enCircle Solutions Ltd.

Integrated Governance, Risk and Compliance, (GRC) Management System

XMS (eXtensible Management System) is a fully integrated governance risk and compliance platform which helps organisations understand their residual risk and track service requests, incidents, problems, corrective actions and non-conformances, to fully understand their policies, procedures, legislative commitments and security posture in one single view.

Features

• Legislative Register and Residual Risk Management
• Scope Taxonomy Definition and Control Evidence Mapping
• Integrated Management Policies and Procedure Manuals
• Corrective Actions and Non-Conformances
• Service Catalogue and Configuration Items
• Service Requests, Incidents and Problem Management

Benefits

• Holistic view of risk and compliance across all teams
• Consistent approach to controls and risk treatment plans
• Massively reduced cost of compliance
• Become agile and responsive to evolving legislation
• Single view of the truth

£1,278 to £50,000 a unit a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@encircle.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

405313007967575

Contact

Darren Woods
08449910109
gcloud@encircle.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Community cloud
  • Hybrid cloud
• Service constraints: None
• System requirements: Computing platform

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim to respond to questions immediately but always within 4 hours.; ; Standard working hours: Monday-Friday 9:00 to 17:30.; ; - P1 Critical (Service unavailable, or >70% users affected and no workaround): Immediate response, 1hr fix.; - P2 Major (Service degraded >30% users affected, difficult or no workaround available) : 1hr response, 2hr fix.; - P3 Medium (Component or module malfunction, simple workaround available) : 2hr response, 2hr fix.; - P4 Minor (Service request, feature enhancement, how to): 4hr response, 8hr fix.; ; NOTE: Weekends, public holidays and out of hours support available at additional cost. Elapsed times based on working hours.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: Custom font sizes, high contrast options, screen reader compliant.; ; Keyboard Accessibility:-; Move focus to the next element [tab]; Move focus to the previous element [shift] [tab]; Move focus from messages* [up arrow] or [down arrow]; Move focus to the next section** [F6]; Move focus to the previous section*** [shift] [F6]; Take action or "click" on buttons [space]; Take action or "click" on links [enter]; Close windows, menus or the message field [escape]; ; *Using a screen reader, you may need to toggle the virtual cursor.; **If using in a browser, use .; ***If using in a browser, use .; ; Reading messages; Press [F6] to move to the message window.; Press [up arrow] or [down arrow] to navigate between individual messages.; Or use any of these keys:; ; • [page up] or [page down] to move up or down.; • [home] to go to the oldest message.; • [end] to go to the most recent message.; • [space bar] to scroll through messages.; ; Interact with messages; Press [F6] to move to the message window.; Press [up arrow] or [down arrow] to navigate between messages.; When focused on a message, press [tab] to scroll through items.; Press [enter] to select.
• Onsite support: Onsite support
• Support levels: We provide comprehensive managed services to ensure the smooth running of cloud systems and software. Our team of experienced staff have an obsessive approach to support, ensuring end users are delighted by the services they are consuming. We support both buyer services and third party services provided by companies such as Microsoft, Memset, Amazon and Google (to name just a few). Private cloud / hybrid hosted solutions are also supported, e.g. where client support teams are over capacity or lacking experience in the particular software or service in question. We provide Open Source software support, including code audits and quality assurance, vulnerability assessment and monitoring. We provide an educated interface between clients and third party organisations, ensuring prompt communication and resolution of bugs, problems and known errors.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We offer comprehensive onboarding services to ensure customer success. This includes discovery, design and configuration to support user stories. We then "train the trainers" and create a detailed ops manual, before handing over to BAU.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Encrypted archive downloaded via secure support portal.
• End-of-contract process: No additional costs, all off-boarding requirements are included in the scope agreed during the discovery phase.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: None
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: Web based interface through standard browser. Workflow items, interaction logging and monitoring.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: NV Access screen reader has been thoroughly tested with end users.
• API: Yes
• What users can and can't do using the API: Web services WSDLs, SOAP and REST available.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Processes, Forms and Business rules are all customisable by non technical business users.

Scaling

• Independence of resources: Our services are built on a scalable architecture, using cloud-based solutions like Amazon Web Services (AWS) and/or Microsoft Azure, that can automatically scale to meet demand.; We implement load balancing techniques to distribute traffic evenly across multiple servers, ensuring that no single server is overwhelmed by demand. We continuously monitor performance and resource usage, and conduct stress tests to simulate high-demand scenarios.

