Design & Build

We create digital products and services such as websites that play a vital role in delivering a superior customer experience. The platforms and applications we develop use the latest technical architectures, microservices, API integrations and development frameworks that take full advantage of cloud technologies and scalability.


  • Acquia CMS
  • Sitecore CMS
  • Mobile development
  • Enterprise portals
  • Digital asset management
  • Component audit
  • CX journeys and persona creation
  • User testing
  • Rapid Prototyping
  • Digital brand creation


  • scalable cloud-based CMS using open source
  • cloud-based experience management and personalisation
  • iOS and Android development
  • support applications for operational users
  • centralised management of digital assets
  • utilising the building blocks of a new digital product
  • see clear, objective and first hand evidence from customers
  • how products will be used; test content, messaging, findability, design
  • see working prototypes and how likely concepts are to succeed
  • blueprint for businesses to create elements that retain brand ethos


£10000 to £1000000 per instance per month

Service documents

G-Cloud 10



Neil Clayton

0208 239 5080


Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Consultancy
Data & Content
Cloud deployment model Public cloud
Service constraints Any constraints would be considered on a case by case basis
System requirements N/a

User support

Email or online ticketing support Email or online ticketing
Support response times We have a breakdown of service response times provided in an agreed SLA with clients. The response times are dependent on the severity of the issue. The minimum response time is 1 hour for a severe issue affecting core functionality of an application. Out of hours the minimum response time is 2 hours.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Onsite support
Support levels We can tailor a support offering to meet the needs of our clients. But in essence we have split ORM support into 3 sections: incident management, maintenance & minor enhancements and continuous improvement. Each of these can be scaled to your individual requirements.

Incident management – this service is required to respond to and resolve high priority incidents. ORM can offer this as either an in office hours service or as a 24/7 service

Maintenance & minor enhancements – this service is required to undertake small feature requests, rectify lower priority issues and carry out proactive maintenance

Continuous improvement – this is required to ensure SEO visibility, optimal conversion rates (CRO), optimal UX and design. These initiatives can run as part of the Managed Service retainer, although dedicated resource is required to run the programme - i.e. define the initiatives, deploy the changes, measure and assess the results

Both a technical account manager and cloud support engineer can be provided dependent on the scale of the project.
Support available to third parties No

Onboarding and offboarding

Getting started ORM initiates a rigorous onboarding process that covers the key elements required for a successful business relationship. We will present our approach and capture any client requirements with the aim of agreeing each of the following:

Working locations
Including visits with the client to locations for work and agreeing any co-location requirements.

Client briefings
The process required for briefing in work, ensuring that all client requirements are documented clearly.

Present and agree templates for scope of work and agree any amendments or additions.

Commercial approvals
Discuss and agree the commercial approval process including key points of contact and expected approval and lead times.

Ramp up times
Discuss ramp up times for different teams and phases of projects.

Project planning and control
Agree the framework for project planning and sprint cycles.

Change control & risk management
Agree process for project changes and how risks / mitigations will be identified, captured and communicated.

Work sign off
Agree approach and schedule for stakeholder reviews and sign off of work.

Status and reporting
Agree format and schedule for status meetings, stakeholder reports and performance reviews.

Present quality assurance process and client user acceptance process.

Agree process for escalation and contact details.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction We can provide data in various forms as required by the client at the end of the contract e.g. encrypted flat file export
End-of-contract process Generally, all deliverables created through the project process are handed over e.g. documentation, digital assets and access details to environments owned by the client, etc. Ad-hoc tasks such as data exports, other application development, etc, or third-party training are all costed separately as part of an exit programme.

Using the service

Web browser interface No
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing We design to W3C WAI and WCAG 2.0 AA standards by default, with numerous checks throughout our workflow to ensure compliance. All of the work we have delivered for our clients in the past 4 years has met WCAG 2.0 AA standards.

We recommend a full suite of user testing activities within our design phase (separate and distinct to the audience and stakeholder research we conduct in our ‘Discovery’ phase) to ensure wider accessibility and usability issues are addressed. In order to de-risk our design solution and maximise feedback from key audience groups, we advocate a series of User Centred Design activities throughout the Define and Design phases of the project. In order to best facilitate the completion of these activities, we recommend acquiring a User Testing Panel of 50 users per audience type; this panel is then engaged for all user testing activities. We also recommend a final face-to-face lab-based user testing session with 5 users from the panel per audience group.
Customisation available Yes
Description of customisation For every project we undertake, ORM employs our proprietary, robust 5D process, which includes the phases of Discovery, Definition, Design, Development and Deployment of an initial solution/platform release or Minimum Viable Product (MVP). Discovery and Definition tend to utilise a more traditional waterfall approach; followed by agile design and delivery phases, undertaken and co-created in collaboration with you. We believe that ‘no one size fits all’ and therefore adapt our processes to suit our client’s organisation.


