Costain Limited

Carbon Insights - Standard

An estimating tool for embodied carbon and associated cost for people with limited or no previous experience of carbon management.


  • Carbon data management
  • Clear and insightful carbon and cost visualisations
  • Embodied carbon calculations
  • Automated carbon and cost calculations and reporting
  • Hot-spotting carbon and cost to support decision making
  • Links to Building Information Modelling (BIM)


  • Enabling carbon reduction and cost savings
  • Recommendations for low-carbon solutions
  • More efficient carbon management
  • Adaptable in line with project requirements


£15,000 to £250,000 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

5 5 9 3 0 6 9 4 2 6 6 9 2 8 7


Costain Limited Tim Ellis
Telephone: 01628842444

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Currently works with Candy but can be reconfigured to work with other estimating systems.
Cloud deployment model
Private cloud
Service constraints
Requires standardised work/cost breakdown structures OR the adoption of Costain's estimating procedures. To use the tool you don't require an estimating package, but the output is currently delivered via Candy (can be reconfigured to other estimating systems)
System requirements
  • Microsoft Windows
  • Minimum 8Gb RAM
  • Minimum 100Gb storage
  • Modern web browser
  • Microsoft Excel

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support calls are categorised by urgency and assigned with a corresponding priority, according to impact and severity. Priority is ranked on a scale of 1 to 4, where 1 is most critical.

Response times are:

Priority 1 - 1hr response, 4hr resolution
Priority 2 - 2hr response, 8hr resolution
Prioirty 3 - 24hr response, 48hr resolution
Priority 4 - 24hr response, 168hr resolution

Service times are 9.00am to 17.00 (UK time), Monday to Friday.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Costain provides support and maintenance services, managed and certified to the ISO20000 Service Management standard. This ensures that we can focus on delivering value by being agile and flexible in meeting our clients service needs, whilst continually monitoring and improving our service provision.

Our standard support times are 0900 - 1700 (UK), Monday-Friday and our service desk can be contacted via phone or dedicated gcloud email address (

All service staff are ITIL trained and we follow both the best practices set out by ITIL and required by our ISO certification.

We provide: Mature Service Management process aligned with ISO2000 and ITIL; Service and contract management with dedicated service managers; Service level management and ability to work with clients to design services and define appropriate service requirements; Service management reports and KPI management; ESCROW services to ensure business and service continuity; Continual Service Improvements processes and reports.

On-site support post-handover is based upon SFIA rates.
Support available to third parties

Onboarding and offboarding

Getting started
We provide a coaching service (typically led through webinars) to help the buyer to understand the information inputs needed for the solution to work, with guidance to upload to the tool. We provide an initial level of training to help buyers with their day to day job, including interpretation of dashboard visualisations.

Documentation is provided to support the on-boarding process.

The on-boarding is further augmented by our Service Desk, through which users can log request calls which are either responded to via email or telephone, once a call has been logged and prioritised.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
Microsoft Word (.docx)
End-of-contract data extraction
Information is downloaded throughout the contract, through Excel files (estimating-package generated) and dashboards, accessed through the Costain cloud, can be exported as PDF documents.
End-of-contract process
At the end of the contract we will manage and maintain the data for a period of 3 months, unless otherwise agreed on a case by case basis. After this initial 3 month period all data, including personal data, will be destroyed. If a client wishes us to hold the data (for future use at an unknown point in time) we can agree a price to hold the data at additional cost per gigabyte.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
The services interface is a web-page that provides access to upload a Bill of Quantities, the carbon library and the resultant Insights Dashboard.
Accessibility standards
WCAG 2.1 A
Accessibility testing
No testing undertaken.
Customisation available


Independence of resources
The service is installed on our Azure cloud and scales to handle peaks and troughs in demand, with dedicated resources allocated. We monitor the demand on the service and adapt and flex the system according to bandwidth, storage or additional users.


Service usage metrics
Metrics types
Service metrics can be provided on demand in the form of a dashboard.
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Costain encrypts all staff machines using Microsoft Bitlocker and all Azure Servers are built with encrypted disks to ensure Data at Rest is protected.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Information is downloaded throughout the contract, through Excel files (estimating-package generated) and dashboards, accessed through the Costain cloud, can be exported as PDF documents.
Data export formats
  • CSV
  • Other
Other data export formats
  • .PDF
  • Excel (.xls)
Data import formats
  • CSV
  • Other
Other data import formats
Excel .xls

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Costain uses Microsoft365 with TLS 1.2+ to protect data at transit, we also have Microsoft Cloud App Security Broker deployed to monitor data within the network. Costain also uses encrypted VPN connections for when staff are out of the office and needs to communicate back to the corporate network.

