
SimpleRisk Hosted

A SaaS Governance, Risk Management and Compliance (GRC) platform that enables you to identify, rank, monitor and track risks through their mitigation life cycle and continually measure the overall progress of your cybersecurity program. 

What is SimpleRisk Hosted?

The SimpleRisk platform is designed to deliver a simple, effective and affordable GRC solution that ensures customers will benefit from the repeatable, scalable and sustainable processes that are the foundation of any successful GRC program. SimpleRisk Hosted combines all of the functionality of our award-winning GRC software with the convenience of a fully managed hosting solution. This allows SimpleRisk to manage the ongoing system administration, such as backups, monitoring and upgrades, so you can focus on the end game – mitigating risks. Our Software-as-a-Service platform (SaaS) is unique to SimpleRisk and builds upon all of the intrinsic security benefits of the Amazon Web Services (AWS) cloud.


What are SimpleRisk Extras?

With hosted deployments, SimpleRisk Extras are plug-and-play modules that provide additional functionality and are available as packaged bundles. Below is a catalog of the licensed SimpleRisk Extras available with our hosted offerings:

Advanced Search

The Advanced Search Extra expands the top bar's search box so that you can find risks with a text search across risk data.


The API Extra allows customers to use a RESTful API to create scripted interactions with other applications to gain advanced automation and leverage existing infrastructure.

Secure Controls Framework (SCF)

The Secure Controls Framework (SCF) Extra is a direct integration between the Secure Controls Framework and SimpleRisk. Enabling it allows you to select from 190 different frameworks that have been mapped to 1,057 security and privacy related common controls. This includes many frameworks heavily used by organizations today, such as ISO 27001, NIST CSF, PCI DSS, GDPR, COBIT, COSO and more!


The Custom Authentication Extra provides support for Active Directory and SAML Authentication as well as Duo Security as a second factor of authentication. In the SimpleRisk Core product, without this Extra, the only option is to create new users in the SimpleRisk identity repository.


The Customization Extra enables the ability to add and remove different types of fields and dynamically create custom page templates.


The Email Notification Extra enables SimpleRisk to send e-mail notifications when risks are submitted, modified, or otherwise acted upon. This Extra can also be added as a scheduled script to send routine reminders when risks are ready for a management review. In the SimpleRisk Core product, without this Extra, no notifications are communicated outside of the tool itself.


The Encrypted Database Extra generates a random 256-bit AES encryption key and then uses it to encrypt sensitive text before it is inserted into the SimpleRisk database. This prevents anyone from being able to view or modify the data without using the SimpleRisk application directly.


The Import-Export Extra provides the ability to import data into SimpleRisk by mapping fields in a CSV file to fields in the SimpleRisk database. It can be used to import audit results from a 3rd party spreadsheet, vulnerability scan results from another tool, assets from your CMDB and more. The Extra also provides the ability to export CSV files from SimpleRisk containing Risks, Mitigations, Reviews, or a Combination report of all three.


The Incident Management Extra is based on the NIST 800-61 Computer Security Incident Handling Guide and provides incident management capabilities from within the SimpleRisk system.


The Jira Integration Extra provides users with the ability to integrate bi-directionally with a Jira instance. It enables connecting risks to Jira issues, as well as syncing their data, status and comments.


The Organizational Hierarchy Extra enables the ability to define multiple Business Units which can include any number of teams. Users can then be assigned across one or more teams under various Business Units. This affects a user's ability to see and use the teams, users, and assets which they are not associated with.


The Risk Assessment Extra provides users with the ability to define contacts, create questions (including logic), assemble multiple questions with a questionnaire template, create questionnaires and send them to contacts, view the questionnaire results, add risks based on those results, compare the results over time, import and export externally customized assessments, and review the risk assessment audit trail.


The Team-Based Separation Extra restricts risk viewing to only the users who are members of the team that the risk is assigned to. In the SimpleRisk Core product, without this Extra, every user can see every risk.


The Unified Compliance Framework (UCF) Extra is an API-level integration between the Unified Compliance Framework and SimpleRisk. Enabling it allows you to import selected frameworks and control mappings directly from UCF.


