Ivar Jacobson Consulting Limited


Enabling the definition, tailoring, internal publication and communication of your Corporate IT Development Methods and Practice standards. Supplied preloaded with starter Methods and Practice Sets including - AGILE ESSENTIALS - AGILE AT SCALE ESSENTIALS - ESSENTIAL UNIFIED PROCESS. A must for organisations struggling for method excellence / improvement.


  • Agile Essentials - Practice Pack (AE)
  • Agile at Scale - Practice Pack (AAS)
  • Essential Unified Process - Practice Pack (EUP)
  • Practice Library (Preloaded with AE, AAS, EUP and extensible)
  • Practice Workbench (Amend and bespoke your own Methods)
  • Alpha State Cards and Games
  • Alpha State Explorer App


  • Create modular IT practices to then independently select and apply
  • Create ‘pluggable’ practices from different sources
  • Build extensible practice libraries
  • Present ‘modularized’ processes that consist of connected modular practices
  • Select the appropriate practices to achieve the best business results
  • Rapid health and progress feedback
  • Way of working transparent to meet regulatory & compliance requirements
  • Change out practices to respond to changing demands


£11500 per licence per year

  • Education pricing available

Service documents

G-Cloud 9


Ivar Jacobson Consulting Limited

Richard Lindsay

0207 953 9784


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Private cloud
Service constraints Yes: Please refer to terms and conditions document
System requirements
  • Microsoft Windows 7
  • Microsoft Windows 10
  • Mac OS X 10.10 Yosemite (or later) desktop clients

User support

User support
Email or online ticketing support Email or online ticketing
Support response times ASAP with reasonable effort
User can manage status and priority of support tickets No
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Please refer to Terms and Conditions, Schedule A: Maintenance and Support
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Through support and help documentation
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Download from service
End-of-contract process Service terminates (please refer to Terms and Conditions)

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • MacOS
  • Windows
Designed for use on mobile devices No
Accessibility standards None or don’t know
Description of accessibility Users access the service via default Website (Drupal generated) renditioning.
Accessibility testing None to-date. Our service is constructed using Drupal.

Drupal is an accessible tool for building websites that can also be accessed by people with disabilities. Drupal is committed to ensuring that all features of Drupal core conform with the World Wide Web Consortium (W3C) guidelines: WCAG 2.0 and ATAG 2.0.
Customisation available Yes
Description of customisation By default Practice Libraries for:

1. Agile Essentials
2. Agile at Scale Essentials
3. Essential Unified Process
4. AgilePM and Digital Services” (AgilePMDS)

are supplied.

User can use the Practice Workbench tool to tailor theses practice or to created their own unique practices.


Independence of resources Upgrades to the hosting service can be enabled if required by demand. Upgrades to the hosting service being a separately quotable option.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Pantheon Hosting Services

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Download from service
Data export formats Other
Other data export formats
  • HTML
  • PDF
  • ZIP
  • DOCX
Data import formats Other
Other data import formats
  • HTML
  • PDF
  • ZIP
  • DOCX

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability No specific level guaranteed.
Approach to resilience Data backup service, https/ssl encryption, content delivery network
Outage reporting General service availability report

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Users must provide a valid user name and password
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information No audit information available
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Secure Infrastructure, Resource Isolation, One-Click Core Updates, Network Intrusion Protection, Denial of Service Protection, Anti-Malware, Datacentre Security, Redundancy, Content Durability, Backups, Disaster Recovery

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach The implementation of the Practice Exchange service in terms of Drupal configurations and source code is version controlled using the Git system (https://en.wikipedia.org/wiki/Git ) and common version control best practices are adopted. All team members accessing and contributing to this system are authenticated and authorized. Using this system, there are three instances of the Practice Exchange service: development, testing, and production instances. Any changes are assessed in the development and testing instances before they are deployed into production.
Our change management feature allows site owners to manage organization-wide settings and selectively grant or deny developer access to deploy to production.
Vulnerability management type Undisclosed
Vulnerability management approach The Practice Exchange service is built on Drupal (www.drupal.org) and security vulnerabilities are thereby handled according to Drupal best practices. Security updates and corresponding “patches” are continuously deployed when made available; this is done as soon as possible and with reasonable effort. The primary source of information regarding threats is the official Drupal security updates.
In addition, we periodically deploy new container host instances with the latest supported kernel, OS and packages. Containers are migrated to the updated instances automatically.
Protective monitoring type Undisclosed
Protective monitoring approach The intrusion prevention system (IPS) in use provides an additional layer of protection against vulnerabilities by using a x.509-based public key infrastructure to provide authentication and encryption.

IPS runs for any services with user-chosen passwords, detecting failed logins via multiple ingress points. At the server layer, IPS detects and prevents unauthorized host access. A logging infrastructure records the identity of blocked accounts for later investigation. Security logs from the servers are centrally collected, processed and stored for a year. Responses to incidents are handled on an ongoing basis, as soon as possible and with reasonable effort.
Incident management type Undisclosed
Incident management approach Security incidents are communicated to affected parties as soon as possible. Incident reporting is primarily done through the support channel (and email) for the Practice Exchange service. There is a pre-defined “process” for all events, but no particular process for some (or common) events.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £11500 per licence per year
Discount for educational organisations Yes
Free trial available No


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