SimpleRisk Pricing

Our pricing is designed to be simple, just like our product. However, if at any point you have questions, please don't hesitate to schedule a pricing call to speak with a real person.

Feature-Based Pricing

At SimpleRisk, we believe that there should be a direct relationship between how much a product costs and how much value you derive from it. The majority of GRC products employ a "land and expand" pricing strategy where they license by number of users, knowing that they can charge more as your organization grows. We feel strongly that the more users participating in the GRC process, the more value you will get out of it. That's why every SimpleRisk instance is licensed for an UNLIMITED number of users. All you need to do is pick the features that add value for your organization.

Deployment Model Agnostic

Want to run SimpleRisk on your servers in your data center? No problem!  We have scripted installations, virtual machines and Docker containers to get you up and running quickly.

 

Would you rather us handle all of the installation, backups, monitoring and upgrades for you? We've got you covered! Start with a free 30 day trial and we will migrate your data to our Production environment when you determine that SimpleRisk is the right fit for you.

 

You decide which deployment model works best for your organization and we will support you. The majority of our customers choose our SaaS offering because of how simple it is to get started. However, the decision is yours, and our pricing remains the same no matter which deployment model you choose.

SimpleRisk Core: The Free and Open Source GRC Foundation

Every SimpleRisk installation, regardless of where it is hosted or what features you select, begins with the SimpleRisk Core.  It is the free and open source foundation of SimpleRisk on top of which everything else is built.  The Core includes all of the basic Governance, Risk Management and Compliance (GRC) capabilities that an organization needs to get started with their program. SimpleRisk was started with the altruistic belief that all organizations should be able to manage their GRC program with a purpose-built tool, rather than a spreadsheet. That is why even though SimpleRisk has been embraced by some of the largest organizations in the world, our SimpleRisk Core offering enables every organization to go from ZERO to GRC in minutes.

 

What follows is a list of some of the key functionality that you'll find in the SimpleRisk Core:

SimpleRisk Core Features

Governance

The SimpleRisk Core includes the ability to define your own frameworks and controls. As your risk management program matures, these can be used later on to associate controls with risks under Risk Management or to validate control effectiveness under Compliance. You can upload documentation for all of your organization's policies, guidelines, standards, and procedures, and track exception approvals for your policies and controls. These can then be linked to controls, have owners and approvers defined, and then used to track review dates and status.

Risk Management

The SimpleRisk Core includes the ability to submit new risks and keep a registry to track all of the risks for your organization. You can plan mitigations for your risks by setting mitigation dates, defining the level of effort, assigning ownership, associating with the controls defined in Governance, and tracking changes in residual risk by setting a mitigation percentage. Management will be involved in the risk management process by outlining next steps for your risks in the review process. Risks can be grouped together into higher level projects for batch management and reporting purposes. SimpleRisk will help you with tracking review dates and status for your risks and ensure regular reviews are occurring.

Compliance

The SimpleRisk Core includes the ability to define unlimited tests across all of the frameworks and controls that you've defined in Governance. Audits can then be initiated at the framework, control, or test level. Active audits can be filtered and tracked along with all of their associated documentation and evidence. Past audits can be viewed, and access to your testing progress and results can be restricted to only individuals with a need to know.

Asset Management

The SimpleRisk Core includes the ability to do a basic automated discovery of assets in your organization. Assets can also be added manually with the ability to assign valuation to assets and associate them with different teams and locations. Assets can be logically grouped together and associated with risks.

Self-Assessments

The SimpleRisk Core includes the ability to take one of our pre-configured risk assessments by answering a series of Yes / No questions for the CIS Critical Security Controls, HIPAA, NIST 800-171 or PCI DSS 3.2. Those answers are then used to generate pending risks, which you can elect to have added into your risk registry with the click of a button.

