TheTechForce Limited

ISMS Online

An online secure information security (ISMS), privacy (PIMS), business continuity (BSMS), quality (QMS) and AI (AIMS)management system with tools, policies and frameworks. To meet governance, regulatory, compliance of internal ISMS/ IMS and supply chain collaboration for ISO 27001, ISO 27701, ISO 22301, GDPR, ISO 9001, ISO 42001 (and more), including;

Features

• Information Security Management System (ISMS)
• Collaboration tools: version control documents, tasking, discussions,
• Risk identification, evaluation and treatment based on confidentiality, integrity, availability
• Information security policies, controls, requirements repository and approval workflows
• Supplier relationship management, contracting, contact management, supply chain control
• Project working, privacy impact assessments, prebuilt security frameworks
• Security incident management, GDPR strategic compliance and privacy
• Audits, improvements, corrective actions, tracking tools,subject access requests
• Staff communications, awareness and engagement tools

Benefits

• Always on secure cloud information security management system (ISMS)
• All in one place ISMS saving time and reducing risk
• Prepopulated with actionable tools, policies and frameworks
• Easy to use, little or no training, low total cost
• Describe and demonstrate information security and privacy practices
• Mitigate risk of ICO and GDPR fines and penalties
• Collaborate internally and through the supply chain
• Easy to add and remove users, upgrade or downgrade scope
• Manage multiple standards and other government IS requirements
• Encourage suppliers to follow your information security policies

£500 a unit a day

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jai@techforce.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

811105753770891

Contact

Jai Aenugu
01224516181
jai@techforce.co.uk

Service scope

• Software add-on or extension: No
• Cloud deployment model: Public cloud
• Service constraints: NO
• System requirements:
  • Access to the internet
  • Web browser

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We aim to respond to all queries within five working days
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support is provided by the Culture.Ai team. All Support is included in the cost of the subscription, there are no extra charges for support or maintenance.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A comprehensive onboarding procedure is in place including, administrator training, monthly customer service engineer calls, getting started documentation and hand holding, local UK based first line support and guidance - all included in the price. Onsite administrator training can be provided at extra cost.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: Customers can simply remove any information they want in line with our easy off processes, or we can do it for them if they have non standard needs. If we do it for them to meet specific exit requirements beyond our standard process then there may be a small cost which is always proportionate to the work requested and agreed with the customer in advance based on the SFIA rate table. There is a professional exit process well established in line with our UKAS accredited ISO 27001 to ensure the customer has a good exit experience and all data is securely disposed of at the time agreed.
• End-of-contract process: The subscription, training, documentation, support and product updates are all included in the single subscription price. Contracts are a minimum of 1 year. At the end of the year, if the customer does not wish to renew, all data is archived and then securely deleted.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Accessible through the mobile browser.
• Service interface: No
• User support accessibility: WCAG 2.1 AA or EN 301 549
• API: No
• Customisation available: Yes
• Description of customisation: Users can customize CultureAI by configuring automated communications, selecting integration options with existing tools, and tailoring report triage processes.

Scaling

• Independence of resources: Strict SLA's in place to ensure the user experience is always optimal. SLA's are available on request.

Analytics

• Service usage metrics: Yes
• Metrics types: " Our capacity monitoring has alerting for CPU, Memory and Disk Space. We have measures in place to scale the capacity of an individual server, or to add in additional load-balanced application servers within minutes to cope with changes in demand"
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: Culture.AI - all services

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Physical access control, complying with another standard
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: You can export the content via the platform in either a CSV or PDF format.
• Data export formats: CSV
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: 99.9% uptime guarantee
• Approach to resilience: Load balancing, multi-zone, mirrored databases, snapshots, Web app firewall, redundant DNS
• Outage reporting: Outages reported by email and on the status webpage

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: We enforce strict access restrictions in management interfaces and support channels. Through Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA), only authorized personnel with specific permissions can access sensitive functions. Support staff are granted minimal access based on the principle of Least Privilege. Detailed audit trails monitor all activities, and regular access reviews ensure alignment with business needs. These measures tightly control access, mitigating the risk of unauthorized entry and data breaches.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: CultureAI adheres to stringent information security policies and processes to ensure the utmost protection and compliance with global standards. Our security measures are designed around the principles of data confidentiality, integrity, and availability.; ; At the heart of our security approach is the robust access control system, which ensures that only authorized personnel have access to sensitive data, strictly based on their operational roles. We employ advanced encryption for data at rest and in transit, alongside comprehensive security assessments including penetration testing to pre-emptively identify and rectify vulnerabilities.; ; To guarantee policy adherence, we conduct regular training for all employees emphasizing the importance of security, detailing our specific policies, and explaining the consequences of non-compliance. An internal audit team performs periodic checks to ensure consistent policy enforcement and compliance with regulatory requirements.; ; CultureAI's commitment to security is aligned with international standards such as ISO/IEC 27001 and the GDPR. Our proactive approach includes a designated Data Protection Officer who oversees compliance, manages data protection measures, and serves as a liaison with regulatory authorities.; ; Our incident response protocol outlines clear steps for handling and reporting security incidents to minimize impact and ensure transparency. CultureAI protects user data against cyber threats, maintaining trust and compliance.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: CultureAI employs a rigorous configuration and change management approach. We maintain a detailed inventory of all service components in a centralized database, tracking each through its lifecycle, from deployment to decommission. Changes are systematically documented and reviewed.; ; Assessing Changes for Security Impact:; ; Impact Analysis: Every proposed change undergoes a thorough security impact analysis to identify potential risks.; Review Process: A specialized security team reviews these impacts, considering dependencies and the broader system environment.; Testing: Changes are tested in a controlled environment to ensure they do not compromise security before being applied to the live system.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Annual, Quarterly, and Monthly various security scans and reviews and testing. Vulnerability scans, risk assessments and other configuration and security testing.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: CultureAI's protective monitoring approach employs advanced detection systems to continuously monitor for unusual activities signaling potential compromises. Our systems use real-time analytics and threat intelligence to identify suspicious behavior swiftly.; ; Upon detecting a potential compromise, our incident response team is alerted immediately. This team evaluates the severity, contains the threat, and initiates remediation processes to mitigate any damage. We aim to respond to incidents within minutes of detection.; ; We follow a structured protocol that includes notifying affected parties and regulatory bodies as required, ensuring compliance with legal obligations and maintaining transparency with our users.
• Incident management type: Supplier-defined controls
• Incident management approach: Standard Operating Procedures (SOPs): We've developed SOPs for common security events like phishing, unauthorized access, and data breaches to ensure consistent, efficient responses.; ; User Incident Reporting:; Users report incidents via support email, a hotline, or directly through our secure platform tool. We offer guidance and support through trained personnel.; ; Incident Reporting:; We promptly acknowledge reports, provide regular updates during resolution, and issue detailed final reports outlining the incident, impact, actions taken, and preventative recommendations. This method ensures effective incident management and maintains user trust.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Wellbeing

  Wellbeing

  CultureAI contributes to wellbeing by promoting a healthy work culture through its AI-driven solutions, fostering employee engagement, and enhancing mental health awareness in the workplace.

Pricing

• Price: £500 a unit a day
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Complete features of the platform for a limited number of days.; Contact us below.
• Link to free trial: https://techforce.co.uk/contact

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at jai@techforce.co.uk. Tell them what format you need. It will help if you say what assistive technology you use.