hicomply LTD

Hicomply - Cyber Assessment Framework (CAF) & NIS2

Cyber Assessment Framework CAF and NIS2 platform for risk and compliance management. Supporting CAF, NIS2, ISO27001, and other frameworks. A centralised GRC and ISMS solution.

Configurable tools, automation, and integrations enhance risk management, monitoring, and compliance. Ensure alignment with CAF, ISO 27001, and NIS regulations for a proactive security posture.

Features

• CAF - ISMS - GRC management System
• Policy Management and information dissemination
• CAF Scope Definition
• Essential Services and Critical Asset Management
• Critical System Management
• CAF Aligned Risk Assessment
• Evidence Automation
• Continuous Control Monitoring
• Executive Compliance Dashboards and Reporting
• Cyber Assessment Framework (CAF)

Benefits

• Cyber Assessment Framework (CAF)
• CAF for Local Government
• CAF for Operators of Essential Services (OES)
• CAF for the NHS & Healthcare Sector
• CAF for Water & Wastewater
• CAF for Energy Sector
• CAF for Digital Service Providers (DSPs)
• CAF for Transport & Aviation
• CAF for Defence & National Security
• NIS2 GRC Compliance & ISMS Management Efficiency

£250 a unit a month

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@hicomply.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

653848364572398

Contact

Sales
03301333640
sales@hicomply.com

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: Hicomply operates support service hours Mon-Fri 0900-1700 GMT excluding English public holidays. ; The Maintenance window is 2 hours between 1200 and 0200 Sunday.; Hicomply operates an uptime SLA of 99.95% availability outside of these times.
• System requirements: Web portal is accessed via modern browsers

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Support desk is open Mon-Friday 09:00-17:00; ; Urgent - Application issue affecting all users. The system is inoperable. Response within 2hr; High - Bug preventing use of a key feature or limiting access. Response within 2hr; Normal - None Critical Defect, with workarounds in place - Response 4hrs; Low - Product Queries etc - Response within 24hrs
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 A
• Phone support: No
• Web chat support: Web chat
• Web chat support availability: 9 to 5 (UK time), 7 days a week
• Web chat support accessibility standard: WCAG 2.1 A
• Web chat accessibility testing: We have not done any testing with assistive users.
• Onsite support: No
• Support levels: We provide a single support service to all customers. ; ; We can provide account management resources to contracts at additional cost.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Hicomply provides onboarding sessions to provide software training.; ; Training packages can be designed around specific product configuration, and user types to suit specific customer goals.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: We provide a data-out guarantee which ensures customers can request extraction of data at the end of the contract. ; ; This service is priced on an individual basis - pricing will be based on the size of the data held within the platform, and the handover media.
• End-of-contract process: Hicomply is a subscription service, and at the end of a subscription a customer has the right to request data extraction or data deletion. ; ; Both services charged at an additional fee. Dependent on the size of the data stored in the platform.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: Yes
• What users can and can't do using the API: Our API provides CRUD operations on most ISMS Objects, Risks, Tasks, Documents etc.
• API documentation: Yes
• API documentation formats: HTML
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Hicomply has a highly scalable micro-services architecture operated on scalable cloud services and with a scalable architecture allowing for scaling up and scaling out as needed.

Analytics

• Service usage metrics: No

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users are unable to bulk export the data from Hicomply. ; ; Bulk extraction is undertaken as part of a End Of Contract request.
• Data export formats:
  • CSV
  • Other
• Other data export formats: JSON
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.5%; Under standard contract terms, users are not refunded for not meeting SLA targets
• Approach to resilience: We use Azure Hosting Services which provides availability SLAs fully aligned with those we provide to customers. ; Our hosting provides failover capability if the event of failure of the primary environments. ; We also use Cloudflare network solutions to protect against attack and routing when network failure exists.
• Outage reporting: Hicomply provides customers with a public availability dashboard. Where they can see current status, and historic performance.

