Simplerisk Pricing
Our pricing is designed to be simple, just like our product. However, if at any point you have questions please don't hesitate to schedule a pricing call to speak with a real person.
Feature-Based Pricing
At SimpleRisk, we believe that there should be a direct relationship between how much a product costs and how much value you derive from it. The majority of GRC products employ a "land and expand" pricing strategy where they license by number of users, knowing that they can charge more as your organization grows. We feel strongly that the more users participating in the GRC process, the more value you will get out of it. That's why every SimpleRisk instance is licensed for an UNLIMITED number of users. All you need to do is pick the features that add value for your organization.
Deployment Model Agnostic
Want to run SimpleRisk on your servers in your data center? No problem! We have scripted installations, virtual machines and Docker containers to get you up and running quickly.
Would you rather us handle all of the installation, backups, monitoring and upgrades for you? We've got you covered! Start with a free 30 day trial and we will migrate your data to our Production environment when you determine that SimpleRisk is the right fit for you.
You decide which deployment model works best for your organization and we will support you. The majority of our customers choose our SaaS offering because of its simplicity to get started. However, the decision is yours, and our pricing remains the same no matter which deployment model you choose.
SimpleRisk Core: The Free and Open Source GRC Foundation
Every SimpleRisk installation, regardless of where it is hosted or what features you select, begins with the SimpleRisk Core. It is the free and open source foundation of SimpleRisk on top of which everything else is built. The Core includes all of the basic Governance, Risk Management and Compliance (GRC) capabilities that an organization needs to get started with their program. SimpleRisk was started with the altruistic belief that all organizations should be able to manage their GRC program with a purpose-built tool, rather than a spreadsheet. That is why even though SimpleRisk has been embraced by some of the largest organizations in the world, our SimpleRisk Core offering enables every organization to go from ZERO to GRC in minutes.
What follows is a list of some of the key functionality that you'll find in the SimpleRisk Core:
Governance
The SimpleRisk Core includes the ability to define your own frameworks and controls. As your risk management program matures, these can be used later on to associate controls with risks under Risk Management or to validate for control effectiveness under Compliance. You can upload documentation for all of your organization's policies, guidelines, standards, and procedures as well as the ability to track exception approvals for your policies and controls. These can then be linked to controls, have owners and approvers defined, and then used to track review dates and status.
Risk Management
The SimpleRisk Core includes the ability to submit new risks and keep a registry to track all of the risks for your organization. You can plan mitigations for your risks by setting mitigation dates, defining the level of effort, assigning ownership, associating with the controls defined in Governance, and tracking changes in residual risk by setting a mitigation percentage. Management will be involved in the risk management process by outlining next steps for your risks in the review process. Risks can be grouped together into higher level projects for batch management and reporting purposes. SimpleRisk will help you with tracking review dates and status for your risks and ensure regular reviews are occurring.
Compliance
The SimpleRisk Core includes the ability to define unlimited tests across all of the frameworks and controls that you've defined in Governance. Audits can then be initiated at the framework, control, or test level. Active audits can be filtered and tracked along with all of their associated documentation and evidence. Past audits can be viewed and access to your testing progress and results can be restricted to only individuals with a need to know.
Asset Management
The SimpleRisk Core includes the ability to do a basic automated discovery of assets in your organization. Assets can also be added manually with the ability to assign valuation to assets and associate them with different teams and locations. Assets can be logically grouped together and associated with risks.
Self-Assessments
The SimpleRisk Core includes the ability to take one of our pre-configured risk assessments by answering a series of Yes / No answers for the CIS Critical Security Controls, HIPAA, NIST 800-171 or PCI DSS 3.2. Those answers are then used to generate pending risks which you can elect to have added into your risk registry, with the click of a button.
