Program Planning Professionals Ltd (t/a Pcubed)

Microsoft Project Online for better project, programme and portfolio management

Microsoft PPM / EPM (Microsoft Project Online) delivers flexible and easy to use PPM / EPM solutions covering full project lifecycles. It assists organisations in aligning budgets and resources to business objectives and enables them to initiate, prioritise, track and deliver project, programme and portfolio investments to realise business value.


  • Project demand management identifies new ideas and projects-Idea Management
  • Project portfolio definition and optimisation to drive best value selection
  • Project resource management for managing demand and capacity/timesheets
  • Project schedule management for improved tracking and delivery/timesheets
  • Project financial management for budget, planned and actual costs
  • Consolidated View of Projects, Programmes, and Portfolio
  • Project team collaboration for improved working practices and understanding
  • Business intelligence and reporting improves decision management/Management Information
  • Securely hosted in UK datacentres with security cleared, permanent employees
  • Standardisation of PPM Methodologies and Frameworks


  • Consistent project management data and processes
  • Low total cost of ownership
  • Improved quality, timeliness and cost effectiveness
  • Enterprise-wide governance with standard gateway management
  • Improved project investment strategy aligned to business needs
  • Built-in capabilities including project dashboards, planning, risk and issue tracking
  • Microsoft Gold Partner with ISO27001 certification
  • Keeps investment risk at a manageable level
  • Ensures the most expensive asset (resources) is optimally utilised


£5.30 to £41.50 per user per month

  • Free trial available

Service documents

G-Cloud 9


Program Planning Professionals Ltd (t/a Pcubed)

Mark Sorrell

020 7462 0100

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints There are no other foreseeable constraints to the Services (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features etc.)
System requirements
  • Microsoft Internet Explorer Version 9 or later, Firefox, Chrome, Safari
  • The consumer must have the ability to access internet
  • Log in accounts (licences)

User support

User support
Email or online ticketing support Yes, at extra cost
Support response times Dependent on the severity level. We can respond to a client within one hour, if the severity level is high
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Support levels include Email, Phone, Service desk and Onsite assistance.
Each support request will receive a severity level which is tied to a service level metric. Service-level metrics specify the maximum amount of time to elapse before a customer, after opening an incident, the user will be contacted by a support representative. Initial response goals will be the same for all support package levels but will vary by severity. Initial technical response time is determined by the severity, as follows:
Severity 1; Urgent - A full system outage , the system is not working and this is affecting all users.
Severity 2; High - A major element of either the Microsoft PPM / EPM or Pcubed solution is not working at all and affecting all / nearly all users or the production of business critical reports.
Severity 3; Normal - A single or small element of the Microsoft PPM / EPM or Pcubed solution is not working and affecting a number of users or multiple teams.
Severity 4; Low -There is a problem which is affecting limited numbers of users or a less frequent part of the solution or regular reports.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Envisioning workshops, training , change management, providing a dedicated delivery team and support where necessary
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction OData - extracting PO data to an excel spreadsheet and saving project plans in Microsoft Project
End-of-contract process Microsoft and Pcubed are certified in ISO 27001, this enables Pcubed to comply with high standards of all our customer’s data security and integrity. Upon exit, all customer information will be securely destroyed and confirmation will be provided.
Also, Microsoft implements destruction and confirmation of destruction of all data upon exit of contract.
If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the retention period) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
After this 90-day retention period, Microsoft will disable the account and delete the customer data, including any cached or backup copies. For in-scope services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined in the Data Processing Terms section of Microsoft Online Services Terms.)

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 9
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service There are screen user interface differences, however, there are no limited functionality features
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Microsoft Project Online is an application and meets the published standards as an application. Microsoft accessibility statement on can be found on the Microsoft Accessibility website ( Microsoft publishes Voluntary Product Accessibility Templates (VPAT).
What users can and can't do using the API Microsoft Project Online has an Open API that allows integration with other systems (uni and bi-directional).
The API access of the following types is available: REST, SOAP. For further information, please see:
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The solution allows reports, letters and other communications to be customised with logos, fonts, branding and colours. Advanced customisation using pages, events, web parts and configuration can be provided to meet further requirements (e.g. add extra fields, access to API to build your own interfaces, etc.).