Independence of resources We have dedicated client services teams on every project. Our approach to client services is the foundation of our success, illustrated by the growth and longevity of our client relationships.


Service usage metrics Yes
Metrics types Insight, analysis and optimisation: specific “deep dives” into transactions, site performance, conversion rate optimisation, multivariate testing and PCI compliance post launch fall under the remit of our ‘continuous improvement’ team. As well as Google Analytics, we are proficient in a range of other tools such as clickstream analytics (SessionCam, Decibel Insight), survey tools and basket abandonment solutions.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach Please see response to end-of-contract approach – ORM can provide data in various forms.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability We have in place a 4-tier SLA, dependent on the severity of issues:

P1 – Issue renders core functionality inoperative or security breach that affects the Application
P2 – Functionality inoperative, but does not prevent the core application functioning
P3 – An issue which has little impact on operability, for which a workaround exists
P4 – Ad-hoc change requests or Helpdesk queries

Our response times on the issues can be provided to each client; we offer in and out-of-office availability too.
Approach to resilience Information available on request
Outage reporting We work with third-party hosting providers to guarantee a service uptime in line with the underlying SLAs. In the case of cloud providers such as Amazon Web Services, these SLAs are a minimum of 99.95%. When architecting systems, we ensure that reliability and resilience are designed in from the start, removing single points of failure and configuring for high availability (e.g. database replication and failover, instance availability split across data centres etc).

Automated tools that monitor the uptime and security of our systems will alert our team (and your product owners if required) through a dashboard, and using our issue management system together with email and telephone notification channels. The same will apply for any detected cyber security breaches.

We work with clients at the start of projects to define a business continuity (BC) plan in the event of a disaster recovery (DR) event. The plan typically covers:
- Backup methodology
- Key contact details and escalation process
- Data verification procedures
- Identification of potential disaster recovery scenarios and recovery process
- Roles and responsibilities
- Deployment details (hosting partner, network, hardware etc)
- Service level agreements

Identity and authentication

User authentication needed No
Access restrictions in management interfaces and support channels We use a range of tools, such as JIRA (Atlassian), and access levels for different staff within departments are agreed at the onboarding stage.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 QAS International
ISO/IEC 27001 accreditation date 21/04/2018
What the ISO/IEC 27001 doesn’t cover Information available on request
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications ISO 9001

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ORM is ISO 27001 and 9001 accredited and we conform to industry standard security policies.

We also have an internal Cyber Security team tasked with final assurance of applications and releases prior to launch and responding to cyber related incidents should they arise. The incident escalation process is defined and communicated internally with all staff encouraged to raise security issues whenever and wherever they are located. The Cyber Security team then responds and coordinates the technical changes and where necessary liaises with external teams or other security partners.

Operational security

Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Business change consultancy, planning and support are fundamental strands of any digital transformation engagement ORM undertakes. They are baked into our process from discovery through to delivery, as well as forming a dedicated stream in the digital roadmaps we create.

A solution design pack forms part of the change management process that we often “roadshow” in various forms around an organisation to gain shared understanding and adoption. Once the change management plans outlined are agreed with the client, ORM supports with their delivery.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Security is taken seriously on every project, with a secure-by-default approach taken to both the user experience and technical platform – e.g. reCAPTCHA, encryption-at-rest, SSL by default etc. We insist on external security partners to validate major releases before launch and can either work with partners supplied or can make recommendations if required. In addition, we can configure 3rd party security tools such as CloudFlare and AWS Shield to help protect against DDoS and other forms of attack. Our support teams also configure centralised logging tools such as Kibana so that access and error logs can be regularly analysed.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Appropriate layers of Prediction, Detection, Prevention and Response will be implemented for a project. We will work with 3rd party security test companies to assure the approaches we implement. We will verify their test methodologies and scope. We insist on whitebox testing and will provide access, test data and documentation (under NDA) to maximise the effectiveness of testing. Identified issues will be scored, triaged and verified. Scheduled testing and reviews will be implemented across the lifetime of the project to ensure the measures implemented remain current and appropriate.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Our incident management process enables us to respond to and resolve high priority incidents. ORM can offer this as either an in office hours service or as a 24/7 service.

Break / fix issue resolution covering P1 and P2 incidents will be undertaken to agreed SLAs. All issues are logged and tracked via an issue management system, providing an audit trail of activities.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks No


Price £10000 to £1000000 per instance per month
Discount for educational organisations No
Free trial available No


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document