ICS Ingage Limited

iNGAGE - Locum Workforce Direct Engagement Service

iNGAGE is a suite of cloud and physical based services, supported by a number of systems that allow NHS Trusts to Directly Engage their temporary Workforce. The service allows Trusts greater transparency and control over their Flexible workforce and allows them to deliver considerable savings and rate reductions.


  • Dedicated service/platforms facilitating seamless direct/non-direct-engagement of locum workforce
  • Dedicated recruitment, on-boarding and time-sheeting and reporting portals
  • Implementation, change management, business process re-engineering
  • Account managers responsible for compliance, performance, account & supplier management
  • End-to-end recruitment, on-boarding, time-sheeting and self-bill administration
  • Full management report suite supported by bespoke reporting tools
  • Digital contract management and engagement support services
  • Completely bespoke service with automated controls and digitised processes
  • 24/7 service with dedicated account staff and specialist consultants
  • Integrated with current processes and systems delivering a seamless service


  • Large-scale savings, rate reductions, cost management & efficiency gains
  • Automated & streamlined processes delivering enhanced controls and reduced administration
  • Increased transparency & compliance allowing effective planning and reduced risk
  • Greater visibility empowering better performance management of suppliers
  • Processes tailored to Trust staffing, workforce and staffbank needs
  • Allows flexibility to adapt to changing demand and market conditions
  • Understanding of the staffing/workforce market allowing for seamless implementation
  • Improved financial processes including self bill invoicing, reporting and accruals
  • Single System and service provider covering all staff groups
  • Direct engagement of Doctors and Allied Health staff


£1 to £25 per unit per hour

Service documents


G-Cloud 11

Service ID

2 2 0 4 5 7 0 9 8 2 5 1 9 0 6


ICS Ingage Limited

Warren Pegg



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Our service can function as an extension of the client's systems and processes, e.g. Master Vendor system, accounts payable and payroll systems
Cloud deployment model Private cloud
Service constraints Our service operates in line with a pre-planned comprehensive maintenance schedule. Constraints include software access via approved browsers only, which is subject to quarterly updates without notification
System requirements
  • We scope the system requirements on implementation.
  • Client's needs can influence system requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We acknowledge within 2 working hours, resolve low-level issues within 24 working hours, medium-level issues in 48 working hours and technical issues within 14 working days.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels Each customer has an account manager and a dedicated team on-site throughout the lifecycle of the programme. They will deal with all first-line support queries and the day-to-day management and running of the services. They are supported by a dedicated technical team for the escalation of any second-line queries.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started We provide a high level of support -

During implementation we deploy a dedicated implementation team, who will deliver full scoping, design, configuration and deployment of the services and all associated technology and systems. Thereafter we can provide onsite support, and an account manager. Throughout the lifecycle of the programme we provide dedicated onsite and online training, support and analytics to ensure the service is being used correctly and efficiently.
All of the above is supported by dedicated resource libraries, online FAQs, video and webinars.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction We discuss exit planning from the start of the service so that we can establish expectations and agree processes. We can export data in a standard csv format via secure email. Alternative formats and processes may be available and can be discussed during contract negotiations. With respect to the retention of data, it is for customer to determine what retention periods it wishes to establish.
End-of-contract process From the receipt of a notification of intent to terminate we arrange a review meeting, which is followed by a resolution meeting and if needed an exit meeting in which a full exit plan is agreed and then executed.
Exit plan will be conducted over a 12 week period and will ensure full delivery during this process, with agreed milestones and deliverables agreed for all stages.
After 12 weeks any additional service or support will be provided at charge agreed during the exit plan.

On termination of services, the exit plan shall consist of the following:
(a) We will provide Customer with a copy of Customer’s data from, in a manner reasonably requested by Customer (e.g. CSV, HTML, or Excel); and
(b) Access to personnel as required to assist in transfer of Customer Data.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The software has been enhanced to optimise use on a mobile interface. There is a dedicated mobile-enabled microsite. This ensures quick and seamless actions to complete tasks, actions, items and approval chains. Each mobile interface is customisable for each customer. This is supported by dedicated apps for functional input and for approval, commonly used for budget approval and time/expense management.
Service interface No
What users can and can't do using the API The Account Manager works with clients to set up service and relevant API during implementation.