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Hicomply support staff must request access to perform support tasks. This access it time bound.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Sancert
• ISO/IEC 27001 accreditation date: 09/09/2023
• What the ISO/IEC 27001 doesn’t cover: Everything is covered with a whole Organisation Scope including product and business operations.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Hicomply adheres to all required security policies for the ISO27001 standard. ; Privacy Policy; Acceptable Use Policy; Access Control Policy; Asset Management and Information Classification; Business Continuity Management Policy; Clear Desk and Clear Screen Policy; Code of Conduct Policy (including whistle blowing); Cryptographic Controls Policy; Disposal of IT Assets Policy; Encryption Policy; Environmental and Sustainability Policy; Exchange of Information Policy; Information Security Policy; Logging and Monitoring Policy; Mobile Device Policy; Password Policy; Physical & Environmental Security Policy; Protection of Electronic Data Policy; Risk Management Policy; Supplier Security Policy - Standard operating procedure; System Security and Network Access Policy; ; Management Review Procedure; Access Control and Account Management (SOP); Business Continuity Plan; Code Promotion Process - Standard operating procedure (SOP); Documents and Records Management Procedure; Incident Management Procedure; Internal Audit Program Procedure; Malware Protection Procedure; Recruitment, Changes and Leavers; Risk Management Procedure; Roles, Responsibilities, Training & Competence; Security Patching - Standard operating procedure (SOP); Software and Security Assurance Testing - Standard operating procedure (SOP); Software Development Process - Standard operating procedure (SOP); System Usage Logging and Audit (SOP)

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Our configuration and change management processes involve tracking service components from procurement to decommissioning via a configuration management database (CMDB). Changes undergo a thorough proposal phase, including a detailed security impact assessment. These changes are then peer-reviewed and tested in a controlled environment to ensure no new vulnerabilities are introduced. A Change Advisory Board (CAB) reviews and approves changes based on security evaluations and test results. Implementation is closely monitored, with all steps documented for compliance and audits, ensuring that changes do not adversely affect our system's security posture.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Our ISO27001-certified vulnerability management process involves continuous monitoring and assessment of potential threats using industry-leading threat intelligence sources such as CERT, NIST, and security vendors. Vulnerabilities are identified through automated scanning and expert analysis. Critical patches are prioritized and deployed within 24 hours of release, while less critical updates follow a structured timeline, typically within one to two weeks. We ensure comprehensive coverage by integrating feedback from security audits, penetration testing, and real-time threat monitoring systems, maintaining robust security across all service components. We also continuously monitor vulnerabilities within our software code and components during the development process.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Our protective monitoring process, aligned with ISO27001 standards, employs real-time security information and event management (SIEM) systems to detect unusual activity signaling potential compromises. Alerts generated by the SIEM are analyzed by our security team to quickly assess and prioritize incidents based on severity. We respond to critical incidents immediately, with a goal of beginning remediation within one hour. Incident response protocols are predefined, including escalation paths, mitigation strategies, and communication plans, ensuring efficient and effective management of potential security breaches while minimizing impact on operations.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Our incident management approach is structured around ISO27001 principles, featuring predefined processes for common security events to ensure swift and systematic responses. Users report incidents via a dedicated helpdesk system and email support team. Each report triggers our incident response protocol, which categorizes the incident type and severity to guide the response strategy. Post-incident, we provide detailed reports through our secure online portal, summarizing the incident, actions taken, and recommendations for preventing future occurrences. This ensures transparency and continuous improvement in our security posture.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Fighting climate change

  Fighting climate change

  Using Hicomply Security Compliance Platform provides significant efficiency gains which reduce the demand on additional hardware service and document storage facilities. ; As Hicomply is a Multi-tenant system all customers benefit from shared compute resources meaning they are consuming far less energy that building and hosting a platform of their own.

Pricing

• Price: £250 a unit a month
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales@hicomply.com. Tell them what format you need. It will help if you say what assistive technology you use.