Costain Limited

Artificial Intelligence (AI) Engineering & Consultancy

Costain Artificial Intelligence (AI) technology merges expert engineering and consultancy capabilities with AI, leveraging this combined power to solve many real-world problems currently ignored. We enable insights, innovation, lower costs, shorter time frames and solutions otherwise nearly impossible across the highways, rail, energy, defence, decarbonisation, aviation, water, and hydrocarbons sectors.


  • Asset optimisation
  • Capital and operational programme intelligent procurement
  • Management and cost reduction
  • Business efficiencies
  • Regulation compliance prediction and enhancement
  • Scenario modelling
  • Demand forecasting
  • Universal modelling
  • Azure/AWS deployment


  • Asset optimisation
  • Procurement and cost reduction
  • Productivity improvements
  • Carbon reduction
  • Demand forecasting
  • Operational efficiencies
  • Innovative new AI-based solutions


£15,000 to £250,000 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

187026455780399


Costain Limited Tim Ellis
Telephone: 01628842444

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
Numeric data work is delivered by Costain, other data work is delivered by Costain in partnership with Arundo
System requirements
  • Microsoft Windows
  • Minimum 8Gb RAM
  • Minimum 100Gb storage
  • Modern web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support calls are categorised by urgency and assigned with a corresponding priority, according to impact and severity. Priority is ranked on a scale of 1 to 4, where 1 is most critical.

Response times are:

Priority 1 - 1hr response, 4hr resolution
Priority 2 - 2hr response, 8hr resolution
Priority 3 - 24hr response, 48hr resolution
Priority 4 - 24hr response, 168hr resolution

Service times are 9.00am to 17.00 (UK time), Monday to Friday.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Costain provides support and maintenance services, managed and certified to the ISO20000 Service Management standard. This ensures that we can focus on delivering value by being agile and flexible in meeting our clients' service needs, whilst continually monitoring and improving our service provision.

Our standard support times are 0900 - 1700 (UK), Monday-Friday and our service desk can be contacted via phone or dedicated gcloud email address (

All service staff are ITIL trained and we follow both the best practices set out by ITIL and required by our ISO certification.

We provide: Mature Service Management process aligned with ISO20000 and ITIL; Service and contract management with dedicated service managers; Service level management and ability to work with clients to design services and define appropriate service requirements; Service management reports and KPI management; ESCROW services to ensure business and service continuity; Continual Service Improvements processes and reports.

On-site support post-handover is based upon SFIA rates.
Support available to third parties

Onboarding and offboarding

Getting started
We provide an on-site handover service to ensure that the client understands how the system works and how to use the tool. This is supplemented by comprehensive documentation to act as reference material to the service; this will also be reviewed as part of the on-site handover process. The handover process is supplemented with remote desktop access where our consultants can guide through use of the service remotely. The on-boarding is further augmented by our Service Desk, through which users can log request calls which are either responded to via email or telephone, once a call has been logged and prioritised.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Data is automatically issued to specified recipients and via a D2 Documentum web interface. All models are exported in ONNX and are suitable for use in PyTorch, TensorFlow and Microsoft products.
End-of-contract process
Models, data, reports and deliverables are exported and issued to specified recipients. Access to the D2 Documentum interface ends. All data and models are either destroyed or archived and kept to the client's requirements for later retrieval if needed.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Service interface
Description of service interface
Web interface and standalone API
Accessibility standards
WCAG 2.1 A
Accessibility testing
No testing undertaken.
What users can and can't do using the API
Use of the API is dependent upon individual client requirements
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Customisation is wholly dependent upon individual client requirements


Independence of resources
The service is installed on our Azure cloud and scales to handle peaks and troughs in demand, with dedicated resources allocated. We monitor the demand on the service and adapt and flex the system according to bandwidth, storage or additional users.


Service usage metrics
Metrics types
Metrics are provided as defined by each Client and typically include cost, earned value, resource usage, programme, progress reporting, accuracy and response times.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Costain encrypts all staff machines using Microsoft BitLocker and all Azure Servers are built with encrypted disks to ensure Data at Rest is protected.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Automatic issue to specified recipients and via D2 Documentum web interface
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Costain uses Microsoft 365 with TLS 1.2+ to protect data in transit; we also have Microsoft Cloud App Security Broker deployed to monitor data within the network. Costain also uses encrypted VPN connections for when staff are out of the office and need to communicate back to the corporate network.

