Costain Limited

GIS Routing and Proximity Analysis

Web-based multimodal routing (drive and pedestrian) and proximity solutions. Optimised routes and directions, react to real-time traffic conditions, route multiple vehicles to multiple destinations, increasing efficiency of workflows. Discover proximity relationships, including how close is one facility to another, distance between two points of interest, nearest facility from location etc.


  • Web-based mapping
  • Geospatial driving time and distance
  • Geospatial walking time and distance
  • Geospatial route planning
  • Geospatial catchment areas
  • Geospatial mapping of distance between facilities


  • Reduced carbon emissions
  • Reduced fuel costs
  • Reduced travel times
  • Reduced time of asset and data location
  • Improved collaboration across all disciplines
  • Better reporting and metrics for Business Intelligence
  • Improved decision-making process based on evidence and data
  • Reduced cost of unplanned delays
  • Minimised cost of repetitive or abortive work
  • Better, faster, value enhancing planning using location-enabled tools


£4,700 to £25,000 a unit

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

5 0 2 0 2 6 9 0 5 0 9 7 0 3 0


Costain Limited Tim Ellis
Telephone: 01628842444

Service scope

Software add-on or extension
What software services is the service an extension to
Esri ArcGIS
Cloud deployment model
Private cloud
Service constraints
A pre-requisite is Esri's ArcGIS Enterprise or ArcGIS Online (licensed per user via an ArcGIS account, and by system storage capacity). This software can be procured directly from Esri UK (or one of its resellers).
System requirements
  • Esri ArcGIS Enterprise 10.5, 10.6 or 10.7
  • Microsoft Windows
  • Minimum 8Gb RAM
  • Minimum 100Gb storage
  • Modern web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support calls are categorised by urgency and assigned with a corresponding priority, according to impact and severity. Priority is ranked on a scale of 1 to 4, where 1 is most critical.

Response times are:

Priority 1 - 1hr response, 4hr resolution
Priority 2 - 2hr response, 8hr resolution
Prioirty 3 - 24hr response, 48hr resolution
Priority 4 - 24hr response, 168hr resolution

Service times are 9.00am to 17.00 (UK time), Monday to Friday.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Costain provides support and maintenance services, managed and certified to the ISO20000 Service Management standard. This ensures that we can focus on delivering value by being agile and flexible in meeting our clients service needs, whilst continually monitoring and improving our service provision.

Our standard support times are 0900 - 1700 (UK), Monday-Friday and our service desk can be contacted via phone or dedicated gcloud email address (

All service staff are ITIL trained and we follow both the best practices set out by ITIL and required by our ISO certification.

We provide: Mature Service Management process aligned with ISO2000 and ITIL; Service and contract management with dedicated service managers; Service level management and ability to work with clients to design services and define appropriate service requirements; Service management reports and KPI management; ESCROW services to ensure business and service continuity; Continual Service Improvements processes and reports.

On-site support post-handover is based upon SFIA rates.
Support available to third parties

Onboarding and offboarding

Getting started
We provide an on-site handover service to ensure that the client understands how the system works and how to use the tool. This is supplemented by comprehensive documentation to act as reference material to the service; this will also be reviewed as part of the on-site handover process. The handover process is supplemented with remote desktop access where our consultants can guide through use of the service remotely. The on-boarding is further augmented by our Service Desk, through which users can log request calls which are either responded to via email or telephone, once a call has been logged and prioritised.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
We will jointly agree the scope and price for data extraction as part of the initial contract. Based upon the scope we will export the data and provide it as agreed on a case by case basis.
End-of-contract process
At the end of the contract we will manage and maintain the data for a period of 3 months, unless otherwise agreed on a case by case basis. After this initial 3 month period all data, including personal data, will be destroyed. If a client wishes us to hold the data (for future use at an unknown point in time) we can agree a price to hold the data at additional cost per gigabyte.

Using the service

Web browser interface
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The key difference is the layout for mobile devices - with a different appearance, restrictions to certain tool functionality and limitations on amount of data that can be viewed via a mobile device (for example, no 3D capability). To access greater levels of functionality on a mobile device users can switch to the Desktop version in browsers that support this functionality. The capability of the chosen mobile device will govern speed/data.
Service interface
Description of service interface
The services interface is a map or dashboard, with controls designed for ease of use and user friendliness. The map is fully interactive (pan, rotate, zoom) and layers can be switched on or off as required, to give greater amount of geospatial detail or to hide unnecessary information as required.
Accessibility standards
WCAG 2.1 A
Accessibility testing
No testing undertaken.
Customisation available
Description of customisation
Views of information (as opposed to the service itself) can be customised - users can change the base map, expand/collapse layers and switch layers on or off. Users can also show the legend, take measurements and search for locations. All customisation is undertaken within the browser environment, using the interface provided within our service (pre-configured to meet specific client requirements)

All user can customise to this extent; additional customisation would incur further cost.


Independence of resources
The service is installed on our Azure cloud and scales to handle peaks and troughs in demand, with dedicated resources allocated. We monitor the demand on the service and adapt and flex the system according to bandwidth, storage or additional users.


