Capgemini UK plc


IRM's SYNERGi Platform provides a cost-effective and comprehensive GRC software solution for rationalising IT GRC, managing cyber risk, incident & vendor management, and meeting regulatory requirements not limited to IS1, IS2, ISO27001/2, PCIDSS, ISO31000, DPA/GDPR, BIA, PIA, ISO, NIST, SANS 20, CIS, SOX, 22301/BS25999, SPF, Asset Management, CTAS, HIPAA, ISO27005.


  • Supports Accreditation, Clustering, SPF and Departmental Security Health Check requirements
  • Populated with industry standards (ISO27001, NIDS, Compliancy and NIST)
  • Six modules (Governance, Risk, Compliance, Audit, Vendor and IT Security)
  • Unlimited user license arragement
  • Only UK cyber essentials certified software platform
  • Operational Risk Compitable
  • SaaS and On-Premise Deployment
  • Real-Time Reporting and Dashboard
  • Pentesting
  • Award winning platform


  • Consistent Risk Framework aligned to IS1, IS2, ISO27005 and ISF
  • Intuitive and simple user interface
  • Able to orchistrate and manage task management
  • Central Repository for Policy, control and evidence management
  • Only UK platform certified by the NCSC for Cyber Essetials
  • Scalable to meet current cyber maturity
  • Delivered by IRM's GRC Consultants
  • Proven track record across multiple HMG Departments


£22,000 a licence a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 13

Service ID

2 8 7 9 6 1 8 4 8 4 9 9 4 0 8


Capgemini UK plc Matt Griffiths
Telephone: 01242 225200

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
We no longer support IE 7/8/9/10.
System requirements
Latest web browser for IE, Chrome and Firefox

User support

Email or online ticketing support
Email or online ticketing
Support response times
Within 24 hours, first working day if received on weekend.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Onsite support
Support levels
All support calls are sent to a support engineer. All calls are prioritised, upon receipt, by IRM and resources allocated to meet the definition of the SLA. Support is included with the license cost and their are no additional costs.

IRM will provide quarterly technical account review meetings to capture monitor service level disputes and if IRM is unable to resolve these in a reasonable time frame, IRM will discuss options for service level credits and options for determination of the contract.

You will have the right to terminate your Master Subscription Agreement with us in the event (a) Service Availability of the solution drops below 98% for two months in a rolling 6 month period, or (b) there are more than two (2) Priority 1 matters that are not resolved within the Target Resolution Time or three (3) Priority 2 matters that are not resolved within the Target Resolution Time in a six (6) month rolling period. If you elect to terminate under any of these circumstances, we will refund a pro-rata portion of the pre-paid fees for the unused portion of the term of the Master Subscription Agreement.
Support available to third parties

Onboarding and offboarding

Getting started
IRM provide a professional services work package called QuickPath. It covers project management, configuration, library load, training and reporting. This is supported by an online and offline user manual.
Service documentation
End-of-contract data extraction
This information can be downloaded from the system. IRM will support this process and provide all data in an executable SQL file
End-of-contract process
At the end of the term, IRM will continue to support the client until written confirmation has been provided that the customer instance can be closed down. If this last more than 30 days IRM will charge a monthly pro-rata licence rate.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There are no differences between the two. As long as a user has a web browser they can access and operate SYNERGi
Service interface
User support accessibility
WCAG 2.1 A
What users can and can't do using the API
SYNERGi has an API Management Interface to allow API's to be installed. A list of API's not limited to HPE ArcSight, PowerBI and SharePoint are available. A list of other API's are available upon request.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Individual User interface, grid tables etc can be bespoke to the individual. The platform can also have Custom Fields created, alongside Role creation that allows the configuration of visibility of data within the software.


Independence of resources
Customers are provided with a dedicated environment. This covers a frontend webserver and backend maria database. A sandpit environment is also provided and the service is load balanced. We also operate a fail-over service.


Service usage metrics
Metrics types
SYNERGi provides a complete audit history of all usage and changes made by an end user. The metrics are not visually reported.

Further more it has a powerful dashboard and reporting capability that supports all modules and standards activated. The reporting support Quantitative and actionable decision making.
Reporting types
  • Real-time dashboards
  • Regular reports


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2019
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
SYNERGi can generate backup files of your data on a weekly or monthly basis depending on your edition. You can export all your org’s data into a set of comma-separated values (CSV) files.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Approach to resilience
We’re ISO 27001 Certified and as such we have an Information Security Management System (ISMS).

BCP plan is in place and was tested annually but a schedule is in place for quarterly tests. The tests are desktop reviews and scenario exercises. Due to the nature of IRM business operations a full invocation is not possible.

