
RISK LEDGER LTD.

Risk Ledger, vendor risk management and supply chain security platform

The Risk Ledger network is a vendor risk management and supply chain security platform that enables organisations to increase their resilience and better manage security in their suppliers. Risk Ledger addresses third-party risk management, remediates supplier vulnerabilities, and identifies and remediates concentration, data protection, GDPR, financial and ESG risk.

Features

  • NCSC cyber assessment framework (CAF) supplier security maturity assessment.
  • Supply chain assessment to measure financial risk in vendors.
  • Measure environmental risk, social risk, and governance risk in suppliers.
  • Continuous supplier risk monitoring of your suppliers' ongoing risk profile.
  • Measure sub-contractor compliance of fourth, fifth, and sixth parties.
  • Supply chain mapping to measure and assess concentration risk.
  • Real-time risk reporting with live dashboards and network visualisations.
  • Browser-based remote access, multifactor authentication, and single sign-on.
  • Maintain GDPR compliance, PCI DSS compliance, and other regulations.
  • Supply chain security vulnerability assessment and supply chain remediation.

Benefits

  • Supplier security incident reduction and supplier risk management.
  • Supply chain security risk reduction and risk management.
  • Reduce financial risk and ESG risk of your supply chain.
  • Maintain and increase compliance with key regulation, reducing fines.
  • Reduce the time taken for new supplier onboarding.
  • Quickly and easily review supplier security and remediate vulnerabilities.
  • Supplier security review cost reduction, increased efficiency, increased effectiveness.
  • Continuous alerts on new supplier vulnerabilities and remediation.
  • Analyse, measure, and reduce concentration risk of critical suppliers.
  • Maintain ISO27001 compliance, PCI DSS compliance, SOC 2 compliance.

Pricing

£120,000 a licence a year

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@riskledger.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

507915796139554

Contact

RISK LEDGER LTD. Sales
Telephone: 07510305024
Email: sales@riskledger.com

Service scope

Software add-on or extension
No
Cloud deployment model
Public cloud
Service constraints
We currently operate at 99.999% uptime. All scheduled maintenance is done out of business hours and clients are notified in advance. Users must have an up-to-date, in-support browser. Internet Explorer is not supported. There are no other service constraints.
System requirements
Users must use MFA, either through SMS or authenticator app.

User support

Email or online ticketing support
Email or online ticketing
Support response times
All support requests are responded to within 4 business hours of them being received.
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
WCAG 2.1 AA or EN 301 549
Web chat accessibility testing
We use Intercom for our user support web chat, so accessibility testing is not done by us. However, its accessibility is as follows:
  • Screen reader support: the Messenger is accessible via screen readers.
  • Colour contrast: all text in the web Messenger is clearly visible, using colours with sufficient contrast.
  • Keyboard navigation: every component of the Messenger can be accessed using a keyboard without requiring a mouse or trackpad. Visual indicators of focus are present for sighted users.
Onsite support
No
Support levels
All support is accessed via email, web chat, or telephone. Once received, Risk Ledger will prioritise the support into general questions or a support ticket (ranging from P1 to P4) as per our terms. All support is included in our standard pricing and there is no extra cost. Our enterprise customers receive a dedicated technical Customer Success Manager.
Support available to third parties
Yes

Onboarding and offboarding

Getting started
Our customer success team supports onboarding and provides virtual training. We also have extensive onboarding documentation, an in-house consultant who can support client embedding, and an extensive knowledge base.
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Data can be exported by users (as CSVs, ODF, PDFs) through the platform, or they can request a data dump in CSV format via their Customer Success Manager. This is included within the contractual cost of the platform.
End-of-contract process
At the end of the contract, if the client does not wish to renew they have the option to export their data (either manually themselves or via their customer success manager) and have their accounts suspended or deleted. This will all be managed by the customer success team.

Using the service

Web browser interface
Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
Application to install
No
Designed for use on mobile devices
No
Service interface
Yes
User support accessibility
WCAG 2.1 AA or EN 301 549
Description of service interface
Users connect through their web browser to our easy-to-use graphical interface.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
We have tested the colour contrast and keyboard navigation with users. We asked users of assistive technology to use our platform in the presence of our product team and to provide feedback on any challenges they faced. These challenges were then mitigated through the further development of our product.
API
Yes
What users can and can't do using the API
Users can call our API to receive data from our platform related to the use of the services.
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
No
Customisation available
No

Scaling

Independence of resources
Our platform scales vertically because it runs on an elastic computing platform (processing capacity can be increased or decreased in real time).