Reporting
The SimpleRisk Core includes a wide variety of reports designed to help you make the most out of your risk management program. These include graphical dashboards, reports for identifying risks that fall outside of your level of risk appetite, reports giving you advice on determining how to best prioritize remediation efforts and achieve the strongest return on your investment, reports showing the associations between your risks and your controls or assets, and a truly dynamic report that allows you to create your own custom reporting around the various fields managed by SimpleRisk.
Configure
The SimpleRisk Core is highly configurable and enables you to configure a risk management process that is tailored to your organization. You can change the values in the various dropdowns, edit the risk formulas and manage the risk catalog. You can define an unlimited number of users, map them to roles and make fine-grained changes to their permissions. All changes made in the system are logged and kept as an audit trail for review by your system administrators.
Registering Your SimpleRisk Instance
Technically speaking, anyone could download the SimpleRisk Core, install it and perform manual upgrades for years without us ever knowing who they are. While remaining anonymous is your call, we believe that communication with our customers is key to a successful relationship and we can't do that if we don't know how to reach you. We promise that we won't spam you and we will never sell or give your information to a third-party. Registering your SimpleRisk instance simply means that you'll receive:
- Updates on new product releases
- Tips on how to use features
- Details on events we are attending
- Blog posts about GRC
Don't worry, if you happen to find that it's too much or not relevant, you can unsubscribe at any time.
Customers who register their SimpleRisk instance will receive the following additional features:
Upgrade
The Upgrade Extra is designed to make the process of upgrading SimpleRisk much easier. It provides you with a button that you can click at any point to get a backup of the SimpleRisk database, as well as an upgrade capability that handles the application and database upgrades for you with a single click of the mouse.
Secure Controls Framework (SCF)
The Secure Controls Framework (SCF) Extra is a direct integration between the Secure Controls Framework and SimpleRisk. Enabling it allows you to select from 190 different frameworks that have been mapped to 1,057 security and privacy related common controls. This includes many frameworks heavily used by organizations today, such as ISO 27001, NIST CSF, PCI DSS, GDPR, COBIT, COSO and more!
Paid SimpleRisk Features
Every single feature you see above this paragraph is free to download and use with no restrictions. It doesn't matter if your organization is five people, 50 people or 50 thousand people. We've seen some of the largest organizations on the planet running their GRC programs on our SimpleRisk Core because of just how much functionality it contains. But, our customers demand top notch support and enterprise grade features, and in order to sustain a viable business model, we simply couldn't give it all away.
Instead, we have created what we call "Extras," which are a variety of plug-and-play modules that provide extended functionality for your SimpleRisk instance. You choose the features that will have the biggest impact for your organization and can always add new Extras in the future as your requirements change. Our Starter Package is only $5k USD/year and includes any three Standard Extras, support, and hosting (if desired), which undoubtedly makes SimpleRisk the most cost-effective GRC solution on the market.
What follows is a list of features that you can optionally purchase to add functionality to your SimpleRisk instance:
Advanced Search
The Advanced Search Extra expands the functionality of the top bar's search box to be able to find risks by doing textual search in risk data.
API
The API Extra allows customers to use a RESTful API to create scripted interactions with other applications to gain advanced automation and leverage existing infrastructure.
CUSTOM AUTHENTICATION
The Custom Authentication Extra provides support for Active Directory and SAML authentication . In the SimpleRisk Core product, without this Extra, the only option is to create new users in the SimpleRisk identity repository.
CUSTOMIZATION
The Customization Extra enables the ability to add and remove different types of fields and dynamically create custom page templates.
EMAIL NOTIFICATION
The Email Notification Extra enables SimpleRisk to send e-mail notifications when risks are submitted, modified, or otherwise actioned upon. This extra can also be added as a scheduled script to send routine reminders when risks are ready for a management review. In the SimpleRisk Core product, without this Extra, no notifications are communicated outside of the tool itself.
ENCRYPTED DATABASE
The Encrypted Database Extra generates a random AES-256 bit encryption key and then uses that to encrypt sensitive text prior to it being inserted into the SimpleRisk database. This prevents anyone from being able to view or modify the data without using the SimpleRisk application directly.