Primary Tier 1 Data Centre with a Secondary failover Tier 1 Data Centre. Failover to DR site for test instances are scheduled biannually.

Backups are taken every 24 hours.
Outage reporting
Email Alert

Identity and authentication

User authentication needed
User authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels
The software has a security domains feature that allows Role-based Access to be assigned across the platform. This can be provisioned for the management interfaces ad support channels. The System Administrator/Operations Team are responsible for ensuring that logical access rights are up to date and maintained to:
• The operating system;
• The database;
• The application
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Description of management access authentication
Organisations can limit the IP range from which access is possible

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
It covers all operations
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Cyber essentials
Cyber essentials plus
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
The Executive Board are responsible for ensuring that appropriate information security requirements have been considered and applied proportionately based upon legal and regulatory obligations, risk assessment and business needs and that legal and regulatory controls are identified, implemented and maintained throughout the company. A set of policies and procedures have been developed and are part of our JML process which is managed by HR and the relevant line managers.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Within the operational information systems changes are commonplace as part of normal business activity, however if they are not controlled effectively there is the potential for disruption to business operations and product delivery. The objective of IRM's processes is to make sure that all changes to the live systems and production environments are controlled and conducted properly. A formal policy covers the following headings and more detail across each section can be provided upon request:
1. Scope
2. Third Party Suppliers
3. Change implementation
4. System monitoring
5. Responsibilities
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
There is a formal process to test and approve all:
i. network connections
ii. Security monitoring and patching
iii. firewall and router configurations
b. Test for the presence of unauthorised wireless access points.
c. Internal and external network vulnerability scans
d. Quarterly vulnerability scans
f. Conduct internal and external penetration testing at least annually or after any significant infrastructure or application upgrade

We consume threat intelligence data and perform regular threat led risk assessments.

We create and maintain a plan with milestones to document remedial actions to correct weaknesses, vulnerabilities and deficiencies noted
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
A. Corporate networks incorporate tools (software and hardware based) for real-time monitoring, measuring and reporting of network connections and performance are in place.
b. The use of network resources shall be monitored, tuned and used for making projections on future capacity requirements to maintain system performance for business operations;
c. Monitoring systems are capable of immediately providing at least three months of data for review with a minimum of one year availability off-line;
f. Upon detection of any event affecting the security of the corporate network, reporting and escalation actions in accordance with the Incident Response Management Policy.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Reporting security incidents and vulnerabilities is an important contributory factor to maintain the security of corporate information systems. Intelligence on the type and frequency of security incidents enables the company to continually monitor the effectiveness of the technical and procedural controls in place. The IRM policy covers the following headings and can be provided upon request:

1. Objective;
2. Scope;
3. Type of breach;
4. Incident description; and
5.Security Incidents, Events and Categories

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks

Social Value

Fighting climate change

Fighting climate change

The group has a long‐standing commitment to environmental sustainability, with a strategy focusing on managing and reducing our own environmental impacts and deploying our expertise in technology and business transformation to help clients address their sustainability challenges. Our Group environmental sustainability ambition is to be Carbon neutral no later than 2025 and transforming to net zero by 2040 as approved by SBTi.

We integrate sustainability into our existing structures and solutions where applicable with our impacts being calculated using our online carbon impact calculator, underpinned by our methodology.

Scalability can reduce the future need to replace hardware; increased efficiency reduces energy consumption; and pay per use encourages companies to only use what they require, increasing energy efficiency.

Cloud Native apps can be agile, flexible and scalable to a variety of innovative outcomes e.g. Smartly, facilitating electric vehicle charging. Direct energy reduction through efficient equipment.

Assessment of where it is possible to retire and rationalise legacy applications, as well as reducing inefficiencies, lowering operating costs and enabling business model innovation. This could all reduce energy consumption across the estate

Delivering operational efficiencies through the wider operations can lead to energy savings as well as cost and time across the business.
Covid-19 recovery

Covid-19 recovery

The group has implemented a flexible working policy allowing all our employees to request arrangements for hybrid working where appropriate in view of client and team requirements.

We have made strides in helping communities gain access and skills to cope with the situation. We forged a new collaboration with Digital Unite, a leading Digital Inclusion organization in the UK. For over two decades the organization has been helping third sector organizations build digital capacity by helping them recruit and train a network of ~4000 Digital Champions, who then directly engage communities and help tens of thousands of people to learn basic digital skills. We have also launched Digital Futures initiative, spearheaded by our Cloud Infrastructure Services leaders and colleagues. The initiative is designed to help and support thousands of digitally excluded people in their journey to inclusion through digital literacy projects. Initiatives such as this is a testament to our collective commitment towards digital inclusion actions. The group aims to support digitally marginalised people through digital literacy programme across the world.

