Capita Business Services Limited

Capita Student Information System (SIS) in the Cloud.

Capita’s SIS captures and maintains data that educators need to support their students’ success along their academic journey. It does this by enabling more informed and effective collaboration between students and employees, as well as facilitating more beneficial and timely stakeholder engagement between parents, other institutions, agencies and employers.


  • Provides an Integrated Single or Multi-Company database platform.
  • Tracks the ‘Learner Journey’ from enquiry to completion.
  • Promotes ‘Self-Service’ for prospective new and existing learners.
  • Allows branding, customisation and local workflow-based business process mapping.
  • Facilitates a Mobile 1st platform for staff, learners and stakeholders.
  • Eliminates data errors by validating student data at source.
  • Reduces Statutory ILR/HESA maintenance overheads with efficient bulk error correction.
  • Promotes staff ‘Self-Service’ and improves learner engagement and outcomes.
  • Powerful reporting tools to interrogate/manipulate information from multiple data sources.
  • Provides ‘One version of the Truth’ from one system.


  • Reduces the cost of maintaining more than one database instance.
  • Reutilises data many times during the learner journey avoiding duplication.
  • Improves/increases revenue generation adopting a learner self-service e-business model.
  • Provides an off-the-shelf adapted tailored solution for local customisation.
  • Provides a smart mobile platform reducing cost of learner engagement.
  • Improves accuracy and validity of ILR/HESA data and thereby funding.
  • Reduces ILR/HESA maintenance costs and improves returns timeliness & accuracy.
  • Improves retention and achievement by achieving better/smarter learner engagement.
  • Improved decision-making by consolidating/comparing data from multiple data sources.
  • Reduces time/effort spent on cross-comparison of multiple systems.


£40 per user per month

  • Education pricing available
  • Free trial available

Service documents


G-Cloud 11

Service ID

4 6 1 2 1 5 6 4 3 8 4 7 7 0 7


Capita Business Services Limited

Capita Business Services Ltd


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
We can offer the same solutions and services as an on premise solution. All the same product benefits and features are available in the on-premise solution and we can also offer a managed service for this type of deployment.
Cloud deployment model
Public cloud
Service constraints
The service provided is based on a Windows stack as a SaaS solution and is delivered to the Customer via RDS for back office power user applications and Browser for front office applications. This requires the power user client to be able to run a RDP client which comes as standard on Windows O/S and is available as an option for non-Windows clients. The service costs include the RDS licences required to fully implement the solution.
System requirements
  • RDS Client for back office applications.
  • Web-facing applications require recent web-browser and is device independent.
  • All licensing has been incorporated into the SaaS solution costs.

User support

Email or online ticketing support
Email or online ticketing
Support response times
Target response times are based on the severity of the issue as follows:

Priority 1 and 2 within 4 working hours.
Priority 3 within 8 working hours.

Priority 1 – This indicates that the system is down or inoperable and no workaround can be found.
Priority 2 – Urgent but does not affect the whole system, or a business-critical function.
Priority 3 – Standard, problem needs a fast turnaround, but does not threaten any business-critical functions.

The above response times are for Monday to Friday working hours and do not apply to weekends.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Consultant Project Manager:

•Definition of detailed remits for Supplier services, monitoring delivery and actions.

•Providing detailed objectives information, preparation, expected outcomes, attendees, and outlines for consultancy sessions.

•Providing project management resource to co-ordinate the work of the functional groups.

•Providing expert advice and support for the implementation of software and related changes to working practices.

Lead Consultant: Responsible for the delivery of consultancy workshops and training during implementation. They understand the requirements and are able to provide support, advice and guidance.

Key responsibilities include:

•Conduct workshops to provide an overview of the application, review processes and establish the deliverables for the following consultancy and training sessions for each functional area.

•Develop process-driven training following any decisions reached during the workshop sessions to establish procedures.

•Deliver consultancy and training sessions ensuring all specified objectives are met.

Business Analyst/Developers: Their role is to gather information and confirm for the development of portals, reporting, workflows and data migration.

Installation Engineer: The installation engineer is responsible for installation and support of products on preconfigured servers.

Daily rate of up to £1095 per day with discounts for bulk purchases of days.

Capita provides a FOC Technical Account Manager to deal with support and application issues.
Support available to third parties

Onboarding and offboarding

Getting started
An initial project management meeting is held to establish the boundaries and to plan whether delivery has a big-bang or phased approach. Once the plan is established taking account of the Customer’s milestones, training and consultancy workshops are scheduled and delivered on-site. Training is module-based and can be clearly divided into technical and business areas. As it is process-based, it increases the effectiveness of the training and is relevant to staff roles. Training in modules for functional areas is provided following consultancy workshop and process review sessions so that the training follows any decisions reached that impact the implementation of a module. Proficiency is measured by constant reviews with the Lead Consultant and Project Manager to ensure that all objectives are being met and are understood by the relevant staff.