IMPORT-EXPORT
The Import-Export Extra provides the ability to import data into SimpleRisk by mapping fields in a CSV file to fields in the SimpleRisk database. It can be used to import audit results from a 3rd party spreadsheet, vulnerability scan results from another tool, assets from your CMDB and more. The Extra also provides the ability to export CSV files from SimpleRisk containing Risks, Mitigations, Reviews, or a Combination report of all three.
INCIDENT MANAGEMENT
The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.
JIRA INTEGRATION
The Jira Integration Extra provides users with the ability to integrate bi-directionally with a Jira instance. It enables connecting risks to Jira issues, as well as syncing their data, status and comments.
ORGANIZATIONAL HIERARCHY
The Organizational Hierarchy Extra enables the ability to define multiple Business Units, including any number of teams. Users can then be assigned across one or more teams under various Business Units. This enables you to restrict a user's ability to only see and use the teams, users, and assets within the Business Units they are associated with.
RISK ASSESSMENT
The Risk Assessment Extra provides users with the ability to define contacts, create questions (including logic), assemble multiple questions with a questionnaire template, create questionnaires and send them to contacts, view the questionnaire results, add risks based on those results, and compare the results over time, import and export externally customized assessments, and review the risk assessment audit trail.
TEAM-BASED SEPARATION
The Team-Based Separation Extra restricts risk viewing to only the users who are members of the team that the risk is assigned to. In the SimpleRisk Core product, without this Extra, every user can see every risk.
UNIFIED COMPLIANCE FRAMEWORK (UCF)
The Unified Compliance Framework (UCF) Extra is an API-level integration between the Unified Compliance Framework and SimpleRisk. Enabling it allows you to import selected frameworks and control mappings directly from UCF.
VULNERABILITY MANAGEMENT
The Vulnerability Management Extra provides customers with the ability to integrate their SimpleRisk instance with Tenable.io, Rapid7 Nexpose/InsightVM and Qualys, enabling you to import both asset and vulnerability data into SimpleRisk. From there, you can select which sites you want to cover, determine which vulnerability scores should be imported and triage which vulnerabilities are turned into risks to track them.
Discounts
While the majority of vendors artificially inflate their product pricing so that they can apply huge discounts later, it's one of many examples of disingenuous business practices that we avoid here at SimpleRisk. Our pricing is transparently displayed on our website. Every customer pays the same price for the same product, and we offer the same discounts to everyone.
There's no need for complicated negotiations and our "What You See is What You Get" approach has been embraced across the board. SimpleRisk customers are never concerned about missing out on "special deals" where vendors often arbitrarily slash prices at the end of their sales period. In short, at SimpleRisk we don't play pricing games.
The discounted pricing below is available to all SimpleRisk customers and includes:
- A Starter Package consisting of any three Standard Extras, support and hosting (if desired) for only $5k USD/year. (Save $10k!)
- An automatic 15% discount for all orders over $25k USD/year or 25% for all orders over $35k USD/year.
- A 10% discount for allowing us to place your organization's link and logo on our website.
- Up to a 20% discount for multi-year contract commitments or advanced payments.
Pricing
SimpleRisk Standard Extras represent the majority of all available Extras and are a flat $5k USD/year. Incident Management and Organizational Hierarchy are considered Premium Extras, each priced at $10k USD/year. It's that simple.
All SimpleRisk purchases include:
- Unlimited Users
- On-Premise or Hosted Deployments
- Subscription Fees which Include Support and Updates
- Customizable Packages with Automatic Discounts
- Quarterly "Ask the Expert" Calls
If you're still not sure which Extras will benefit your organization the most, you can start a free 30 day trial that includes all of our Extras or schedule a demo to see SimpleRisk in action and discuss your organization's requirements.
Ready to create your custom SimpleRisk package? Let's get started!