The group Research Institute recently published “The Future of Work: From Remote to Hybrid” to specifically look at how changes to working practices driven by the pandemic are likely to persist and what these changes mean to organisations such as the group and our clients.
Tackling economic inequality

Tackling economic inequality

The group is committed to ensuring that digital transformation creates an inclusive and sustainable future for all. This means opening doors to technology careers for people who are currently far from the digital skills job market, such as refugees whose studies/career journeys have been interrupted.

We open up digital job opportunities by collaborating with CodeYourFuture. This UK-based non-profit organisation supports refugees/individuals, possibly at a disadvantage, to become software engineers.

The group plays an active role in creating a CodeYourFuture community of coders ready to help one another. Our employees volunteer to ensure practical access to working professionals through which students can gain clarity on what working in the tech sector is like. Sessions include homework clubs, immersion workdays at our offices, sharing insights into careers and pathways to get there, and we also offer one-to-one mentoring for programme participants. 500+ employees have volunteered their help (March 2022).

In 2021, the group sponsored 128 students and helped run four CodeYourFuture courses in London, Birmingham and Manchester. We also assisted classes in Glasgow with job opportunities and support from volunteers.

The group continues to offer Code Your Future insights into market demand based on what our clients are requesting, helping evolve the programme curriculum to best prepare graduates for employment. As of March 2021, the group has employed 53 Code Your Future programme graduates – helping us ensure we extend employment opportunities to individuals from disadvantaged backgrounds through this new recruitment channel.

Code Your Future graduates who have joined the group are now working on client assignments across the Public and Private sectors.

We support our charity partners to build their digital skills and increase their impact through digital transformation. In 2021-22 we completed a pro-bono project to improve the functionality and inclusiveness of the Future Steps fundraising App.
Equal opportunity

Equal opportunity

The group is a member of the Business Disability Forum that provides training, podcasts and comprehensive advice on conditions and adjustments. We hold a Disability Confident Employer badge, which recognises the group’s commitment to supporting team members with disabilities.

At the group we want technology to be an opportunity for everyone. As more services such as healthcare, housing, banking, shopping and education move online, it is critical that everyone can access them. We aim to inspire those at risk of being left behind, to build the digital skills needed for life and work.

Working closely with our partner Digital Unite we have developed a new model for corporate support of digital skills training in the UK. Previously digital skills training was not typically supported by corporate volunteers and instead led by charities and non-profits. Together we have created Inspire, a training programme to support the group employees to become Digital Champions. We developed and piloted the model in 2020, before rolling out Inspire across the group from January 2021. By embedding Champions within communities, people can more easily access regular support and have a more personal connection with those teaching them digital skills.

Inspire trains our employees on how to teach digital skills. The group employees, for example, have advanced technology skills but can lack knowledge and confidence on how best to share these with their families, friends and local communities. To change this, employees attend a ‘Digi Day’ session to learn about digital exclusion, complete training on how to share skills via an e-learning module, and are encouraged to make a pledge to help others.

The Inspire training gives our volunteers the ability to support individuals from any community and background as chosen by our volunteers and includes access to specific modules on digital skills and disability.


The group is proud to be an accessible and inclusive organisation where people of all abilities want to work and collaborate: nothing is a barrier to success.

From the first stages of recruitment through to each working day with the group, support is always at hand. For team members with a disability, mental health condition or caring responsibility, our Disability, Carers & Allies employee network provides a space to meet others at the group and share advice, questions and experiences.

Here’s a snapshot of what we’ve achieved so far:
-The group has signed the Time To Change Employer Pledge: committing to continue building a working environment where employees feel able to talk openly and honestly about mental health – and know where to go when seeking help.
-We have educated and mobilised over 120 mental health champions to support colleagues.
The group is a member of the Business Disability Forum that provides training, podcasts and comprehensive advice on conditions and adjustments
-We hold a Disability Confident Employer badge, which recognises the group’s commitment to supporting team members with disabilities.
-Our commitment to supporting our people’s mental health has been recognised by Mind, who -awarded us Silver in their 2017/18 Workplace Wellbeing Index.
-We are committed to raising awareness and supporting team members with hidden disabilities. Also, a member of The Hidden Disabilities Sunflower Campaign.

The group is putting a spotlight on invisible disabilities via a new campaign: ‘Now You See Me’. While raising awareness of a number of conditions, we will also be adopting the nationwide ‘Sunflower Scheme’ and looking at best industry practices to see where we can improve.


£22,000 a licence a year
Discount for educational organisations
Free trial available
Description of free trial
All modules, support and maintenance and training is provided. This is typically delivered under a controlled Proof of Value for up to 60 days.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.