All training will be provided using the train-the-trainer approach. This will ensure that employees can continually update their skills via training programmes in the workplace. It also ensures that the trainer continually improves upon the design, delivery and management of training programmes.

A training database is installed and all training documentation is provided in hard copy and electronic format. Handbooks are also supplied with each module.
Service documentation
Documentation formats
End-of-contract data extraction
All critical data for the operation of our Hosted and SaaS solutions resides within the RDBMS within the solution. The data within the solution remains the property of the Customer.

Capita’s SIS provides a set of data extraction tools (Report Generator) that enable users to extract data they wish to retain at the end of the Contract. This can be done at any time prior to the Contract end date.
End-of-contract process
Capita will work closely with the Institution in the Project Initiation phase to capture all requirements and dependencies and feed these into an agreed service transfer plan. It is also important that during this phase we identify and mitigate the issues and risks associated with this exit. At Capita, we are keen to work in partnership with all customers to ensure delivery of a successful solution. Once the data extract scope has been agreed, Capita is happy to liaise directly with the successor provider. If the leaving customer requires assistance in defining the scope, Capita will provide this support and would reserve the right to charge for this if the data is to be transferred in a format other that CSV.

At the end of Contract the system will no longer be accessible for operational use. We can however provide read-only access to the database server along with a report generator licence to allow for data access or extraction beyond the Contract period subject to an additional annual reoccurring cost.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
Designed for use on mobile devices
Differences between the mobile and desktop service
Capita's SIS provides two front-facing solutions for mobile devices.

Online Services – This provides a web-based set of services for enquiries, applications and enrolments including payment options for new prospective and returning students. These services support the use of tablets and through responsive templates can be configured for smartphone use.

Advantage – Provides a suite of web-based information service apps for students, staff, parents and senior managers. These are designed for appropriate mobile applications with the student app supporting smartphone and the others, tablet devices.
Service interface
What users can and can't do using the API
Capita's SIS Web API takes the form of a REST API that can be called from within any third party product, based on an environment that supports the use of the HTTP protocol.

The API provides export and import data using a report writer tool, CRUD (Create, Read, Update and Delete) methods on all data classes and specific functionality for business processes such as creating an enrolment.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Capita’s SIS is highly customisable; it is possible to modify all data entry screens and web screens or create entirely new screens. We provide the ability to modify all standard reports and to design and deploy those defined by the Customer.

We provide a set of tools called Information Interface and Internet Builder that can be used to modify and design data entry screens and a Report Generator engine for the modification and design of reports that can be deployed to SQL Reporting Services or Office Applications. We also provide APIs to enable further extensibility.

Customers can be trained to use all the customisation tools, we also provide consultancy services to assist in bespoking and extending the solution, through a partnership programme third parties can also be endorsed to integrate with our solution using the supplied APIs.


Independence of resources
Each Customer is individually hosted with their own designated services and therefore isolated from the demands of other users.

Service availability is assured by contractual commitment on a Customer by Customer basis. Capita will use all reasonable efforts to make the system available with an annual uptime percentage of 99.5% during the Service year of 365 days. Availability is checked using a third party monitoring service, these carry out checks against monitoring targets reporting both availability and response times from numerous locations around the world. This guarantees that availability is not adversely affected by the demand of other users.


Service usage metrics
Metrics types
Customers are provided with a Service Statement either monthly or weekly depending on the Contract. The statement lists:

- Open Cases Backlog as at report date.
- Cases Raised in the Last Month.
- Cases Closed in the Last Month.
- Disk usage, Utilisation and Performance report.
- Index and tables checks.
- Backup checks.
- Server Availability (uptime) in the Last Month.
- Server Availability (uptime) in the Last Twelve Months.
- Average Server Availability in the Last Twelve Months.
- Summary of Licences and Products (Active and Expired).
- Useful Links to find additional information.
- Forthcoming events.
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Other data at rest protection approach
Microsoft uses industry standard access mechanisms to protect Windows Azure’s physical infrastructure and data centre facilities. Access is limited to a very small number of operations’ personnel, who must regularly change their administrative access credentials. Data centre access, and the authority to approve data centre access, is controlled by Microsoft operations personnel in alignment with local data centre security practices.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Customers are provided with a range of tools for the import and export of data. During the onboarding process we will work closely with you to import data from your legacy system through a set of CSV imports and at the off-boarding stage to extract data as defined as part of the Implementation Project.

During operation we provide tools for one-shot, scheduled or real-time data import/export using our Report Generator, Scheduler, XML Exporter and RESTful APIs.
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • XML
  • JSON
  • Specified separator/delimiters - +, | etc
  • MDB
Data import formats
  • CSV
  • Other
Other data import formats
  • XML
  • JSON
  • Specified separator/delimiters - +, | etc

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
Other protection within supplier network
Connections between the data centres, and access to the servers themselves, if needed, are provided over an AES128/192/256 encrypted VPN. Data centres are located either in the UK, Dublin or other centres specifically requested by the Customer. Capita can therefore guarantee that all data for our customers will be located within the EEA and will not be transmitted outside of the EEA.