Reporting

The SimpleRisk Core includes a wide variety of reports designed to help you make the most out of your risk management program. These include graphical dashboards, reports for identifying risks that fall outside of your level of risk appetite, reports giving you advice on determining how to best prioritize remediation efforts and achieve the strongest return on your investment, reports showing the associations between your risks and your controls or assets, and a truly dynamic report that allows you to create your own custom reporting around the various fields managed by SimpleRisk.

Configure

The SimpleRisk Core is highly configurable and enables you to configure a risk management process that is tailored to your organization. You can change the values in the various dropdowns, edit the risk formulas and manage the risk catalog. You can define an unlimited number of users, map them to roles and make fine-grained changes to their permissions. All changes made in the system are logged and kept as an audit trail for review by your system administrators.

Registering Your SimpleRisk Instance

Technically speaking, anyone could download the SimpleRisk Core, install it and perform manual upgrades for years without us ever knowing who they are. While remaining anonymous is your call, we believe that communication with our customers is key to a successful relationship and we can't do that if we don't know how to reach you. We promise that we won't spam you and we will never sell or give your information to a third-party. Registering your SimpleRisk instance simply means that you'll receive:

  • Updates on new product releases
  • Tips on how to use features
  • Details on events we are attending
  • Blog posts about GRC

Don't worry, if you happen to find that it's too much or not relevant, you can unsubscribe at any time.

 

Customers who register their SimpleRisk instance will receive the following additional features:

Registered Features

Upgrade

The Upgrade Extra is designed to make the process of upgrading SimpleRisk much easier. It provides you with a button that you can click at any point to get a backup of the SimpleRisk database, as well as an upgrade capability that handles the application and database upgrades for you with a single click of the mouse.

Secure Controls Framework (SCF)

The Secure Controls Framework (SCF) Extra is a direct integration between the Secure Controls Framework and SimpleRisk. Enabling it allows you to select from 190 different frameworks that have been mapped to 1,057 security and privacy related common controls. This includes many frameworks heavily used by organizations today, such as ISO 27001, NIST CSF, PCI DSS, GDPR, COBIT, COSO and more!

Paid SimpleRisk Features

Every single feature you see above this paragraph is free to download and use with no restrictions. It doesn't matter if your organization is five people, 50 people or 50 thousand people. We've seen some of the largest organizations on the planet running their GRC programs on our SimpleRisk Core because of just how much functionality it contains. But, our customers demand top notch support and enterprise grade features, and in order to sustain a viable business model, we simply couldn't give it all away.

 

Instead, we have created what we call "Extras," which are a variety of plug-and-play modules that provide extended functionality for your SimpleRisk instance. You choose the features that will have the biggest impact for your organization and can always add new Extras in the future as your requirements change. Our Starter Package is only $5k USD/year and includes any three Standard Extras, support, and hosting (if desired), which undoubtedly makes SimpleRisk the most cost-effective GRC solution on the market.

 

What follows is a list of features that you can optionally purchase to add functionality to your SimpleRisk instance:

Paid Features

Advanced Search

The Advanced Search Extra expands the functionality of the top bar's search box so that you can find risks by performing a text search across risk data.

API

The API Extra allows customers to use a RESTful API to create scripted interactions with other applications to gain advanced automation and leverage existing infrastructure.

CUSTOM AUTHENTICATION

The Custom Authentication Extra provides support for Active Directory and SAML authentication. In the SimpleRisk Core product, without this Extra, the only option is to create new users in the SimpleRisk identity repository.

CUSTOMIZATION

The Customization Extra enables the ability to add and remove different types of fields and dynamically create custom page templates.

EMAIL NOTIFICATION

The Email Notification Extra enables SimpleRisk to send e-mail notifications when risks are submitted, modified, or otherwise acted upon. This Extra can also be added as a scheduled script to send routine reminders when risks are ready for a management review. In the SimpleRisk Core product, without this Extra, no notifications are communicated outside of the tool itself.

ENCRYPTED DATABASE

The Encrypted Database Extra generates a random 256-bit AES encryption key and then uses it to encrypt sensitive text before it is inserted into the SimpleRisk database. This prevents anyone from being able to view or modify the data without using the SimpleRisk application directly.