Service usage metrics
Metrics types
Service metrics can be provided on demand in the form of a dashboard.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Costain encrypts all staff machines using Microsoft Bitlocker and all Azure Servers are built with encrypted disks to ensure Data at Rest is protected.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can take screen captures and create PDFs - for other data extraction requirements we will agree a scope, price and delivery mechanism for the data with clients on a case by case basis.

End of contract data extraction requirements and scope (or deletion, as appopriate) will be agreed with each client upon entering into a contract.
Data export formats
Other data export formats
  • PNG
  • JPEG
Data import formats
  • CSV
  • Other
Other data import formats
  • GeoJSON
  • Shapefile .shp
  • Excel .xls

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Costain uses Microsoft365 with TLS 1.2+ to protect data at transit, we also have Microsoft Cloud App Security Broker deployed to monitor data within the network. Costain also uses encrypted VPN connections for when staff are out of the office and needs to communicate back to the corporate network.

Availability and resilience

Guaranteed availability
Costain uses Microsoft Azure to underpin most of our services, and the inherent resilience that Azure provides is built-upon by us to provide various, bespoke levels of high-availability depending on the requirements of a particular client or service.
Approach to resilience
Costain uses the Azure UK West and UK South datacenters, to provide resilience as well as data residency assurance. In addition to the regional pairing that Azure storage provides to ensure resilience during datacenter failures, Costain also utilises application resiliency in Azure through a mixture of virtual machine pairing, load balancing devices and data replication across UK datacenters.
Outage reporting
Costain uses a number of alerting methods (including but not limited to such things as email, SMS, auto-ticket generation) depending upon the requirements of a particular client or service.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Costain uses Role based Access so any administrative tasks are used by admin accounts rather than standard user accounts and these are individual and not shared. Costain also force all Azure admins to use MFA to help protect the account.
Costain uses Thycotic Privledge Access Management to audit and control any administrative work that is required to be carried out.
Costain also ensures all default accounts on devices are changed to a secure complex password.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institute (BSI) Certification No. IS557983
ISO/IEC 27001 accreditation date
January 2020 with annual review
What the ISO/IEC 27001 doesn’t cover
Non-production corporate environments and project/development/research environments owned by our own Complex Delivery projects. All controls listed in ISO27001 Annex A are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
CyberEssentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO22301, CyberEssentials Plus
Information security policies and processes
Costain’s internal Information Security and Data Protection policy (published on our Intranet and underpinned by mandatory information- and cyber- security online training modules) summarises Costain’s strategy and can be provided on request. This is reviewed bi-annually via a committee which includes board-level representation.

Costain operates a company-wide information security management system which is certified to ISO 27001: 2013 with BSI Certificate No: IS557983.

Costain’s information security policy is designed to ensure that:

Information will be protected from unauthorised access;
Confidentiality of information will be assured;
Integrity of information will be maintained;
Information is made available to authorised persons;
Regulatory and legislative requirements will be met;
Business Continuity plans will be produced, maintained and tested;
Information security training will be available to all staff and is mandatory in order to continue accessing IT systems;
All breaches of information security, actual or suspected, will be reported, investigated and resolved;

Additionally, Costain are accredited to Cyber Essentials Plus, Certificate No: 8033978929854206.

Costain are a member of the National Cyber-Security Council’s (NCSC) Cyber-Security Information Sharing Partnership (CiSP), which ensures that we keep abreast of the dynamic nature of cyber and information security risks.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
End-User Computing (EUC) – Costain operate a standard-image process for ensuring a consistent configuration of desktops and laptops. This includes removing/disabling unnecessary components in order to more fully harden the device against security threats.

Server/Infrastructure – these are deployed via image templates, again in order to provide standard configuration and attack-surface reduction.

Costain operates an ITIL-based Change Management process to ensure that changes to these baseline configurations (and other systems) are sufficiently assessed and appropriately authorised.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All operating systems and key applications (both Microsoft and non-Microsoft) are patched automatically within 30 days of updates/patches being released by the vendor (14 days for critical security updates).

Servers and end-user computing operating systems are updated to be no more than 12 months behind the latest vendor release.

Penetration tests are performed by an independent CREST-accredited company (provider is rotated regularly) on an annual basis, and also whenever key systems are upgraded or introduced.

Vulnerability scans using an automated system (Nessus) are run regularly to ensure our security posture is appropriate across all applications, systems and devices.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use a 3rd party managed SOC (Secure Operations Centre) where all of systems feed into. The SOC filters the events using AI and ML to correlate events and priorites them accordingly. They deal with Priority 2-4 (the lower categories) - P2 notifies Costain and P1 (most critical) are passed to Costain and we work jointly with the SOC to resolve the issue (with the ability to bring staff in from the SOC). We have SLAs with the SOC. P1 is responded to within 4 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have pre-defined processes and process maps for common events with 100+ different processes designed to respond proactively to user reporting. These are handled internally by our Resolver Group (Service Desk, Infrastructure Team, etc.). Users report incidents via a ServiceNow portal (logging tickets) or call our internal Service Desk. We also have self-service portals for simple queries (e.g. password reset). Major incidents (e.g. Outages) are logged as high priority ticket and our IT Operations Manager requests an incident report from the relevant Team Leader (root cause, remediation to prevent re-occurence). We provide user notification upon service resumption.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£4,700 to £25,000 a unit
Discount for educational organisations
Free trial available
Description of free trial
Full functionality for a limited time

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.