Policy Monitor Limited

Cyber Security, Policy Management & Compliance Platform

Policy Monitor provides a cybersecurity management platform, Cyber Security Policy Monitor (CSPM). CSPM gives you a centralised platform to support your organisation through complex industry-certified accreditations, to create and implement internal security policies, train your staff, scan for vulnerabilities and establish best practices to provide the best defence against criminals.

Features

  • Enables you to establish best cybersecurity practices through simple workflows.
  • Pre-loaded boilerplate policies available with easy implementation through workflows.
  • Generate regular and ad-hoc incidents to trigger response workflows.
  • Real-time data load from third party technology APIs.
  • Demonstrate compliance with real-time dashboard and audit trail.
  • Cyber Essentials, IASME, HIPAA, NIST CSF & CIS-8 templates pre-loaded.
  • Qualys vulnerability scanning included as part of your subscription.
  • Access to our training video library.
  • Currently available in English (EN/US), Arabic, French and Spanish.
  • Can be white-labelled to reflect your company's branding.

Benefits

  • Simple start to cybersecurity with a basic checklist.
  • Engages your whole organisation in cybersecurity defence.
  • Employee awareness maintained through continuous training.
  • Monitoring of compliance and threats in a centralised dashboard.
  • Simplifies complex cybersecurity frameworks through structured workflows.
  • Pre-loaded policies streamline operations, freeing staff for other tasks.
  • Facilitates smooth internal policy rollout.
  • Enables in-house cybersecurity management, reducing reliance on costly managed services.
  • Vulnerability scanning feature identifies audit failures, allowing timely issue resolution.
  • Focus on user experience to optimise employee engagement.

Pricing

£1.00 a user a month

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at grace.maynard@policymonitor.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

217890312173270

Contact

Policy Monitor Limited, Grace Maynard
Telephone: 02045181570
Email: grace.maynard@policymonitor.co.uk

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
CSPM extends features from a number of other solutions to provide additional (optional) in-app functionality, such as LearnDash (to deliver bespoke cybersecurity training content) and Qualys (to provide vulnerability scanning capabilities). We also integrate with the Pervade OpAudit solution for submitting CE/IASME assessments.
Cloud deployment model
Public cloud
Service constraints
We are not aware of any material constraints beyond those covered elsewhere in this document (for example browser support), other than that this solution is a subscription service provided on the AWS cloud only, within an EC2 environment.
System requirements
Access to a supported, internet-enabled browser.

User support

Email or online ticketing support
Email or online ticketing
Support response times
We will respond to all calls within 4 hours during the working day and to urgent issues within 2 hours on a best endeavours basis.

Out of working hours we will respond to P1 on a best endeavours basis.
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
There is a single support offering for users of the core product. Internally this comprises level 1, responding to user enquiries of the system in normal operation; level 2, addressing issue investigation; and level 3, addressing bugs identified through level 1 or level 2 support.

The primary mechanism for providing support is through an Atlassian support desk instance.

Our solution is extensible. We can develop and load new controls, policies and governance standards. We accept customer enhancement requests, review them, add appropriate requests to our product roadmap and roll them out within our normal release cycle. General product enhancements we may deliver at no cost; customer-specific capability we may charge for by agreement.

The primary on-site support we provide is in the form of additional consulting services related to:
1. Developing and implementing a cyber security policy using our product.
2. Gathering customer information to populate the system.
3. Deploying and integrating third party products.
Costs would be between £700/day and £1200/day depending on the level of expertise required.
Any customer taking additional professional services would have a named account manager and every effort would be made to assign a named technical engineer.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Our objective is that the service is sufficiently simple for users to adopt without mandatory support from us.

As our focus is on SME organisations that are not sophisticated technologists, many users are unfamiliar with cyber security and with general system administration, and so need help with the business aspects of service usage.

We provide context-sensitive help functionality at all points within the service, often linked to help documentation as well as guidance videos we have pre-loaded onto YouTube.