Any changes to the API are logged with the Account Manager, who works with systems engineers to facilitate changes wherever possible.

Data within our system may be imported or exported through HTTPS either via the user interface or using our bespoke Integrator.

The bespoke Integrator, a light-weight Java-based integration tool, can be used to integrate to third-party applications. Several pre-built connectors exist currently for the following applications: JD Edwards; Oracle; PeopleSoft; and SAP; along with various other applications, including HRMS; project management, time collection, e-Procurement solutions; and other legacy applications.
API documentation Yes
API documentation formats
  • HTML
  • ODF
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Every implementation of our service is unique. Our service is fully bespoke - users can agree to customise any aspect, including: services, processes, configuration, goals, objectives.

Users can customise user interface, home page layout, reporting work flow, user access, approval hierarchy, organisational structure, corporate calendar, cost centres, performance indicators, thresholds, dashboards, system variables, onboarding, offboarding, custom fields, task codes, classifications, rate groups, rate schedules, classifications.

Customisation is available via in-technology customisation buttons and/or via our onsite system administrator.

Basic customisation can be accessed by all users, and during implementation dedicated system administrators would be agreed for more technical configuration/ customisation items. All of this is agreed by user role permissions, as agreed in implementation.


Independence of resources We give each client a client-specific environment, enabling separation and no impact by demand of other users. Each client receives its own dedicated team, support-networks and account manager, further ensuring they receive a quality service at all times.

As a software-as-a-service, SAP Fieldglass automatically and transparently handles scaling and redundancy based on SLAs governing performance and availability. It monitors application-servers, database-servers, bandwidth, and infrastructure for average and maximum utilisation with Orion.

Current utilisation averages c20% across all components with a goal of scaling component vertically or horizontally (depending on specific component) upon reaching 60% threshold, including web-servers, database-servers, and storage.


Service usage metrics Yes
Metrics types We provide fully bespoke metrics, configured and designed during implementation with client input.

The system provides:
-Analytical tools aid workforce management and planning
–Integrated reporting throughout the process allowing budgetary/spend controls and oversight
–Supplier management; dedicated supplier dashboards
Supported by a suite of MI including:
–Fill-rate reports
–Accrual reporting
–Direct engagement uptake reports
–Commission reports
–Payment files including breakdowns of VAT payable
–Savings reports
–Tenure Reporting
–Exception reporting
–Multiple other bespoke reports
The tool facilitates tracking/reporting of:
–Vacancy Rates
–Approval chains
Reportable by:
–Cost centre
–GL Code
–Reason codes
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest Other
Other data at rest protection approach SSAE 18 / ISAE 3402 Type 2 SOC1 since 2005. And finally, we offer a Type 2 SOC2 for all five principles.
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach We offer seamless exports in multiple formats, bespoke reporting suite, a dedicated analytics tool; data manipulation will be carried out in the system, or externally via raw exports. In addition we can facilitate bespoke data reporting and export requests via our account manager who will facilitate in line with performance indicators as standard.
In addition, clients have the ability to directly export any list or chart views likewise any analytical or statistical data in any of the following modules which can be exported with ease: PMO dashboard, visuliser, rota management tool, shift management tool, reporting accountancy.
Data export formats
  • CSV
  • Other
Other data export formats PDF
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Availability and resilience
Guaranteed availability We aim to provide a service accessible 24/7, excluding emergency maintenance windows (if taken during hours of 5am-8am GMT) weekly maintenance windows, and extended maintenance windows
We would offer clients a KPI of 98% availability
Service credits would be agreed during contract negotiations
Approach to resilience We do not wish this information to be public. Details of our datacentre setup and service design for resilience are available on request.
Outage reporting We communicate any issues clearly and quickly. Our onsite staff ensure reporting. We use email notifications to ensure ongoing communication throughout any outage.
In our experience, our system has had no unplanned outages, just planned maintenance.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels The system is fully configerable and we have the ability to provide 'chinese walls' and restricted access in multiple ways including but not limited: 1: user role permissions, 2: cost centres, 3: sites, regions and location. We can manage access via our account management team or train clients' own staff as system administrators and allow them access to manage access rights of others. Additionally, supervisors can be given access to manage the rights of their teams. All of the above is scoped during implementation and delivered inlive with pre-agreed business rules that form part of agreed KPIs.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QMS International
ISO/IEC 27001 accreditation date 12/06/2013
What the ISO/IEC 27001 doesn’t cover To our understanding nothing is not covered, but for the avoidance of doubt our technology delivers "associated services" as addressed below:
"The approved information security management systems apply to the following:-
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 10/11/2016
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover All parts of our technology solution are covered
PCI certification No
Other security certifications Yes
Any other security certifications
  • SSAE16/ ISAE3402 Type 2 SOC1: Audited since 2005,
  • Enterprise Security Policy Manual is based on ISO27002 controls.
  • SSAE16 Type 2 SOC2: successfully audited
  • SSAE16 SOC 3 : a system description and auditor’s opinion