Availability and resilience

Guaranteed availability
Costain uses Microsoft Azure to underpin most of our services, and the inherent resilience that Azure provides is built upon by us to provide various, bespoke levels of high-availability depending on the requirements of a particular client or service.
Approach to resilience
Costain uses the Azure UK West and UK South datacenters, to provide resilience as well as data residency assurance. In addition to the regional pairing that Azure storage provides to ensure resilience during datacenter failures, Costain also utilises application resiliency in Azure through a mixture of virtual machine pairing, load balancing devices and data replication across UK datacenters.
Outage reporting
Costain uses a number of alerting methods (including but not limited to such things as email, SMS, auto-ticket generation) depending upon the requirements of a particular client or service.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Costain uses role-based access, so any administrative tasks are performed by admin accounts rather than standard user accounts, and these are individual and not shared. Costain also forces all Azure admins to use MFA to help protect the account.
Costain uses Thycotic Privilege Access Management to audit and control any administrative work that is required to be carried out.
Costain also ensures all default accounts on devices are changed to a secure complex password.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institute (BSI) Certification No. IS557983
ISO/IEC 27001 accreditation date
January 2020 with annual review
What the ISO/IEC 27001 doesn’t cover
Non-production corporate environments and project/development/research environments owned by our own Complex Delivery projects. All controls listed in ISO27001 Annex A are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
CyberEssentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO22301, CyberEssentials Plus
Information security policies and processes
Costain’s internal Information Security and Data Protection policy (published on our Intranet and underpinned by mandatory information- and cyber-security online training modules) summarises Costain’s strategy and can be provided on request. This is reviewed bi-annually via a committee which includes board-level representation.

Costain operates a company-wide information security management system which is certified to ISO 27001: 2013 with BSI Certificate No: IS557983.

Costain’s information security policy is designed to ensure that:

Information will be protected from unauthorised access;
Confidentiality of information will be assured;
Integrity of information will be maintained;
Information is made available to authorised persons;
Regulatory and legislative requirements will be met;
Business Continuity plans will be produced, maintained and tested;
Information security training will be available to all staff and is mandatory in order to continue accessing IT systems;
All breaches of information security, actual or suspected, will be reported, investigated and resolved;

Additionally, Costain are accredited to Cyber Essentials Plus, Certificate No: 8033978929854206.

Costain are a member of the National Cyber-Security Council’s (NCSC) Cyber-Security Information Sharing Partnership (CiSP), which ensures that we keep abreast of the dynamic nature of cyber and information security risks.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
End-User Computing (EUC) – Costain operate a standard-image process for ensuring a consistent configuration of desktops and laptops. This includes removing/disabling unnecessary components in order to more fully harden the device against security threats.

Server/Infrastructure – these are deployed via image templates, again in order to provide standard configuration and attack-surface reduction.

Costain operates an ITIL-based Change Management process to ensure that changes to these baseline configurations (and other systems) are sufficiently assessed and appropriately authorised.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All operating systems and key applications (both Microsoft and non-Microsoft) are patched automatically within 30 days of updates/patches being released by the vendor (14 days for critical security updates).

Servers and end-user computing operating systems are updated to be no more than 12 months behind the latest vendor release.

Penetration tests are performed by an independent CREST-accredited company (provider is rotated regularly) on an annual basis, and also whenever key systems are upgraded or introduced.

Vulnerability scans using an automated system (Nessus) are run regularly to ensure our security posture is appropriate across all applications, systems and devices.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use a 3rd party managed SOC (Secure Operations Centre) into which all of our systems feed. The SOC filters the events using AI and ML to correlate events and prioritises them accordingly. They deal with Priority 2-4 (the lower categories) - P2 notifies Costain and P1 (most critical) are passed to Costain and we work jointly with the SOC to resolve the issue (with the ability to bring staff in from the SOC). We have SLAs with the SOC. P1 is responded to within 4 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have pre-defined processes and process maps for common events with 100+ different processes designed to respond proactively to user reporting. These are handled internally by our Resolver Group (Service Desk, Infrastructure Team, etc.). Users report incidents via a ServiceNow portal (logging tickets) or call our internal Service Desk. We also have self-service portals for simple queries (e.g. password reset). Major incidents (e.g. outages) are logged as a high-priority ticket and our IT Operations Manager requests an incident report from the relevant Team Leader (root cause, remediation to prevent re-occurrence). We provide user notification upon service resumption.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£15,000 to £250,000 a unit
Discount for educational organisations
Free trial available