Availability and resilience

Guaranteed availability
Costain uses Microsoft Azure to underpin most of our services, and the inherent resilience that Azure provides is built-upon by us to provide various, bespoke levels of high-availability depending on the requirements of a particular client or service.
Approach to resilience
Costain uses the Azure UK West and UK South datacenters, to provide resilience as well as data residency assurance. In addition to the regional pairing that Azure storage provides to ensure resilience during datacenter failures, Costain also utilises application resiliency in Azure through a mixture of virtual machine pairing, load balancing devices and data replication across UK datacenters.
Outage reporting
Costain uses a number of alerting methods (including but not limited to such things as email, SMS, auto-ticket generation) depending upon the requirements of a particular client or service.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Costain uses Role based Access so any administrative tasks are used by admin accounts rather than standard user accounts and these are individual and not shared. Costain also force all Azure admins to use MFA to help protect the account.
Costain uses Thycotic Privledge Access Management to audit and control any administrative work that is required to be carried out.
Costain also ensures all default accounts on devices are changed to a secure complex password.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institute (BSI) Certification No. IS557983
ISO/IEC 27001 accreditation date
January 2020 with annual review
What the ISO/IEC 27001 doesn’t cover
Non-production corporate environments and project/development/research environments owned by our own Complex Delivery projects. All controls listed in ISO27001 Annex A are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
CyberEssentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO22301, CyberEssentials Plus
Information security policies and processes
Costain’s internal Information Security and Data Protection policy (published on our Intranet and underpinned by mandatory information- and cyber- security online training modules) summarises Costain’s strategy and can be provided on request. This is reviewed bi-annually via a committee which includes board-level representation.

Costain operates a company-wide information security management system which is certified to ISO 27001: 2013 with BSI Certificate No: IS557983.

Costain’s information security policy is designed to ensure that:

Information will be protected from unauthorised access;
Confidentiality of information will be assured;
Integrity of information will be maintained;
Information is made available to authorised persons;
Regulatory and legislative requirements will be met;
Business Continuity plans will be produced, maintained and tested;
Information security training will be available to all staff and is mandatory in order to continue accessing IT systems;
All breaches of information security, actual or suspected, will be reported, investigated and resolved;

Additionally, Costain are accredited to Cyber Essentials Plus, Certificate No: 8033978929854206.

Costain are a member of the National Cyber-Security Council’s (NCSC) Cyber-Security Information Sharing Partnership (CiSP), which ensures that we keep abreast of the dynamic nature of cyber and information security risks.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
End-User Computing (EUC) – Costain operate a standard-image process for ensuring a consistent configuration of desktops and laptops. This includes removing/disabling unnecessary components in order to more fully harden the device against security threats.

Server/Infrastructure – these are deployed via image templates, again in order to provide standard configuration and attack-surface reduction.

Costain operates an ITIL-based Change Management process to ensure that changes to these baseline configurations (and other systems) are sufficiently assessed and appropriately authorised.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All operating systems and key applications (both Microsoft and non-Microsoft) are patched automatically within 30 days of updates/patches being released by the vendor (14 days for critical security updates).

Servers and end-user computing operating systems are updated to be no more than 12 months behind the latest vendor release.

Penetration tests are performed by an independent CREST-accredited company (provider is rotated regularly) on an annual basis, and also whenever key systems are upgraded or introduced.

Vulnerability scans using an automated system (Nessus) are run regularly to ensure our security posture is appropriate across all applications, systems and devices.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use a 3rd party managed SOC (Secure Operations Centre) where all of systems feed into. The SOC filters the events using AI and ML to correlate events and priorites them accordingly. They deal with Priority 2-4 (the lower categories) - P2 notifies Costain and P1 (most critical) are passed to Costain and we work jointly with the SOC to resolve the issue (with the ability to bring staff in from the SOC). We have SLAs with the SOC. P1 is responded to within 4 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have pre-defined processes and process maps for common events with 100+ different processes designed to respond proactively to user reporting. These are handled internally by our Resolver Group (Service Desk, Infrastructure Team, etc.). Users report incidents via a ServiceNow portal (logging tickets) or call our internal Service Desk. We also have self-service portals for simple queries (e.g. password reset). Major incidents (e.g. Outages) are logged as high priority ticket and our IT Operations Manager requests an incident report from the relevant Team Leader (root cause, remediation to prevent re-occurence). We provide user notification upon service resumption.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£15,000 to £250,000 a unit
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.