Analytics

• Service usage metrics: Yes
• Metrics types: Metrics including availability, uptime, response times, page views and other analytics such as origin country, unique users, etc...
• Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Supplier-defined controls
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users can export their data from the administrator dashboard or via batch API.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: Uptime guarantee: We offer availability guarantees of 99%, 99.98% and 99.99%, depending on customer requirements. Service credits: If we fail to meet the uptime guarantee, our customers may be eligible for service credits, which are typically a percentage of the monthly service fees. Maintenance windows: We may reserve certain maintenance windows, such as weekends or off-peak hours, during which the service may be temporarily unavailable. Exclusions: We exclude certain events, such as force majeure events or user-caused issues, as these are out of our control. Reporting: We provide regular reports on service availability and performance to our customers, as part of regular service level reviews.
• Approach to resilience: Our services are designed to be fault-tolerant, meaning that they can continue to operate even if individual components fail. We use techniques such as replication, redundancy, and automated failover to ensure that services are resilient to component failures. Services can be deployed across multiple Availability Zones (AZs), which are physically separate datacentres within a single region. We implement network security features, such as Virtual Private Clouds (VPCs), security groups, and network access control lists (ACLs), that allow users to control access to services and data.
• Outage reporting: We offer a service availability dashboard to our customers, along with email and Slack notifications of outage events. After a service interruption, we may also conduct a post-mortem analysis to identify the root cause of the issue and develop strategies to prevent similar issues in the future. The results of these analyses are shared with our customers through debrief sessions and service level review meetings.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
• Access restrictions in management interfaces and support channels: We grant users the minimum level of access necessary to perform their job functions. This is achieved through role-based access control (RBAC), which assigns users to specific roles with predefined access levels. We require users to provide multiple forms of authentication, such as a password and a security token, to access management interfaces and support channels. We segment networks into different zones, such as production, development, and management, and restrict access between zones to prevent unauthorized access to management interfaces. We use encryption to protect sensitive data, such as login credentials and support tickets, in transit and at rest.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: CFE Certification Ltd.
• ISO/IEC 27001 accreditation date: 01/09/2024
• What the ISO/IEC 27001 doesn’t cover: A11.1.6 - Delivery and loading areas (Remote organisation with no owned office space)
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Security Policies: We maintain a comprehensive set of security policies that define our approach to information security. These policies cover areas such as data protection, access management, incident response, and risk management. We are certified to a number of compliance standards and frameworks, including ISO 27001, Cyber Essentials and Cyber Essentials Plus. We provide security awareness and training programs to our employees to ensure that they understand and comply with our security policies. We have a robust incident response process that is designed to identify, respond to, and mitigate security incidents. The process includes procedures for incident reporting, investigation, containment, and recovery. We conduct regular audits and compliance monitoring activities to ensure that our security policies and processes are being followed and that our services meet the highest standards of security and compliance. We have a small but dedicated team that reports directly to our Technical Director who is ultimately responsible for information security.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Management approach ; We maintain a CMDB that tracks the configuration and status of all IT assets, including hardware, software, and network components. We follow a formal change management process. Changes are submitted through a formal change request process, which includes a description of the change, the business justification, and an impact analysis. Changes are reviewed and approved by a change advisory board (CAB) that includes representatives from security. Approved changes are implemented using automated tools and processes where possible to ensure consistency and reduce the risk of errors.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We regularly scan all systems and applications for vulnerabilities using automated tools and manual testing. We stay up to date on the latest threats and vulnerabilities by subscribing to threat intelligence feeds and vulnerability databases such as the Common Vulnerabilities and Exposures (CVE), and the Open Web Application Security Project (OWASP). We assess the potential impact and likelihood of each vulnerability to determine the level of risk it poses to the service. We monitor systems and applications for vulnerabilities and track patch deployment to ensure that all systems are up to date. Zero day patches are applied immediately where appropriate.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We continuously monitor systems, networks, and applications to detect potential security incidents. This can include monitoring system logs, network traffic, and user activity. We deploy IDS/IPS systems to detect and prevent intrusions and attacks. We use a SIEM system to collect, analyze, and correlate security events from multiple sources. We have a formal incident response process that includes detection, containment, eradication and recovery. We conduct a post-incident analysis to identify lessons learned and improve the incident response process. We respond to security incidents as quickly as possible to minimize the impact, ideally within 24 hours of detection.
• Incident management type: Supplier-defined controls
• Incident management approach: We have a clear incident management policy that outlines roles and responsibilities, escalation paths, and communication procedures. We classify incidents based on their severity, impact, and urgency to determine the appropriate response and escalation path. We have established pre-defined procedures for common incident types to ensure a consistent and efficient response. We provide clear guidelines for how clients should report incidents, including what information to provide and how to submit a report. We provide regular incident reports to stakeholders and management to keep them informed of incident status and resolution, including metrics such as time, volume and severity.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: Yes
• Connected networks:
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Health and Social Care Network (HSCN)

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are founded on the core ethic of Earth Care. All decisions are considered through the lense of climate change and how we can help increase biodiversity and reduce emissions. We have recently published our Carbon Reduction Plan which crystalises the efforts we have been taking over the past 20 years to support climate action: https://www.encircle.co.uk/our-net-zero-commitment-and-carbon-reduction-plan/ One of our core ESGs is to support the Permaculture Association of Britain, who are a registered charity promoting education and networking between local groups, supporting a groundswell of change within society.

