Marval Software Limited

Marval MSM Integrated ITSM Software Support, Training & Consultancy

Innovative IT Service Management software (MSM) empowers service delivery teams to provide a world class service to its customers. MSM is a secure & scalable, ITIL compliant, ISO/IEC20000, ISO27001 certified & cyber compatible deployed via SaaS or on-premise, enabling organisations to deliver flexible and cost-effective customer, service centric business solutions.


  • Integrated, codeless & configurable service management software solution
  • 100% web-based
  • Intelligent business rules engine, classification and routing
  • Powerful business intelligence tool for dashboards and reporting
  • Customer and service centric service portfolio & service level management
  • Powerful searching 'Google' like searching tool
  • Integrated web self-service portal and mobile capability
  • Extensive security, access controls, audit and views
  • Drag and drop graphical workflows for ease of use
  • Staff usage and resource accounting


  • Improved customer experience and communication
  • Improved control, accountability, governance & compliance
  • Improved service quality & business value of ICT supplier
  • No request or activity lost forgotten or ignored
  • Standardise the way you deliver services to the business
  • Increased control & auditability of the service infrastructure
  • Customer web self-service portal available 7x24x365 days of the year
  • Rapid deployment, easy to maintain & configure
  • Increased Service infrastructure reliability
  • Used in any part of the enterprise requiring service/support


£12 to £72 per licence per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 11


Marval Software Limited

Julian Ratcliffe

01536 711999

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements
  • Windows platform
  • SQL Server
  • Either named, concurrent or a mixture of Marval software licences

User support

User support
Email or online ticketing support Email or online ticketing
Support response times For a P1 our standard response is 2 hours.
For a P2 our standard response is 4 hours.
For a P3 our standard response is 8 hours.
For a P4 our standard response is 1 day.

Our standard business support hours are 0800-1800 Monday-Friday (excluding UK bank holidays).
24 x 5 or 24 x 7 phone support is available at additional cost.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Web chat is accessible via the self-service portal available to all customers.
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels Our standard UK Support is available to all customers Monday to Friday 0800 - 1800 UK time, excluding UK Bank holidays. 24x5x365 and 24x7x365 support are available as chargeable extras outside of the standard support hours.
Customers have access to the Marval self-service portal 24x7x365.
Each customer is provided with a technical account manager who is available during normal business hours.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Discussions with the customer will determine the specific training needs. All customers receive Operational Training: this is either directly from the Marval Product Trainer to the staff involved or, in the case of large numbers of trainees, to a trainer at a customer site who will then relay the knowledge down to their colleagues. In addition, all customers receive System Configuration Training, Service Reporting Training and Web Self-Service Administration Training.

Additional training courses on offer include Service Asset and Configuration Management Training, Technical Administration Training, Surveys Training, and bespoke training relating to specific processes such as Change Management, Knowledge Management and many others.

Every customer will be provided with documentation for all courses in hard and soft copy (PDF) format.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Data is sent upon request via SQL Back up files.
End-of-contract process Once a contract has finished, upon request Marval will send a copy of the data via SQL Back up files back to the customer. All data will then be deleted from our servers as part of the contract. There is no charge for this.
A customer can choose to keep a copy of the data on our servers purely as a storage copy. There is a minimal charge for this on a monthly basis.
As part of GDPR an approved signatory is required to release any data.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service The MSM core application will work as normal on any mobile device via a web browser although not all pages have been optimised to fit the screen size of a mobile device.
To ensure ease of use for mobile users such as engineers who need to raise, update, approve (if required) and close Requests, easily create CIs using the barcode scanner and many other tasks, Marval have developed native iOS and Android mobile applications, enabling users to complete work on the move, over mobile and Wi-Fi connections.
Service interface No
What users can and can't do using the API Our SOAP web service can create, read, update and delete entities in Marval MSM. All the major entities are covered (inc. requests, configuration items and organisational units) and we can provide a WSDL file if required. The new RESTful web API that is currently in progress is being used to provide data for our new mobile application and is being updated frequently to provide more functionality.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Users are able to configure and classify the delivery.
Users can configure the look and feel including colours, layout including widgets.
The ability to configure is defined in the individual's assigned role.
All configuration changes are maintained between updates and fully audited.


