JC Applications Development Limited

JCAD CORE Risk, Control & Compliance Management Software

JCAD is an off the shelf ERM software. It simplifies the storage, management & reporting of risk, controls, actions & compliance data. It provides easy risk & control review, risk appetite, opportunity management, system reminders & many reporting options including data output through API's to your own BI software.

Features

• Enterprise risk & compliance management
• Incident & opportunity management
• Internal control management
• Audit recommendation management
• System generated emails for reviews, events and approvals
• Realtime alerts
• Realtime dashboard
• Client configurable
• Quick to implement
• Can utilise ISO31000, OGC & IRM guidance

Benefits

• Overview of all areas of compliance in one place
• Tailored to your own framework, terminology, structure and categories
• Ensure no task or activity is missed
• Provides a business-wide standard format for ERM
• Easily demonstrates compliance
• Removes need for multiple spreadsheets
• Easily compare and analyse risk performance across the business
• Entire organisation can view reports if necessary
• Aligns risk to corporate objects
• Enables linking between registers for a holistic view of risk/compliance

£110 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at phil@jcad.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

377354258387982

Contact

Phil Walden
01730 712027
phil@jcad.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Private cloud
• Service constraints: None
• System requirements: Edge, Safari, Mozilla or Chrome

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Our support desk runs 9 - 5.30 Monday through Friday. We guarantee immediate acknowledgement and fix within 4 hours. If this is not possible we keep the client informed and there is a defined escalation process that is followed for serious issues that can not be resolved within 24 hours. ; We also have a specific SLA that details support times for hosted products.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: None or don’t know
• How the web chat support is accessible: Web chat is a feature of our CRM system, Hubspot. Anyone using our website is able to ask a question. This feature is monitored by JCAD (through an alerts facility) to ensure timely responses are provided.
• Web chat accessibility testing: None
• Onsite support: Yes, at extra cost
• Support levels: SLA for response times is based upon severity level.; ; Low - Within 24 hours; Medium - Within 24 hours; High - Within 8 hours; Critical/Significant customer impact - Within 4 Hours; ; Costs for the support detailed above are included within our maintenance fee.; ; Each client will have access to an Implementation Consultant and an Account Manager as well as the dedicated support desk. Should the issue lie with our hosting partners then JCAD will work with them to resolve.
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Due to the nature of the system being "off the shelf" we adopt a standard approach to implementation which means that it can be achieved quickly and with a low resource from the client.; ; The basic approach is as follows.; ; 1. Client receives access to evaluation site to enable review of system prior to configuration; 2. Pre-implementation meeting (remote or onsite) with assigned consultant to discuss configuration and to provide sufficient training to enable this review.; 3. Over the course of an agreed timeframe - consultant and client will agree relevant customisations; 4. JCAD configures database based upon discussions; 5. Prototype database created; 6. Further training provided to enable prototype testing (remote or onsite); 7. Changes made if necessary; 8. System goes LIVE; ; We would normally expect an implementation to go live within 4 - 12 weeks.; ; Online documentation is provided as part of the system and this can be amended to fit the clients own framework.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • Other
• Other documentation formats:
  • Online help
  • Video
• End-of-contract data extraction: Data is extracted by the client in Excel format. If necessary JCAD can provide assistance with this but professional services may then be involved if it is more than the provision of a .csv or .xls format of record and action data.
• End-of-contract process: Once the contract is terminated, all access to the cloud service will be denied. If requested within 90 days of termination JCAD will provide a data export (at no charge) of risk and control data in .csv, html or Excel format.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: The application can be accessed from smart phone or desktop but the user interface changes appropriately dependant upon screen size.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: Yes
• What users can and can't do using the API: The API allows the user/organisation to retrieve data over a secure connection for reporting purposes with applications such as Power BI or Microsoft Excel
• API documentation: Yes
• API documentation formats:
  • PDF
  • Other
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: We operate in the MS Azure environment - Segregated customer instances have ringfenced resources to ensure that one customer doesn't take up a disproportionate amount of a single resource.

Analytics

• Service usage metrics: Yes
• Metrics types: Usage metrics such as who logged in, when they logged in and what they accessed are available as a report.
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: Less than once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: If necessary then data can be easily exported from within the system grid views to Excel. This takes the fields & data within that view and exports to Excel. A data export can also be setup from with the Reports area for direct export into Excel.; ; The API can also be used to extract data in to the relevant BI tool available at client site.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • Pdf
  • Word
  • Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: The infrastructure has 100% network uptime availability. We aim to provide 99.99%. Application availability outside schedule maintenance windows.
• Approach to resilience: JCAD use the MS Azure environment with the .....
• Outage reporting: Email alerts in the event of an outage

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
• Other user authentication: IP restrictions can be applied to restrict access to the application from specific IP ranges.
• Access restrictions in management interfaces and support channels: Access is restricted to designated support staff at a level required for them to perform their role. An escalation process in place whereby senior staff can also interface if needed.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ISOQAR
• ISO/IEC 27001 accreditation date: 25/03/2024
• What the ISO/IEC 27001 doesn’t cover: We are compliant with all elements of the ISO27001:2022 standard.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards:
  • ISO/IEC 27001
  • Other
• Other security governance standards: JCAD is independently certified ISO27001:2022 and ISO9001:2015 and also Cyber Essentials Plus standard.
• Information security policies and processes: We have an information security policy which is applied by our consultants when working with client data. The same policy is used in relation to our own data.; ; Our Head of Operations and MD are responsible for each of these respectively. Any breaches or issues will be reported to one of them.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: All our services are monitored through threshold capacity monitoring on CPU, RAM, HDD and server availability monitoring with live SMS and email notification to support staff.; ; Any server changes go through a change control and risk assessment process and are logged.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Our infrastructure has vulnerability scanning performed regularly to highlight any potential vulnerabilities and has virus and threat protection in place. ; Patches are deployed within a short period of time to address any vulnerabilities.; Potential threat information is obtained from best practice review and industry focus based literature.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises can be highlighted by industry focus literature, client feedback, penetration testing. Any potential compromise will be reviewed for mitigation requirements and based up the level of risk addressed within a short period.
• Incident management type: Supplier-defined controls
• Incident management approach: Incidents are recorded and assessed for root cause, resolution actions and resolution effectiveness. Common events are handled by our support team and incident tracking systems. Users can report incidents to our support team by phone or email during support hours.; As part of ISO27001:2022 our incident reporting policies and procedures are recorded and actioned routinely should they occur. ; JCAD have a Information & Security Policy that includes details of our incident management approach.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  A 2018 study found that using the Microsoft Azure cloud platform can be up to 93 percent more energy efficient and up to 98 percent more carbon efficient than on-premises solutions. This is why JCAD have partnered with Microsoft.; ; Within our organisation cloud computing and remote working have reduced emissions from less travelling to and from the office and a reduction in other forms of business travel.; ; JCAD also look to our supply chain to increase sustainability and reduce our carbon footprint.

Pricing

• Price: £110 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Access to a demo site is available. A user is able to interact with a full version of the software for an agreed time. A low cost POC is also possible if more access is required along with some limited configuration.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at phil@jcad.com. Tell them what format you need. It will help if you say what assistive technology you use.