We provide online training through our support desk when requested.
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
We have a utility which enables users to extract their data in the form of text files which are re-loadable into another instance of the service at a later date.

The structure mirrors the underlying data structures of the database which are documented.
End-of-contract process
At the end of the contract all users (save a single system administrator) have their access terminated, with the organisational account disabled. Organisational data is purged from our database upon request.

Billing is suspended.

The system administrator has a grace period to remove their data from the system if required.

The system administrator may initiate a purge of their data from the system. After a period no shorter than six months an organisation's data will be extracted, archived and purged from the production system. The archive will be deleted after a year or when requested by the organisation.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Our solution has been designed to be used on mobile.

However the majority of our development and testing endeavours are focused on desktop browser usage. We are continuously optimising our user-facing interfaces to be increasingly mobile-friendly.
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Yes. The service is accessed via the browser as previously identified.

There is a service API which allows integration by applications able to invoke that interface.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
WCAG self reporting tool "WCAG-EM Report Tool", "axe DevTools" and "Chrome Screen Reader".
API
Yes
What users can and can't do using the API
Currently the API is not public and we do not allow external uncontrolled access through this API.

The purpose of the API is to facilitate integration with third party technology products that generate data relevant to the platform. Specifically we have in mind asset data such as the identification of an asset, details of its configuration and the identification of vulnerabilities and other threats located on that asset.

We are currently decoupling the API from the main application to make it more generic, to facilitate a single API into the product behind an integration and transformation hub within which data from different products can be enriched and transformed before being injected into the system.
API documentation
No
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
The service enables security policies to be modified, workflows that implement those security policies to be changed, and tasks that make up workflows to be added, modified, or removed.

Users can also customise the displayed language throughout the application.

Organisations that wish to partner with us can request a bespoke version of the application that features custom branding and white-labelling, which can be used to onboard other organisations (who will then be directed to this customised application rather than the base interface). This is handled on a request basis only.

Scaling

Independence of resources
We cannot guarantee this because the service runs on a shared AWS platform which, at any one time, has a set level of compute resource.

However because the service runs on AWS, we monitor the resource consumed, receive alerts if resource limits are crossed and can increase the level of resource applied by appropriately increasing the number of application servers running.

We have carefully designed the database to minimise the risk of any user locking another, and specifically to ensure that users in one organisation cannot, through locking, impact users in other organisations who are accessing a different data set.

Analytics

Service usage metrics
Yes
Metrics types
Every service invoked by a user is logged and these audit logs can be inspected by system administrators.

From these logs administrators can determine system usage.

If there were demand we could configure analysis of these metrics via the dashboard, displaying KPIs.
Reporting types
Real-time dashboards

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
No
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
A system administrator with export privilege can export their data at any time, for example as a backup.

A log entry is held of the export.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
  • PDF
  • Word
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • PDF
  • Word
  • Vendor specific formats consistent with integrations
  • Any BLOB format where stored as a "document".

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
We don't guarantee availability or specific service levels and therefore do not provide any refund if a service is not available.

However, we have a robust BC/DR programme built into our architecture to ensure there is no single point of failure.

We have database replication in the event of a data corruption and can swap over to the standby database rapidly.

We have multiple instances of our web servers and application servers so that we can start up multiple instances if the primary instances come under load.

In the event of a catastrophic failure we can create new instances in approximately 30 minutes from the latest software build using AWS/YAML build facilities.

We provide advance notice of a software upgrade and perform planned outages out of business hours following notice.
Approach to resilience
Our UK service is provided within the AWS London data centre, and we follow industry best practices for provisioning secure resources on the cloud through AWS.

We have no single point of failure.

We replicate the primary database to a secondary in real time and can roll over to that secondary database in the event of a failure of the primary.

We also store regular backups on AWS S3 encrypted storage.

We can start up multiple web server / application server pairs to meet demand and to horizontally scale and can rapidly fail over if any pair becomes unavailable.
Outage reporting
We provide a public dashboard which we start up if there is an outage.

