service from the client site. The client is responsible for removing and/or downloading copies of their data prior to contract cessation.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Differences are presentational only, with responsive user experience and active dashboards accessible from both.
• Service interface: No
• User support accessibility: WCAG 2.1 AAA
• API: No
• Customisation available: Yes
• Description of customisation: Clients can request:; - additional questions are added to assessments ; - specific weighting of individual questions or sections of the assessment; - analyst support to interpret results

Scaling

• Independence of resources: We have adequate spare capacity to minimise the risk that one user will place a disproportionate demand that impacts on other users.

Analytics

• Service usage metrics: Yes
• Metrics types: Standard supplier compliance and assurance metrics; bespoke measurement and graphs available
• Reporting types:
  • Real-time dashboards
  • Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Customers can download a copy of data held on production systems at any time during the contract. This is subject to having the correct user permissions the client organisation.
• Data export formats: Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The service availability target is 99% excluding planned downtime; Clients can claim a refund based on a pro rated service charge for each complete day that the service was unavailable in excess of the target.
• Approach to resilience: The architecture of our platform delivers resilience through high levels of redundancy across the both the data, analytics, and application layers. Further information may be made available on request.
• Outage reporting: Outages and planned maintenance are reported on the dashboard. Major outages that may render the dashboard inaccessible will be reported by email.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: The architecture is multi-tenanted by design, with strict data labelling to ensure one tenant cannot access another tenants data. Multiple user roles are provided to separate those users with management or administrative responsibilities from those who are
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 6 months and 12 months
• Access to supplier activity audit information: No audit information available
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 17/02/2020
• What the ISO/IEC 27001 doesn’t cover: The hosting of the service in Azure is covered separately by Microsoft's own ISO27001 certification.; C2 Cyber's ISO27001 scope covers all aspects of the business, including the COBRA services.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: Cyber Essentials
• Information security policies and processes: We are certified ISO27001, Cyber Essentials and adopt cyber security accepted good practice.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We have a robust configuration and change management approach. Any material changes to the system are deployed in our Development environment and tested before being deployed to the Production environment.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our platform is heavily segmented with multiple layers of defence between zones to reduce the risk that a vulnerability can be exploited. The presentation layer and portal is only accessible to authenticated users, and is vulnerability scanned on a monthly basis. Vulnerabilities that are identified are triaged, and the target is that critical vulnerabilities within the presentational layer will be addressed within one week of a fix being available.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use a C2 detection service to monitor the service itself for compromise, using multiple custom log sources and threat analytics. Critical incidents generate a call out event so that they are addressed at any time of the day. If a critical incident cannot be remediated quickly we may close down all or part of the service to mitigate the impact until it is addressed.
• Incident management type: Supplier-defined controls
• Incident management approach: We have high levels of automation and orchestration within the platform to ensure common events are addressed quickly and consistently. Users can generate an incident through the portal. The incident reports we provide to clients for security incidents that the platform has detected will provide incident data, contextual data, attack type descriptions, and guidance on appropriate response actions.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Our service can provide our clients with information about their supplier’s environmental impacts and their performance managing those impacts. We focus in particular on greenhouse gas emissions, environmental performance reporting, carbon offsetting, biodiversity and environmental management. This information enables our clients to make more environmentally sustainable procurement decisions to help fight climate change.
• Tackling economic inequality:

  Tackling economic inequality

  Our service supplies our clients with information on which of their suppliers provide training and development opportunities for employees, with a particular focus on transition assistance programmes and training programmes to upgrade employee skills. Our service also enables our clients to identify which of their suppliers are delivering on equality of opportunity and fair recruitment practices to facilitate opportunities for those who face barriers to employment. The information we provide helps our clients to make better procurement decisions through selecting suppliers which can demonstrate that they are tackling economic inequality.
• Equal opportunity:

  Equal opportunity

  Our service helps our clients to identify which of their suppliers are promoting equal opportunity. In particular we focus on accessibility schemes, such as Disability Confident UK, to help our clients identify which of their suppliers can demonstrate that they are taking action to increase the representation of disabled people in the contract workforce. Our service is used by clients to facilitate social and environmental screening of suppliers, with a particular focus on national minimum wage legislation adherence and modern slavery compliance. We are signatories to the Armed Forces Covenant and have helped many service people transition to the private sector. We have worked with the Prince’s Trust to enable people to access careers in technology and Cyber.

Pricing

• Price: £75 to £200 a unit a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Full use of platform but without the ability to submit new suppliers. anonymised suppliers will be visible to demonstrate full capabilities of the system. ; ; For enterprise sales (more than 500 suppliers) a custom trial is possible. please contact for details.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at frameworks@c2risk.com. Tell them what format you need. It will help if you say what assistive technology you use.