Independence of resources Each customer gets their own set of web servers; there is no overlap with other users. Other components that are shared are carefully monitored with automatic alerting when performance starts to degrade before it impacts any user or service.


Service usage metrics Yes
Metrics types All standard ITSM reports as required by ITIL, ISO/IEC20000, ISO27001 and the Service Desk Institute (SDI). Users can modify existing standard reports or can create their own.
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be downloaded in .csv format at any time.
Analytics can be exported further into DOC, DOCX, XLS, XLSX, PDF, HTML and PPT.
Data export formats
  • CSV
  • Other
Other data export formats
  • DOC
  • DOCX
  • XLS
  • XLSX
  • PDF
  • PPT
  • HTML
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Marval standard SLA for all customers regarding availability is 99.95%.
Any refunds are as per contract.
Approach to resilience Resiliency within iland (our hosting provider) is managed through the use of ITIL v3 frameworks and validated through third party auditory reviews and incorporated within the SOC2, CSA STAR and ISO 27001 certifications and attestations. iland’s approach to resilience includes but is not limited to support for distributed processing, storage and communications with the use of extensive redundancy and multi-carriers.
Outage reporting If Marval's software suffers any form of outage then we will inform our customers via telephone or email alerts.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Roles can be assigned to each user in the system giving them permissions to potentially view, create, update and delete entities in MSM. In addition, some resources can be further restricted by their groups within the organizational structure, access groups and access levels.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL
ISO/IEC 27001 accreditation date 06/02/2019
What the ISO/IEC 27001 doesn’t cover Annex 14.2.7 Outsourced Development.

This control was not included in our ISO 27001 scope as it is not applicable. No outsourced development takes place.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Since being certified with ISO 27001 a lot of changes have been made to existing security policies; new policies have been introduced to ensure the confidentiality, integrity and availability of our data is kept. We have a specific policy document for each of the ISO 27001 controls (Organisation of Information Security, Human Resources, Asset Management, Access Control, Cryptography, Physical and Environmental, Operations, Communications, System Acquisition Development and Maintenance, Supplier Relationships, Information Security Incident Management, Information Security aspects of Business Continuity, and Compliance.), and these policies are enforced by our Information Security Officer. This is backed up further by quarterly internal audits of processes and training courses provided to staff.

Information security risks and weaknesses, internal audits and recurring tasks are all recorded using our own service management software. This can then be easily reported on and data used to facilitate more thorough risk assessment and management of future projects and changes.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Marval’s Configuration Process controls and audits the changes in the service/ infrastructure. All assets and configurations are recorded in the CMDB. Scheduled internal audits ensure all records are upto date. Change requests are recorded and approved as required. The impact and risk assessment of Changes is done in conjunction of the Configuration and Release Manager and any stakeholders. The Configuration Management system is used to identify relationships, dependencies and risks between items within the infrastructure. When the change is completed the outcome is recorded, reportable and required persons automatically notified.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability management is handled in several stages of the software development lifecycle. At the planning stages of new features or bug fixes, security implications are assessed and a framework of best practice is followed. Due to our agile development process, security patches can be implemented and tested in a matter of weeks if required. Internal and external penetration testing and vulnerability assessments are carried out on all major release builds. Information about potential threats come from several security forums and known frameworks.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Iland (our hosting provider) maintains adherence to DPA, ISO27001, PCI DSS , CSA STAR as well as BS 10012:2017 standards for monitoring which includes the use of SOC and NOC operations to ensure real-time staffed oversight.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach In addition to standard incident, Marval supports security incidents and associated workflow and classifications. Marval is certified against ISO/IEC 20000 and ISO27001 for all service management processes and functions.
Users can report incidents through multiple channels, including self-service portal, telephone, e-mail, live chat, API's and a range of systems management and automation tools. All incidents are treated with the same level of expertise no matter which channel they originated from.
Reports can be automatically scheduled to be dispatched to a customer or are provided upon request via their assigned account manager.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £12 to £72 per licence per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Full user functionality based on a temporary licence key on either a named or concurrent licence basis. User guides are included as no training is offered during the trial period.
Time period for the trial is usually limited to one month.

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