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our robust suite of policies underpin our ISO27001, IG Toolkit and Cyberessentials accreditation. Our Information Security Management System has processes for all governance and security aspects, including staff training, data protection and retention, data transfer, hardware and access procedures.
Senior Managers (e.g. HR, IT, Operations) form our Information Governance committee, which reports to the Board, ensuring a whole-group and multi-role focus, and reviews performance and procedures.
Procedures for suspected/ actual information security incident (including near miss) mandate how each staff member should report, and what action is needed. We record all incidents on Datix to ensure a consistent approach to collecting information, and mandatory steps ensure escalation to appropriate managers, and undertaking investigations within agreed timescales. Our Clinical Director and Caldicott Guardian reports to ICO/ relevant third parties. Information Governance committee reviews incidents to verify actions were appropriate actions and lessons are learned.
To ensure policies are followed, all staff undertake training on Information Governance during induction, ensuring a baseline of knowledge. Responsibility for Information Governance is included in staff code of conduct. This is reinforced by system protocols (e.g. mandatory password resets to approved complexity level). ISMS and documentation are available on intranet, not hard copy, ensuring version control.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach The technology we use and its supporting infrastructure are governed by strict change control policies and procedures throughout thier lifetime. These controls are audited by a SSAE 16 audit to validate the operating effectiveness. Changes are assigned a risk category and are tested thoroughly by following a formal testing methodology.

The technology we use has procedures, processes, and technology such as VM templates, GPO, and DSC to deal with OS configuration management. The application follows strict life cycle management as well as source control management to ensure builds are properly processed and deployed.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach The technology we use follows a Risk Based Vulnerability Assessment Method, with internal and external weekly vulnerability scans. Vulnerabilities are rated on criteria, e.g. internally/externally facing, age, ease of exploitation, etc. The rating determines remediation.
Two departments address vulnerabilities: the security team scans for internal, external, credentialed and non-credentialed vulnerabilities and delivers a list of vulnerabilities with a defined risk level. The IT team patches systems based on vendors' patch cycles throughout their lifetime. Once the security team communicates vulnerabilities, the IT team works to remediate, testing in the staging infrastructure when possible, and deploying during the next suitable window.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach All devices and servers on the network log to an enterprise SIEM tool. The security team monitors this tool to ensure activity does not exceed the expected baseline. The application uses the LOG4J framework for logging system exceptions and issues. These system logs are reviewed by the Quality Assurance team to ensure silent failures and other problems are forwarded to the development team for resolution. The system audit trail provides customers the ability to monitor all actions in their company instance including failed login attempts and other actions taken by their users.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach SAP Fieldglass’s mature and tested incident response process is based on NIST standards and ensures that data breach notifications are make within the 72-hour period as stipulated by GDPR.
Please note that SAP Fieldglass already comply with the SOC 2 Privacy Principle, which address the most common privacy requirements. In addition, SAP Fieldglass added the ISO 27018 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII Processors to our ISO 27001 security program (ISMS), as well as the Cloud Security Alliance STAR certification.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £1 to £25 per unit per hour
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