We publish by email planned future outages.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
On a user-facing level, the service defines three access levels: standard user, organisation manager, and system admin. Access to sensitive data is confined to system admins. Organisations can only access their own organisational data.

There is a fourth "superuser" access level whose use is restricted.

SSH access is managed via a gateway secured through a PKI system. SSH access is also restricted by IP address whitelisting.

Access to the AWS console is strictly restricted (following the principle of least privilege) and is protected by two-factor authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
Yes
Other security certifications
Yes
Any other security certifications
  • IASME Cyber Assurance Level 1
  • IASME Cyber Assurance Level 2

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
Cyber Essentials.
Information security policies and processes
We comply with the following standards: Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance Level 1, and IASME Cyber Assurance Level 2.

We use our own service to implement these policies and monitor compliance.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All the components of our service are software components running as cloud resources across various AWS-supplied services.

All build procedures are defined within YAML templates to ensure a consistent, repeatable, identical build and configuration.

All changes are reviewed by our in-house AWS specialist.

Prior to deployment, all software development takes place within our Atlassian/Jira/Bitbucket environment. Changes are defined, reviewed, implemented, and tested to ensure standards are strictly adhered to.

We use Bitbucket Premium, which gives MFA protection, enforced code reviews and mandatory testing prior to merging.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We use Qualys to regularly scan our internal development network, our production network, our AWS product networks, and all company workstations. Any detected vulnerabilities are assessed against CVSS criteria, prioritised, and patched at the earliest opportunity within a defined order of priority.

We have an RMM agent deployed to all laptops as a secondary layer providing asset monitoring and automatic patch management.

We apply all patches on a weekly basis to all development and production machines.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We monitor system load and performance using the AWS console.

We monitor user activity by analysing the user service access logs and looking for strange and inconsistent usage such as excessive operations of a particular type.

Where possible, we deploy vulnerability scanning agents and RMM agents for real-time monitoring of potential compromises. We also conduct a weekly network scan for systems to which these agents cannot be deployed.

We schedule annual penetration testing.

All incidents are responded to at the earliest opportunity.

We comply with the following standards: CE, CE Plus, IASME Cyber Assurance L1, and IASME Cyber Assurance L2.
Incident management type
Supplier-defined controls
Incident management approach
We have a predefined incident management policy and specified general workflows for managing incidents.

We have specific processes for common/well-defined incidents.

Users can report incidents by raising an alert through our company solution or internal help desk.

All workflows related to an incident are recorded in the system and can be reported upon.

Incident reports are generated on a case-by-case basis and shared with relevant personnel on a need-to-know basis.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Social Value

Social Value

  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

Tackling economic inequality

We've designed our platform and its pricing structure such that cost shouldn't be a barrier to cybersecurity. It's £10 per administrator user per month and £1 per additional user per month. This affordable pricing structure ensures accessibility and inclusivity, allowing organisations of all sizes to access and benefit from its resources. By democratising access to valuable resources, we empower SMEs to enhance their cybersecurity in-house, rather than opting for a costly third-party managed service.

Equal opportunity

Our solution is compliant with WCAG 2.1 AA and hence available to disabled users.

We recruit highly able people. On occasions during our recruitment process we identify people that have challenges and where we're able to support them we ensure that they aren't excluded from our recruitment process as a consequence of any issue that they may have.

Wellbeing

We have a strong mentoring and buddy system underpinned by wellbeing policies to ensure that our staff feel safe and supported at work. We carry out regular briefings to ensure that all staff are aware of how to identify potential issues and how to escalate them to management in an appropriate manner that respects individual privacy while providing the appropriate level of support to the individual.

Pricing

Price
£1.00 a user a month
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
When an organisation registers, the registering user has full use of all system functionality but additional users are not able to log in.

Access is provided either when the direct debit mandate triggered by submission of the first invoice is confirmed, or when authorisation is enabled by the support desk.
Link to free trial
https://www.cybersecuritypolicymonitor.co.uk/register