Availability and resilience

Guaranteed availability
The solution is available 24 hours a day, 7 days a week, 365 days a year outside of regular and planned maintenance windows for routine upgrades which will be scheduled in consultation with the Customer.

Capita will use all reasonable efforts to make the solution available with an annual uptime percentage of at least 99.5% during the Service year.

Availability is checked by both Capita and an independent third party monitoring service. These systems carry out identical checks against dedicated monitoring targets to report both availability and response times from numerous locations around the world. The SLA agrees to a 99.5% uptime and Capita would be pleased to discuss the requirements for service credits should an organisation wish for these.
Approach to resilience
The solution has been designed to be as resilient as possible to avoid the need to invoke a disaster recovery process. There would need to be a very significant incident to trigger the disaster recovery process. Capita tests our disaster recovery procedures at least once a year.

During the implementation stage Customers may request a DR test for their environment, which can be incorporated as part of the Go Live sign-off.

Microsoft uses industry standard access mechanisms to protect Windows Azure’s physical infrastructure and data centre facilities. Access is limited to a very small number of operations’ personnel, who must regularly change their administrative access credentials. Data centre access, and the authority to approve data centre access, is controlled by Microsoft operations personnel in alignment with local data centre security practices.
Outage reporting
Where an incident results in a major outage, all Customers affected by the outage will be notified by email as the problem becomes known. In cases where the delivery of emails between the Service Desk and the Customer may take longer than 60 minutes, every effort will be made to contact the Customer by telephone.

The Service Desk will take responsibility for restoring full service as soon as possible and will provide updates on the resolution of the problem and estimated time of restoration of full service, both by email and via the website, during Scheduled Service Hours. In the event that the outage is predicted to last more than one working day, this will be escalated to the Support and Education Manager.

In the event of a critical system failure, the Service Desk will liaise with all necessary parties to resolve the problem and keep all Customers informed of the situation.

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Capita’s SIS provides a user access control system, database manager – users, allows access restrictions to both applications but also column and row level locking, which will limit the users/group access to records (only students within a specific department for example) or field level (no access to NI Number for example). These rules are applied throughout the system and so can apply to management interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Assessment Bureau
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
The Information Security Management System is applicable to: Provision of data centre and connectivity services, and those aspects of associated ‘cloud’ managed services under the company’s control Statement of Applicability, version 5. Anything outside of the certification is not included or covered
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
The solution is designed to comply with all the legislative requirements such as the ones mentioned above. Wherever possible, the solution will meet and exceed the UK legislative requirements. Capita conforms to the data protection requirements for our hosted solution and is registered with the Information Commissioner’s Office. Our hosting supplier Microsoft Azure is certified to ISO 27001:2013. The certification scope is as follows: The management of information security in relation to the supply of data centre hosting, co-location, support and managed services. This is in accordance with the current version of the Statement of Applicability.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
All reports of incident and changes to the Service Desk are assigned a priority dependent upon an assessment by the Service Desk of the severity of the problem and the impact it has on the user base and the Customer.

The Service Desk will contact the originator of the call within one hour of receipt of the incident through the Service Desk. All changes made to the system, whether hardware or software related, will be made using the standard Capita’s Assist Managed Services change control process; this has been written in accordance with ITIL.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We assess threats in accordance with the Capita Security Standard by undertaking continual risk assessments of the Azure platform.

Patches are deployed via an automated process within the standards’ agreed guidelines: 30 days within tolerance, 7 days at tolerance and 24 hours at the critical limit.

A monitoring solution (Operations Management Suite) uses a Microsoft knowledge base and scans the servers and identifies any patches that need to be applied and the tolerance level.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our service makes use of the Security Information and Event Management (SIEM) this provides a real-time analysis of security and potential threats and compromises.
When potential risk is identified, the following process is undertaken using Capita Cyber Security Guidelines:
 Identify what happened and determine the implications.
 Limit the effects of the incident and then eliminate its cause.
 Recover from the incident and resume normal business operation.
 Review the incident to help prevent recurrence.

Vulnerability notifications are transmitted in real-time to the Hosting Operations Team, assessed and responded to in line with the incident management SLA.
Incident management type
Supplier-defined controls
Incident management approach
Capita has defined processes in place to ensure that effective communication between ourselves and our Customers takes place at all times, and recognises that this is especially important should there be an incident affecting our Customers.

The Customer will log incidents with the Capita Service Desk via the Support Portal, by email or via the direct support telephone number.

Monthly summary of all cases is provided to the Customer. In the event of a major incident a specific report is issued.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£40 per user per month
Discount for educational organisations
Free trial available
Description of free trial
As part of a procurement process it is possible to provide access to a sandbox should it be required.

Service documents

Return to top ↑