The Vulnerability Management Extra provides customers with the ability to integrate their SimpleRisk instance with or Rapid7 Nexpose/InsightVM and import both asset and vulnerability data into SimpleRisk. From there, you can select which sites you want to cover, determine which vulnerability scores should be imported and triage which vulnerabilities are turned into risks to track them.

Why Choose SimpleRisk Hosted?

A common complaint amongst organizations that have invested in a tool to aid in managing their Governance, Risk Management, and Compliance (GRC) efforts is the amount of time it takes before the tool is operational and providing a return on their investment. With our On-Premise SimpleRisk offering, the time to get up and running is measured in minutes, and that value can be demonstrated quickly, but there are still routine maintenance activities that the organization is responsible for, such as backups, upgrades, and monitoring.

SimpleRisk Hosted takes care of all of this for you, and more, so that your organization can focus your limited resources on managing your Governance, Risk Management and Compliance program, rather than the tool used to support it. SimpleRisk's Founder and CEO, Josh Sokol, discusses this topic in more detail in his blog post titled SimpleRisk On-Premise or Hosted – Which Deployment Model is Right for You?

Is SimpleRisk Hosted Secure?

SimpleRisk Hosted was created by a security practitioner with over a decade of experience in designing, implementing and testing security controls for a global, publicly traded enterprise. Security has been built throughout the service offering and includes:

  • "A" graded transport layer security configurations (HTTPS / TLS / SSL) validated with SSL Labs
  • Application code written around secure coding best practices and validated with a HackerOne Bug Bounty program
  • Dedicated virtual private cloud (VPC) environments with strict access controls
  • ISO 27001 certified and SOC2 validated datacenter
  • Layered security controls for defense-in-depth



If you're interested in learning more about the security of SimpleRisk, we have a more detailed Product Security Document that we can provide to you under NDA.

Does SimpleRisk Offer Professional Services?

We find that SimpleRisk is so simple and intuitive that our customers don't normally require any professional services to get started. We encourage our customers to reach out to our Support Team should they ever encounter any issues or if they have questions about how to do something. All of our SimpleRisk Hosted packages also include quarterly "Ask the Expert" calls with SimpleRisk's Founder and CEO, Josh Sokol.

He has over a decade of experience running the Information Security Program for a large, global, publicly traded enterprise, and we've found that giving customers the opportunity to speak with him on a regular basis has been invaluable in helping to jump-start their GRC programs, as well as helping them to avoid some of the pitfalls experienced along the way.


How is SimpleRisk Hosted Priced?

Our SimpleRisk Hosted SaaS platform is offered in one of three packages. These packages are broken down into the functionality most commonly used by organizations of different sizes, and it is not currently possible to customize the Extras available in each package. The Small Enterprise package is perfect for individuals or small teams just getting started with their GRC program. The Medium Enterprise package is geared towards organizations that require additional access controls preventing one team from seeing another's risks. The Large Enterprise package includes all of our SimpleRisk Extras (Incident Management and Organizational Hierarchy available for an additional fee) and is the most cost-effective comprehensive GRC platform on the market:

30-day trial

  • Small: Dedicated Container on Shared Host, $4,995 / yr
  • Medium: Dedicated AWS Virtual Private Cloud, $9,995 / yr
  • Large: Dedicated AWS Virtual Private Cloud, $19,995 / yr

All packages include Quarterly "Ask The Expert" calls, Silver Support, Daily Database Snapshots, Governance, Risk Management and Compliance capabilities and are licensed for an unlimited number of users and risks.


Secure Controls Framework (SCF) Extra


Email Notification Extra


Import-Export Extra


Vulnerability Management Extra


Risk Assessment Extra


Team-Based Separation Extra


Custom Authentication Extra


Encrypted Database Extra


API Extra


Customization Extra


Advanced Search Extra


Jira Integration Extra


UCF Extra


Incident Management Extra

    $9,995 / yr

Organizational Hierarchy Extra

    $2,995 / yr / BU

How do I Get Started with SimpleRisk Hosted?

Getting started with SimpleRisk Hosted is extremely simple. There is no credit card required, absolutely nothing to install and it works on all modern web browsers. You'll have complimentary access to try out all of our SimpleRisk functionality for 30 days. Just click the "Free 30 Day Trial" link below, submit the form and we'll be in touch soon.