Mott MacDonald Limited

Merlin (strategic issue management service)

Mott MacDonald’s Merlin is a flexible web browser-based issue, crisis and major event management tool enabling strategic collaboration between teams in coordinating city or event operations. Merlin provides the ability to quickly share knowledge, implement coordinated responses to issues, maintain cohesive and clear map-based and tabular views for relevant stakeholders.


  • Issue management including capturing all relevant history.
  • Interactive mapping, supporting geospatial analysis.
  • Document storage, providing access to contingency plans.
  • Stakeholder dashboard, providing a shared status of all issues.
  • Planned event management, enabling impact assessment during crises.
  • Routine and ad-hoc reporting, encouraging information sharing.
  • Full audit trail, supporting post-incident analysis.
  • Secure role-based access from any standard web browser.


  • Internal and external access allows information to be quickly shared.
  • All data stored centrally and safely, reducing administrative overhead.
  • Enables informed decision making and ensures teams are kept up-to-date.
  • Supports cross-organisational collaboration improving communication.
  • Supports rapid and appropriate response and recovery.
  • Fully accessible by desktop, tablet and mobile device.
  • Developed closely with clients and major recent events.
  • Advanced filtering and sorting to find incidents quickly and easily.


£34200 per instance

Service documents

G-Cloud 11


Mott MacDonald Limited

Samantha Lottering-Geeson

+44 (0)141 222 3798

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints None
System requirements Approved web browser version

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response times: GOLD Support: 1 support hour | SILVER Support: 4 support hours | BRONZE Support: 8 support hours
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Standard Support: 08:30-17:00 weekdays (excl. bank holidays) | Enhanced Support: 24x7 (by agreement)

Support costs and further details are included in our Service Description and Pricing documents.

We will provide a technical project manager/account manager.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Following agreement of contract, the following onboarding process will be undertaken:

● Initiation of project management methodology
● Clarification session on configuration requirements held on customer premises
● Templates provided for customer data inputs, such as user accounts, organisation names and map data
● Hosting setup and configuration
● Service configuration and commissioning
● Support setup

User training can be provided in the form of classroom-based, hands-on training. User training is provided as a half-day session at the buyer's premises. During such training, users are provided with instruction in using all aspects of the system as an end-user. Attendees are provided with electronic course materials.

Train-the-trainer training can be provided in the form of classroom-based, hands-on training. Train-the-trainer training is provided as a full-day session at the buyer's premises. During such training, trainers are provided with instruction in using all aspects of the system as an end-user, as well as in the underlying system principles, allowing them to confidently provide training and guidance to the ultimate end users. Attendees are provided with electronic course materials. Train-the-trainer training is priced as a unit of five attendees.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction As part of the offboarding process, Mott MacDonald will provide the customer with an extract of all customer data stored in Merlin. This will be provided in Comma Separated Value files. All hosted data will then be securely deleted from the server prior to decommissioning of the service.
End-of-contract process The system will be decommissioned and an export of the data will be provided as part of the contract.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
Application to install No
Designed for use on mobile devices No
Service interface No
Customisation available No


Independence of resources Independent cloud infrastructure is supplied for each client instance to prevent one client service impacting another. Preventative health checks and network checks are undertaken daily for each system to ensure a high level of service at all times.


Service usage metrics Yes
Metrics types Fully audited system recording user access and all changes to data.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency Less than once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach The data stored in Merlin is accessible to users through the application at any time they require. If an export is required it can be provided by the support team. A full export of the data would be provided at the end of the contract as part of the offboarding process.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Service levels can be defined on a client by client basis as part of the call-off arrangements.
Approach to resilience Resilience level is dependent on host service support selected.
Outage reporting Outages are reported internally to our helpdesk, who coordinate and escalate to project managers as required to liaise with client representatives.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Limited access over dedicated link, enterprise or community network.

Username and strong password/passphrase enforcement.

The system supports different roles and responsibilities with respect to access to data held within the system.

Accounts and roles will be assigned to individuals.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL
ISO/IEC 27001 accreditation date 10/5/2019
What the ISO/IEC 27001 doesn’t cover N/a
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials Plus
  • Certified Information Systems Security Professional (CISSP) staff

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Our cloud services are managed under Mott MacDonald's Information Security Management System (ISMS) which is independently audited and certified under ISO27001:2013.

Project Managers are responsible for their Projects’ Security Incident Management for systems that are not connected to Group IT systems. All projects must complete an Information Security Risk Assessment (ISRA) as part of our Project Plan of Work (PPW), which must review risks and provide mitigation strategies.

All serious information security incidents (actual or perceived) must be immediately reported to the Director Business Management Systems and Risk who will form a Response Team and Plan to deal with the situation.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our configuration and change management processes are documented as procedures complying with both ISO9001:2015, TickITPlus and potential security impacts through ISO27001:2013. TickITplus covers our expertise in project management, technical and advisory services in transport engineering, system integration and the development of associated software to Government, Local Authority and the Private Sector. Management and mitigation of risk is an integral part of our system and is monitored and reported through a set of mature project governance procedures designed to identify risks and mitigate against them as soon as possible.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We maintain a broad awareness of cyber threats and techniques by:

• Subscribing to numerous vulnerability and security alert sources e.g.
o Redhat security advisories
o Microsoft security advisories
o Oracle Java advisories
o Cisco security advisories
o General alerts:
 CERT-UK alerts
 US CERT alerts
 News sites
 NCSC threat reports

For specific platforms, we use analysis and reporting tools as one means of keeping track of implementation issues e.g.

• scap-workbench with various profiles.
• OpenVAS mailing list:
• NVT Feed:
Protective monitoring type Supplier-defined controls
Protective monitoring approach We use a number of tools and techniques to monitor systems for signs of compromise:
• Regular network penetration test scans to detect potential vulnerabilities;
• host-based intrusion detection;
• network firewall;
• Web application firewall where justified by the risk assessment; and
• comprehensive system and network monitoring using OpenNMS to detect log events and service issues.
We treat a potential compromise as an information security incident and respond using our Business Management System STEP procedure which details the process for dealing with an information security incident.
Incident management type Supplier-defined controls
Incident management approach External users can report incidents by contacting our Help Desk by phone or email. Internal users use our ServiceNOW system to report information security incidents.
We treat a potential compromise as an information security incident and respond using our BMS STEP procedure, complying with ISO 27001, which details the process for dealing with an information security incident.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £34200 per instance
Discount for educational organisations No
Free trial available No

Service documents

pdf document: Pricing document pdf document: Skills Framework for the Information Age rate card pdf document: Service definition document pdf document: Terms and conditions pdf document: Modern Slavery statement
Service documents
Return to top ↑