Continuity2 ltd

Business Continuity, Resilience and Risk Management Software with Hosting (SaaS)

"Meridian" BCMS is a web based tool designed to automate and alleviate the everyday management of an organisation’s Business Continuity Management System and delivers compliance to ISO22301 and FCA Operational Resilience standards. The system delivers all aspects of Resilience ,Risk Assessments , BIAs, Dependency Mapping, Scenarios Planning, Testing, Notification/Incident Management.

Features

• Create and manage business continuity plans
• Conduct online BIA (online via activity owner review)
• Automatic update of plans with up to date BIA output
• Manage and schedule plan exercises automatically with BC policies
• Comprehensive Incident management notification functionality
• Auditing and compliance with standards e.g ISO22301, FCA Operational Resilience
• BC Training and awareness delivery
• Real time MI and reporting
• Create and track actions from multiple sources
• Fully integrated Enterprise Risk Management module

Benefits

• World-class-leading SaaS deployment
• Making complicated BCM processes simple through engagement and collaberation
• Ensures accountability through automated sign offs
• Automates and regulates admin centrally allowing for increased productivity
• Ensures accountability, responsibility and transparency
• Allows information to be appropriately distributed and policy driven
• Instant reporting and task management especially important during incident management
• Manages your BCMS through automated workflows
• System Administrators use the software quickly with minimal training.
• Integrated emergency notification provides instant incident communications and managment

£16,000 to £38,000 a licence a year

• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Lisa.mcstay@continuity2.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

365684822832234

Contact

Lisa McStay
07703721957
Lisa.mcstay@continuity2.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Scheduled Outages as described below: - ; 1. Housekeeping tasks: Housekeeping tasks will only be performed between the hours of [6:00pm and 06:00am.] and will be non invasive; 2. Server Operating System Patches & Upgrades: Server operating system patches and upgrades will be applied to the System, should they be required to ensure continued support by the operating system vendor; 3. System / Application Upgrades: System / Application upgrades will be applied as necessary to facilitate continued support.
• System requirements:
  • PC / Laptop / Mobile Device
  • Recommended 4GB Ram, I3 processor or above
  • Browser Software - Chrome, Edge and Safari
  • Microsoft Office 2007 minimum
  • 10Mbps Download Speed minimum

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: C2 provide a help desk between the hours of 08.00 and 22.00 UK Standard Time, Monday through Friday, with the exception of Christmas Day, Boxing Day, New Year’s Day and the first working day of January. ; ; Users can report issues within the application, via the Issue button or by telephone (0845-0944420), the details of the fault / issue are be logged on our Incident management systems and passed directly to C2 support. If the user logs the fault via the application, they will receive an email confirmation of their fault number and a summary of the fault that they logged.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: All clients have 2 Account Managers - one form the technical side and one from the business resilience side of our support desk. ; We also offer 3 levels of support available, under contract and at no additional cost: -; 1. First support level - all faults / queries should be directed to The Customer ’s System Administrator, who will be able to answer most “How do I?” questions. Should the system administrator be unable to resolve the fault / issue, they will then log it with second level support, the Continuity2 helpdesk or Ticketing facility .; 2. Second support level - Continuity2 helpdesk who will answer technical questions and log faults for The Customer Systems Administrator, in all instances contact will be made with the user within 2 hours of a query being raised, and confirmation of actions being taken passed to the user.; 3. Third support level - Continuity2 development team who will be passed those faults / issues not resolved by the first two levels of support. Contact will be made with the Customer System’s Administrator within 4 hours of the fault being passed to third level support.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Upon contract signing, C2 will engage to introduce the key personnel who will take the client through the Meridian BCMS deployment journey. Each C2 deployment project is assigned a Technical Lead and a Risk and Resilience Analyst Lead. These individuals will be your main points of contact from deployment kick off to go live and thereafter.; ; A project plan will be created and agreed mutually, this will include all important milestones, target dates etc including Site Creation, Site Branding, Organisational Structure Set Up, Business Impact Analysis Set Up, Plan Template(s) Creation, Contact Data Configuration, Notification Testing and System Administrator Training (two days).; ; C2 will provide a full user guide on the application along with quick reference guides, these will be digital copies so they can be stored and used on-the-go. Following the MBCMS deployment we offer additional training sessions for admins which can be carried out via online web-sessions. C2 adopt the "Train the trainer" approach so we endeavour to ensure that your system admins are in a position to provide further training to any potential new users during their internal roll-out of the system.
• Service documentation: Yes
• Documentation formats:
  • PDF
  • Other
• Other documentation formats: Word (if required)
• End-of-contract data extraction: SQL backup is provided to clients when contract ends. This contains all client data. Clients also have the facility to download all plans and documents stored within the BCMS. We provide offboarding documentation detailing the end to end process.
• End-of-contract process: Upon any termination of an Agreement, Continuity2 and The Customer will promptly comply with the termination obligations specified under clause 11 of our agreement and otherwise cooperate to terminate relations in an orderly manner. In order to comply with regulatory requirements, The Customer shall be entitled (but not obliged) to continue to use the Software and have access to all The Customer generated data until it has another solution in place, such period not to exceed six months and provided that The Customer pays a licence fee for any such period which is on a pro-rata.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: We offer both IOS and Android apps for BCMS. There are some differences in functionality. They're specifically designed for each client and offer:; * Communicate: Call recovery team, send text message & send email.; * View plan: View plan, battlebox files access & controlled documents.; ; The mobile application negates the requirements for "hard copy" BCPs ensuring that everyone has access to the right information, immediately, during an incident.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: No
• Customisation available: Yes
• Description of customisation: The application is highly configurable with over 400 specific configuration items. Including branding the system to match your company policies on logos, we work with you to configure your BIA's, plan templates and system modules.; ; A system administrator can manage/change:; Organisation Structure - Configuring the tool to meet your organisations structure; Dynamic Templates - Creating, editing and deploying new plan templates ; Plans and Call Lists - Creating plans and call lists for incident response Business Impact Analysis - Configuring and deploying BIA in your organisation ; Plan Exercising - Exercising the plan and documenting observations, recommendations and actions ; Document Management System - Uploading and maintaining documents for your organisation ; Document Control - Maintenance of document versions through review, sign off and automated distribution ; Management Information - Outputting live management information about the organisations BCMS ; Contact Training - Providing training to contacts with responsibilities in the BCMS ; Corrective Action - Creating and monitoring observations, recommendations and actions ; Reports - Output of various reports on the BCMS Compliance - Monitoring compliance against defined standards ; Managing Contacts - Uploading and updating contact data ; Importing of Suppliers , System / applications etc. for BIA analysis ; Manage Auditing - Creating, editing, issuing and managing audits.

