DECISION FOCUS UK LIMITED

GRC Software Solution

Decision Focus provides a single integrated platform to meet your GRC needs. Our modules help to manage your risk, compliance and audit process and the no-code structure helps you to configure and adjust the platform to for yourself.

Features

• Integrated cloud-based SaaS platform
• 20+ modules (Risk, Compliance and Audit)
• Dashboard analytics
• Real-time performance monitoring
• Exception reporting
• Workflow logic, targeted notifications, action tracking
• No code platform
• Automation (e.g., risk committee board reports)
• Open API for third-party integration
• Optional AI features (e.g., generative AI / NLP)

Benefits

• Access a single repository of GRC data
• Streamline data analysis and control data sharing
• Assemble modules together for a consolidated list of actions
• Flexibly customise a module to your existing framework
• Benefit from quick-to- value "off-the-shelf" modules
• Fast adoption of software with modern, easy-to-use UI
• Be "regulator ready" with a single source of truth
• Implement in weeks (not months) without IT resource
• Reduce laborious manual regulatory analysis with AI (ECE)
• Increase data input precision with generative AI features

£60,000 a unit

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at glen.howell@decisionfocus.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

425235226983329

Contact

Glen Howell
+44 7934 659 276
glen.howell@decisionfocus.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: No
• System requirements: Browser: Chrome, Edge or Firefox

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times are based on the severity of the issue raised, support is available Mon- Fri 9am - 5.30pm.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 3 Levels of support packages are offered (in additonal to the standard support that comes with the software). The cost of the packages is defined by the size and the complexity of the implementations i.e. number of domains/modules deployed, number of users and locations. A Technical Account Manager is included within our Tier 1 Package .
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We will work with the client to agree the best way for their end users to be trained on using the system. This can be a combination of onsite or online training as required.
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: We would work with the user to extract their data as needed, our default method is to download in csv format but will work with clients if their needs are different.
• End-of-contract process: We will work with the client to agree the process for shutting down their system, all work will be scoped and charged on a time and materials basis.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 AA or EN 301 549
• Description of service interface: It contains a web service interface that can be accessed through a browser.
• Accessibility standards: WCAG 2.1 AA or EN 301 549
• Accessibility testing: We automatically scan for accessibility issues
• API: Yes
• What users can and can't do using the API: Decision Focus has an open API and can easily integrate other systems as long as they too have APIs.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The Decision Focus platform is a no-code solution. This means that all forms, fields, dashboard and reporting etc can be configured by users once they have had adequate training rather than being reliant on developers.

Scaling

• Independence of resources: Through scaling capabilities, load balancing, rate limits on the API and resource monitoring.

Analytics

• Service usage metrics: Yes
• Metrics types: Service Metrics can be reported on requests.
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: CSV and Excel exports are available from the tool
• Data export formats:
  • CSV
  • Other
• Other data export formats: Excel
• Data import formats:
  • CSV
  • Other
• Other data import formats: Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: There is a uptime SLA within our standard contract which specifies a target of 98.5% each month taking into account agreed exceptions.; ; We do not offer refunds/service credits
• Approach to resilience: Available on request
• Outage reporting: Email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: Also using Single Sign On with integration with client's active directory.
• Access restrictions in management interfaces and support channels: The platform offers a customisable approach to data access, extending from the broader organisational structure (e.g. legal entity, region, department) down to individual roles profilrd and even specific named individuals. This robust configuration ensures that users can access only the data pertinent to their roles, fostering a secure and tailored user experience. ; Our system allows for nuanced control, enabling data to be editable for some stakeholders while restricting it to read-only access for others, aligning precisely with the unique needs and permissions of each user within Zurich.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 28/09/2023
• What the ISO/IEC 27001 doesn’t cover: All areas with in our Statement of Applicability have been reviewed and covered as part of the certification.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have all necessary policies in place to comply with the ISO 27001 framework, these are reviewed internally and updated annually, all staff have to read and attest to their understanding and compliance on an annual basis. We are subjected to external audits which review processes and our compliance of them as part of the ISO accreditation. There is a monthly information security meeting with senior staff to discuss relevant changes/incidents.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our configuration and change management processes involve tracking all service components through their lifecycle and utilising version control systems that maintain a history of changes, enabling rollback if necessary and tracking who made changes and why. Changes are carefully reviewed by to evaluate potential security risks and are monitored through automated a scannings
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our vulnerability management process is designed to systematically identify, assess, and mitigate threats to our services. We continuously monitor to stay informed about potential threats. ; When a potential threat is identified, we conduct a assessment to determine the risk it poses to our services. This assessment includes analyzing the threat's severity, potential impact, and the likelihood of exploitation. Based on this analysis, we prioritize the deployment of patches and updates, aiming to address critical vulnerabilities as quickly as possible, often within days of a patch's release. This proactive approach ensures that our services maintain robust defenses against emerging security threats.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: We utilise monitoring tools to continuously scan our network and systems for unusual activity that could indicate a compromise. We aim to respond to incidents within hours of detection, ensuring rapid mitigation to minimise potential impacts on our operations and maintain the integrity of our services.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Users report incidents via our online portal. After resolving an incident, we provide detailed reports that outline the incident, response actions, outcomes, and lessons learned to improve future responses and maintain transparency with stakeholders.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  We are committed to bringing the benefits of GRC software to a wide as possible market, by disrupting the market through high value services tailored to our clients needs. This means that companies of all sizes are both creating jobs and training staff on new skills. The application of the frameworks that we support bring greater resilience to the supply chain of our users allowing them to diversify their supply chain.

Pricing

• Price: £60,000 a unit
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at glen.howell@decisionfocus.com. Tell them what format you need. It will help if you say what assistive technology you use.