IMPORT-EXPORT

The Import-Export Extra provides the ability to import data into SimpleRisk by mapping fields in a CSV file to fields in the SimpleRisk database. It can be used to import audit results from a 3rd party spreadsheet, vulnerability scan results from another tool, assets from your CMDB and more. The Extra also provides the ability to export CSV files from SimpleRisk containing Risks, Mitigations, Reviews, or a Combination report of all three.

INCIDENT MANAGEMENT

The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.

JIRA INTEGRATION

The Jira Integration Extra provides users with the ability to integrate bi-directionally with a Jira instance. It enables connecting risks to Jira issues, as well as syncing their data, status and comments.

ORGANIZATIONAL HIERARCHY

The Organizational Hierarchy Extra enables the ability to define multiple Business Units, including any number of teams. Users can then be assigned across one or more teams under various Business Units. This enables you to restrict a user's ability to only see and use the teams, users, and assets within the Business Units they are associated with.

RISK ASSESSMENT

The Risk Assessment Extra provides users with the ability to define contacts, create questions (including logic), assemble multiple questions with a questionnaire template, create questionnaires and send them to contacts, view the questionnaire results, add risks based on those results, compare the results over time, import and export externally customized assessments, and review the risk assessment audit trail.

TEAM-BASED SEPARATION

The Team-Based Separation Extra restricts risk viewing to only the users who are members of the team that the risk is assigned to. In the SimpleRisk Core product, without this Extra, every user can see every risk.

UNIFIED COMPLIANCE FRAMEWORK (UCF)

The Unified Compliance Framework (UCF) Extra is an API-level integration between the Unified Compliance Framework and SimpleRisk. Enabling it allows you to import selected frameworks and control mappings directly from UCF.

VULNERABILITY MANAGEMENT

The Vulnerability Management Extra provides customers with the ability to integrate their SimpleRisk instance with Tenable.io, Rapid7 Nexpose/InsightVM and Qualys, enabling you to import both asset and vulnerability data into SimpleRisk. From there, you can select which sites you want to cover, determine which vulnerability scores should be imported and triage which vulnerabilities are turned into risks to track them.

Discounts

While the majority of vendors artificially inflate their product pricing so that they can apply huge discounts later, it's one of many examples of disingenuous business practices that we avoid here at SimpleRisk. Our pricing is transparently displayed on our website. Every customer pays the same price for the same product, and we offer the same discounts to everyone.

 

There's no need for complicated negotiations and our "What You See is What You Get" approach has been embraced across the board. SimpleRisk customers are never concerned about missing out on "special deals" where vendors often arbitrarily slash prices at the end of their sales period. In short, at SimpleRisk we don't play pricing games.

 

The discounted pricing below is available to all SimpleRisk customers and includes:

  • A Starter Package consisting of any three Standard Extras, support and hosting (if desired) for only $5k USD/year. (Save $10k!)
  • An automatic 15% discount for all orders over $25k USD/year or 25% for all orders over $35k USD/year.
  • A 10% discount for allowing us to place your organization's link and logo on our website.
  • Up to a 20% discount for multi-year contract commitments or advance payments.

Pricing

SimpleRisk Standard Extras represent the majority of all available Extras and are a flat $5k USD/year. Incident Management and Organizational Hierarchy are considered Premium Extras, each priced at $10k USD/year. It's that simple.

 

All SimpleRisk purchases include:

  • Unlimited Users
  • On-Premise or Hosted Deployments
  • Subscription Fees which Include Support and Updates
  • Customizable Packages with Automatic Discounts
  • Quarterly "Ask the Expert" Calls

 

If you're still not sure which Extras will benefit your organization the most, you can start a free 30 day trial that includes all of our Extras or schedule a demo to see SimpleRisk in action and discuss your organization's requirements.


 

Ready to create your custom SimpleRisk package? Let's get started!


 

STEP 1: Choose your Standard Extras

Annual pricing before any discounts are applied.

 

$5,000 USD