Scaling

• Independence of resources: All clients have a separate VM, URL and database which ensures that they can run independently from any other client. ; The F5 workload balancer ensures that the resources are available when required by the client VM and that no single client can utilise all resources at the detriment to any other client. ; This is monitored in real time and any traffic / network / resource issues are flagged and resolved immediately.

Analytics

• Service usage metrics: Yes
• Metrics types: We are able to provide service metrics in the form of a word document which is updated with user logins per month, storage used, SMS sent, tickets raised and future releases. We can provide these quarterly upon request.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest:
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: User can export their data in many ways throughout the application including:;  PDF Reports;  XLS Outputs for reports, contact data and organisational structure;  Word output for compliance reports.; ; Users simply select the output for the function they require for example, view plan allows a PDF copy of a BCP, view BIA produces PDF report of their Business Impact Analysis etc.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • PDF
  • Word
• Data import formats:
  • CSV
  • Other
• Other data import formats: XLS

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.7%. The System / Application will be made available to the client 24hours x 7days other than during downtime agreed in advance with the client or in the event of an unforeseen disruption which requires the System / Application to be switched to the alternative data centre within the documented RTO.
• Approach to resilience: Microsoft Azure provides the foundation on which the system is built. This has been configured in accordance with the Azure Security Benchmark (ASB) that provides prescriptive best practices and recommendations that help improve the security of workloads, data, and services on Azure.; ; Based on Kubernetes (AKS) and container technologies, the service platform is deployed in a highly available configuration within Azure Regions ensuring no single point of failure. Each AKS cluster is distributed across multiple availability zones (data centres within a region) to ensure that even if a data centre were to be lost, the system will be automatically recovered to a different availability zone within the same region. All data (DB and file storage) is replicated in real-time across these same availability zones to ensure that no matter where the system is running or if a data centre is lost, your data will always be available and up to date.; ; As well as this, data backups are geo-replicated to a separate, nearby Azure Region to ensure that in the highly ; unlikely case that an entire Region is lost (multiple data centres), the services can be resumed from another.
• Outage reporting: Email, SMS and telephone are used to inform clients of any incidents or planned outages.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Role based security is employed and users can only see their specific area and business area. System administrators can define user rights via the user management functionality.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: Between 6 months and 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessments Bureau
• ISO/IEC 27001 accreditation date: 25/06/2021
• What the ISO/IEC 27001 doesn’t cover: N/A
• ISO 28000:2007 certification: No
• CSA STAR certification: Yes
• CSA STAR accreditation date: 19/06/2020
• CSA STAR certification level: Level 3: CSA STAR Certification
• What the CSA STAR doesn’t cover: All parts are covered.
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Continuity2 are ISO 27001 certified and all our security policies align to these standards.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Continuity2 have a defined and documented processes for configuration management. This defines the procedures to be followed when making any system configuration changes. Our configuration control process implements this process. We have a separate change management process which defines how changes will be controlled, applied and monitored. Changes are assessed for Security vulnerabilities as part of the process.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Continuity2 evaluate all changes for Security vulnerabilities as part of the deployment process. Application Patch management is defined within the Change procedure, and server / OS / network patching is defined within the patch management procedure. Information is provided from suppliers e.g. Microsoft, data centre and technical resources.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Compromises are identified via PEN testing and technical resources. The system actively monitors all traffic to identify risks and potential threats. These are logged and reviewed and any vulnerability is assessed and controlled as soon as is possible.
• Incident management type: Supplier-defined controls
• Incident management approach: We are certified to both ISO 22301 and to ISO 27001 which require us to have predefined incident management processes in place. Incidents can be reported by users via the application and these are passed directly to the Service desk for treatment and resolution . Post incident reports are supplied to clients after an incident detailing incident, actions taken, root cause analysis and any subsequent actions required.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Tackling economic inequality

  We offer all employees attractive salaries and are part of the living wage foundation.

  Equal opportunity

  C2 have employees from many different nationalities and backgrounds, age, sex and race.

  Wellbeing

  We support employee wellbeing through multiple channels, team events, regular 121s, employee feedback questionnaires focusing on wellbeing, encourage exercise and regular breaks from your screen.

Pricing

• Price: £16,000 to £38,000 a licence a year
• Discount for educational organisations: No
• Free trial available: Yes
• Description of free trial: We offer a 2 week trial period. Using a small amount client approved data, we take a "bite-sized” approach to training and use of the system. Expect focused user/training sessions, full support from our service desk throughout with regular check ins. Full suite of training materials also provided.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Lisa.mcstay@continuity2.com. Tell them what format you need. It will help if you say what assistive technology you use.