Independence of resources Availability reports are available via the Admin Portal of Office 365, for the overall platform and by service.
There is a separation in services between consumers; users are not affected by the demand of other users.
By using Office 365 API, further monitoring is possible. The service is based on Microsoft architecture which is fully scalable.


Service usage metrics Yes
Metrics types Please see the Business admins section found here
Reporting types Real-time dashboards


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach For data at rest, the service deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks. Your organization’s files are distributed across multiple Azure Storage containers, each with separate credentials, rather than storing them in a single database.
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Users can use OData to extract or import their data. Out of the box SharePoint allows export of all information to Excel. Pcubed could also develop specific reports relating to more detailed information and saving project plans in Microsoft Project
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • MPP
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, Outlook, and Outlook on the web. See also
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Microsoft supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. This protocol is an industry standard designed to protect the privacy of information communicated over the Internet. TLS assumes that a connection-oriented transport, typically TCP, is in use. The TLS protocol allows client/server applications to detect the following security risks:
• Message tampering
• Message interception
• Message forgery

For further information, please refer to:

Availability and resilience

Availability and resilience
Guaranteed availability Microsoft provides a contractually backed SLA to a minimum of 99.9%.
Backup, disaster recovery and resilience plan in place
Approach to resilience Office 365 services have been designed around five specific resiliency principles:

There is critical and non-critical data. Non-critical data can be dropped in rare failure scenarios. Critical data should be protected at extreme cost. As a design goal, delivered mail messages are always critical, and things like whether or not a message has been read is noncritical.

- Copies of customer data must be separated into different fault zones or as many fault domains as possible (e.g., datacentres, accessible by single credentials (process, server, or operator)) to provide failure isolation.

- Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability (ACID).

- Customer data must be protected from corruption. It must be actively scanned or monitored, repairable, and recoverable.

- Most data loss results from customer actions, so allow customers to recover on their own using a GUI that enables them to restore accidentally deleted items.

- Backup, disaster recovery and resilience plan in place

Further info:
Outage reporting Office 365 reports outages via the service status portal, Alert or Mobile Application

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Other
Other user authentication User access to interfaces is made possible with a user account: O365 account.
Without having the O365 account, users cannot gain access to the service.
Access to the service is limited to authenticated and authorised users.
Usernames and password control remain under the buyers control.
Access restrictions in management interfaces and support channels Access can be restricted based on the role of the user (administrator, team member with edit right, or only viewer).
In addition, if the user does not have a O365 licence, they are restricted from the service.
Access restriction testing frequency At least every 6 months
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information No audit information available
Access to supplier activity audit information No audit information available
How long system logs are stored for Less than 1 month

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 BSI
ISO/IEC 27001 accreditation date 17/01/2017
What the ISO/IEC 27001 doesn’t cover Control: The organisation shall supervise and monitor the activity of outsourced system development.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date 29/04/2016
CSA STAR certification level Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover None
PCI certification No
Other security accreditations Yes
Any other security accreditations
  • Cyber Essentials Plus
  • EU Model Clauses
  • EU-US Privacy Shield
  • ISO 27001, ISO 27018
  • SOC 1, SOC 2
  • FIPS 140-2

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes FISMA/FedRamp,
EU Model Clauses,
ISB 1596,
ISO 27018,

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402.
The service has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1/SOC 2, NIST 800-53, and others.
Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft. OSA combines this knowledge with experience of running hundreds of thousands of servers in datacentres around the world.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.
In addition to Microsoft’s ISO-27001 compliance, and their use of independent 3rd party penetration tests, they operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of their Operational Security Assurance (OSA).
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Configuration, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £5.30 to £41.50 per user per month
Discount for educational organisations No
Free trial available Yes
Description of free trial 30 Day Trial of Office 365


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