Tribal Education Limited

ActionPlan+ by Tribal

Tribal’s ActionPlan+ solution is a dynamic and very straightforward online tool which drives your continuous improvement process. The user-friendly software enables you to easily compile and maintain your evidence-based self-assessment and map and monitor a highly detailed improvement plan, all supported by targeted email alerts and notifications throughout.


  • Secure online access based on user permissions
  • Library for evidence mapped across multiple self-assessment frameworks
  • Fully editable self-assessment judgements and grades
  • Impact-focused goal and action plan builder
  • E-mail alerts and notifications for all key activity
  • Assigned ownership with quality assurance and automated audit trail
  • Multi-layered hierarchy for any number of departments, areas, sub-contracts
  • Management overview dashboards showing live progress
  • Hard copy downloads of Self-Assessment Report and Improvement Plan
  • Full face-to-face system training and ongoing consultancy included


  • Streamline self-assessment, transforming it into a truly live process
  • Widen engagement and increase accountability and ownership
  • Easily build your evidence base throughout the year
  • View judgements and grades across multiple departments or areas
  • Improve accuracy through detailed guidance and quality assurance workflows
  • Smarten up actions with success criteria and target dates
  • Quickly monitor and update the progress of actions
  • Improve the timely completion of goals and actions
  • Ensure you are confidently ‘inspection ready’ all year-round
  • Significantly increase the impact of your quality assurance process


£1860 per unit per year

Service documents

G-Cloud 10


Tribal Education Limited

Tribal Bids Team

0845 313 3151

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints N/a
System requirements N/a

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Our response times to queries and incidents is based upon the severity of the incident in question. Critical faults (P1) are responded to within an hour. Major faults (P2) are responded to within two working hours. Important faults (P3) are responded to within four working hours. Minor faults (P4) are responded to within eight working hours. Our working hours are Monday-Friday 0900 to 1700 - therefore there would not be a response on weekends. Customers can provide us with an impact and urgency rating for any issues they raise which we use to help triage and assign priority.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels All services offered will be supported by a Service Level Agreement suitable to the customer and the service ordered. There are three levels of service available; Essential, Enhanced and Enterprise and depending on the level of service required this will include a Service Delivery manager, Technical Project Coordinator and assigned Cloud Consultant. If additional out of hours or onsite support is required then this option is available at additional cost.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started The system is provided with a full suite of user documentation. During initiation of the project a full training plan will be scheduled and delivered according to the project timescales. Training is predominantly carried out on site. However, there are online training manuals and recorded training materials available as well.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction The underlying database containing all customer data would be provided to a customer-accessible destination prior to the contract ending.
End-of-contract process We would work with the customer to define an exit plan which would involve extraction of data and completion of any outstanding services. The exact nature and cost of this exit plan will vary from customer to customer depending on their requirements.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service N/a
Accessibility standards None or don’t know
Description of accessibility In order to allow for a consistent and accessible experience for users on our sites we ensure that all of our markup complies with the W3C guidelines for valid HTML. In addition to following the guidelines in development we also test on an extensive range of browsers including traditional (desktop), mobile and accessible and use the W3C validation service (
Accessibility testing We have done interface testing with our in-house User Interface experts.
Customisation available No


Independence of resources Our Tribal private cloud customers would be running their applications on dedicated virtual servers (including presentation and database tiers) with reserved resources (cpu/ram/disk) which are available only to them. This ensures that other customers demands on the system do not affect the provision and performance of the application, avoiding so called ‘noisy neighbour’ issues.


Service usage metrics Yes
Metrics types Tribal Cloud incorporates an application to provide alerts to relevant teams when issues arise or thresholds are exceeded.  It is a SaaS-based automated IT performance platform.  As it is SaaS-based no processing is done on the monitored node, consequently, it has a minimal performance overhead.
It can monitor any Tribal Cloud service as part of our managed service
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Other
Other data at rest protection approach Database instances will be encrypted including snapshots at rest using the industry standard AES-256 (SQL TDE). Once the data is encrypted, authentication of access and decryption of the data is handled transparently with a minimal impact on performance
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported in a number of common formats, such as csv and pdf. This is configurable on a user roles basis, so users can only export the appropriate data that they should have access to.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We offer a minimum 99.5% availability, assured by contractual commitments. Exact SLAs will vary from client to client and their desired uptime.
Approach to resilience Our service offers the cost and efficiency advantages that virtualisation brings along with centralised management and control, built in redundancy features like clustering, and a unified set of orchestration tools. The environment is backed by both our 100% Network Uptime Guarantee and our One-Hour Hardware Replacement Guarantee, supported by hundreds of Microsoft Certified experts to create a customised Virtualisation environment base.
Outage reporting Service outages are reported through both our support portal and direct contact from the appropriate service delivery manager who is assigned to the client. The method of communication will be agreed with the specific client, but could include email alerts, direct phone calls etc.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access in management interface and support channels is managed on a Role based Access Control system (RBAC) as with the rest of the system. In this way you can control which areas of the system and support users have access to.
Access restriction testing frequency Less than once a year
Management access authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register LRQA
ISO/IEC 27001 accreditation date 02/05/2017
What the ISO/IEC 27001 doesn’t cover N/A - our ISO accreditation covers all of our business activities.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications ISO9001:2008

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Tribal has been an ISO27001 certified organisation since 2009 and all of our development and delivery services will be delivered from locations which are specifically ISO27001 certified. The accreditation process included a review of Tribal’s Information Security Management System (ISMS) and our overall policy for handling data including how it is collected, held and maintained.
We have local security forums for all of our offices, which feed into our central Information Security Governance forum which reports to the board. We have permanent Quality and Security Managers who form part of this board.
As well as our regular certification revalidation process (carried out by external evaluators) we regularly test our systems and processes with a series of internal audits to ensure that policies and processes are being followed.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach For our software solutions, Tribal has a structured Change Control process for managing requests for change and enhancements. All Requests for Changes (RFCs) are raised via the Service Desk and go through internal vetting by the respective support team before gaining authorisation from Tribal. Regular Change Advisory Boards meet to review Emergency and non-standard changes. Details of all changes are provided to the Service Manager to review and will obtain final approval from the Contracting Body before proceeding. The Contracting Body will be involved in the change Process at each stage and included in any post implementation review as required.
Vulnerability management type Supplier-defined controls
Vulnerability management approach As part of our ISO27001 processes we have a risk/vulnerability assessment procedure which will be undertaken on any new customer site and service.
Patches will be deployed depending on the severity of the problem and the level of testing required.
Information about potential threats is found based upon initial and recurring risks assessments, internal procedures and known threats highlighted by both the industry and users.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Our managed service includes the proactive monitoring of all services to identify potential compromises.
Based upon the nature of the compromise we would then respond to the agreed SLA.
The speed of the response will be determined by the severity of the incident.
Incident management type Supplier-defined controls
Incident management approach Our ISO27001 processes include a defined Incident Management process. All personnel are responsible for reporting incidents to the Information Governance Committee (IGC) or Security Forum representatives as quickly as possible. We have a formal Incident Report Form which staff use for recording the details of the incidents.
Security weaknesses will be recorded on a spreadsheet for tracking purposes. Any person can identify weaknesses, which will be managed by the Quality team in conjunction with the Security Forums and IGC as appropriate.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £1860 per unit per year
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