Analytics

Service usage metrics
Yes
Metrics types
We can provide a variety of service metrics, including platform availability, specific metrics around supplier management and onboarding, and client-specific metrics on their users' management of their suppliers.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can export their data by logging in and using the "Export data as CSV" or "Export data as PDF" tools built into the User Interface, or by contacting their customer success manager and requesting their data to be exported as a CSV, ODF, or PDF.
Data export formats
  • CSV
  • ODF
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Risk Ledger’s web-based Services will be available for a minimum of 98% of time within each calendar month. Scheduled Maintenance will be excluded from downtime. “Available” means that the Site is operating, and all basic functions are accessible. We operate service credits if this level of availability is not achieved.
Approach to resilience
We operate multiple availability zones and failover sites. Details can be provided upon request.
Outage reporting
Email alerting is primarily used. If requested, we can also provide phone-based alerts via our customer success team. This is included within the cost and can be provided on request to your customer success manager.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
All management interfaces are only accessible by authorised personnel, and CTO sign-off is required before access is provisioned. All access is secured via a bastion host, IP address whitelisting, and SSH keys which are rotated regularly. All support channels are secured using 2FA and complex passwords. Access is reviewed quarterly.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
British Standards Institute (BSI)
ISO/IEC 27001 accreditation date
22/06/2023
What the ISO/IEC 27001 doesn’t cover
The certification covers the entire organisation.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Cyber essentials
Yes
Cyber essentials plus
No
Other security certifications
No

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
Cyber essentials
Information security policies and processes
Our information security policies are aligned to ISO27001. We have a full suite of policies that are annually reassessed and signed off by the board. Compliance with policies is monitored by the senior leadership team who receive extensive training.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Our hosting infrastructure is deployed using infrastructure as code. We keep an up-to-date bill of materials and use GitHub's Dependabot to monitor for vulnerable software packages. When deploying new infrastructure we follow a secure configuration process to ensure the devices are hardened, and we run monthly vulnerability scans against all devices.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
We use a variety of inputs to monitor for any potential vulnerabilities we may be exposed to, including but not limited to monthly vulnerability scans (with additional scans conducted when new vulnerabilities are announced), a tool that monitors our software packages, and a tool that monitors our AWS infrastructure. Any vulnerabilities identified are risk assessed and remediated within 48 hours.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use a variety of IDS tools to monitor our hosting infrastructure. Any alerts indicative of a breach are sent to our product and security teams who investigate the alert and invoke our incident response process. Incidents are responded to immediately.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have a defined and documented incident response process which triages and responds to each incident. All security incidents are triaged as priority 1. Users can report incidents either via our support channels or to their customer success manager. Once the incident is resolved and investigated we provide our clients with a notification and report which includes a root cause analysis and future remediation actions. This is provided to the Lead user of the client's Risk Ledger account.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
No

Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity

Fighting climate change

Risk Ledger has a full suite of environmental management policies that we follow to ensure our impact on the environment is minimised. We conduct assurance against suppliers to ensure we are minimising environmental risk and we follow several frameworks to minimise and offset our carbon emissions.
Our platform also helps our clients to identify a supplier’s maturity when it comes to environmental management through our ESG (environmental, social, and governance) risk domain. We help our clients to ensure their suppliers also follow best practice environmental management.

Covid-19 recovery

Risk Ledger's platform increases supply chain resilience. We build communities of organisations within the supply chain to help them share cyber resilience best practices and improve systemic resilience. Our platform is a cyber assurance supply chain platform that measures and decreases cyber security risks in the supply chain.

Tackling economic inequality

Risk Ledger provides paid internships to students to support them in their studies.

Equal opportunity

Risk Ledger is an equal opportunities employer with a full suite of diversity and inclusion policies that we follow to ensure this.

Pricing

Price
£120,000 a licence a year
Discount for educational organisations
No
Free trial available
Yes
Description of free trial
Limited number of users, features, and limited number of connections to suppliers allowed. Trials typically run for 2 weeks but this will be agreed on an individual basis.
Link to free trial
Contact our Customer Success or Sales team.