  Covid-19 recovery

  enCircle understands that the Covid-19 pandemic has exacerbated existing economic and social challenges and created many new ones. We will work to aid the recovery of our local community and economy, especially through volunteering and work opportunities, community support and by developing new ways of working. We are looking to recruit a new apprentice to work on our service desk, as our most recent apprentice has recently moved onto a new role within the company. We will signpost this opportunity for someone that has lost their job throughout Covid-19, where possible. We offer our staff paid leave on top of their existing holiday allowance, to support volunteering within their local communities. As a contingency measure, and as part of DevSecOps best practice, employees will be cross trained in various functions to ensure that adequate cover is provided in different roles. To build the resilience of local SMEs, we will purchase supplies and services from them such as IT equipment and consumables where possible. We will continue to provide discounted services to charities and non-profits which provide mental health and social value such as the UK Permaculture Association and mindfulness and meditation organisations such as RIGPA.

  Tackling economic inequality

  One of our three core ethics is "Fair Share" which equates to improving economic equality wherever we can. At enCircle we ensure all our staff are paid fairly and well above the living wage. We intentionally recruit from a diverse range of ethnic and educational backgrounds, and being a virtual organisation we do not discriminate on geographical location. We have always strived to provide opportunities to young people via work experience and apprenticeships. Our most recent member of the enCircle team came to the UK as a refugee at the age of 11, speaking no English. We will continue to positively discriminate and recruit young people from least privileged backgrounds to address the imbalance in our society and help tackle economic inequality.

  Equal opportunity

  Although an SME, we pride ourselves on our diverse workforce and strive to nurture our team. We maintain an Equality and Diversity Policy to promote the equality of opportunity within our company and all business activities, reviewed annually to ensure compliance with best practice. The policy outlines the Directors’ responsibilities, our recognition of the protected characteristics as per the equality Act 2010 and our commitments as an organisation to eliminating direct or indirect discrimination, harassment of victimisation.; enCircle implement our policy and procedures by:; Monitoring and auditing data. This is a longer-term measure involving the collection of data about existing employees, job applicants, job offers, etc. to assess whether or not our policy is working. This data will be collected via an equality monitoring form, providing during the recruitment process.; The training of staff. A comprehensive training programme will be delivered so enCircle employees understand their responsibilities under the policy. Equal opportunities training will be provided in a variety of ways which may include sessions at induction, e-learning and vocational training. Regular refresher training sessions will be provided to reflect any changes in legislation.; Working closely with our employees to ensure that they feel comfortable within their working environment. We will make reasonable adjustments to working practices, equipment and premises, where appropriate.; All employees will be provided help and encouragement to develop their full potential and utilise their unique talents. Staff are encouraged to discuss their development and training needs through a process of regular support and annual appraisals. All staff are encouraged to pursue areas for development, including through internal promotion.

  Wellbeing

  Our HR department is responsible for managing our organisations capital to meet overarching business objectives; from attracting and retaining talent to guaranteeing the interests and wellbeing of our employees. Our HR Department will work in line with all UK HR regulations including The Age Discrimination and Employment Act, The Occupational Safety and Health Act and Equal Employment Opportunity laws, to name a few.; enCircle are currently developing a ‘People and Culture Policy’ that will help develop and integrate our people and culture strategy, which delivers a productive, engaged, and harmonious workplace. This strategy includes:; Defining core organisational values (Earth Care, People Care and Fair Share); Identifying people priorities (Mental health, family, and community); Prioritising equality, diversity, and inclusion; Developing values-based recruitment processes; Focussing on heath, wellbeing, and resilience; Developing and embedding values-based leadership competencies; Promoting a no-blame culture and embedding a ‘Resolution Policy’ to replace our discipline and grievance processes; We also implement the following wellbeing initiatives, and ensure they are a pillar of our overall employee engagement and benefit strategy:; We offer flexible working to ensure a healthy work life balance.; Meditation and Mindfulness resources, providing employees with tools and resources such as Online Mindfulness-Based Stress Reduction (MBSR) to support themselves.; Tangible rewards and memorable experiences such as instant recognition/feedback, mentoring programmes, training schemes, etc.; Regular continuous professional development (CPD) and personal development review (PDR) meetings will act as an opportunity for staff to highlight any challenges they are facing and for enCircle to implement the appropriate support or to signpost the member of staff to the appropriate mental health services, where necessary.

Pricing

• Price: £1,278 to £50,000 a unit a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: We offer free trials of our services to customer who qualify. These are full feature trials, limited by number of users and time, depending on client requirements.

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@encircle.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.