Softcat Limited

Cherwell Service Management

Cherwell Service Management is a powerful, modern IT service
management (ITSM) software solution based on codeless architecture that
provides organisations the flexibility needed for rapid configuration and
customisation, minimal overhead, and frictionless upgrades—at a fraction
of the cost and complexity associated with legacy ITSM tools.


  • 11 ITIL Processes
  • Service Desk
  • SelfService Portal
  • Dashboards & Reporting
  • Modern, Codeless Architecture
  • Service Integration and Management
  • Configuration Management Database (CMDB)
  • Application Dependency Mapping
  • Cherwell Asset Management (CAM)
  • mApps (Mergeable Applications)


  • Take advantage of eleven ITILverified processes OOTB.
  • Single point of contact for the business.
  • Provide business customers with a bestinclass user interface.
  • Real time reporting to provide efficiency in service delivery.
  • Cherwell’s codeless design architecture provides easy integration and seamless upgrades.
  • SIAM functionality is embedded within the core content of CSM.
  • Enabling organisations to better assess risk and impact
  • Minimise downtime, improve change outcomes, and inform decisionmaking.
  • Cherwell Asset Management integrates seamlessly with Cherwell Service Management.
  • Cherwell mApp's provide ITSM enhancements, integrations and Applications


£804 to £1044 per licence per year

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 9


Softcat Limited

Charles Harrison


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints Maintenance is performed on a monthly basis. Maintenance windows
are established by Cherwell and communicated to the customer at the
start of the new calendar year. A notification of upcoming maintenance
will be sent out one week ahead of the scheduled time and on the day
of the maintenance via email.
System requirements
  • IE10+,Microsoft Edge, Mozilla Firefox 27+, Safari 5.0+, Google Chrome 32+
  • Microsoft Windows 7 SP1, 8/8.1, 10

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Cherwell Support is available 24 hours a day Monday through Friday. We will
provide 24x7x365 support for all Priority 1 Incidents. Incident Response time
expectations. Priority 1, Critical Severity Level, 2 Clock hours Priority 2, High
Severity Level, 4 Business hours Priority 3, Normal Severity Level, 1 Business
day Priority 4, Low Severity Level, 2 Business days
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support No
Support levels Cherwell Support is designed to assist customers with specific product issues resulting from the normal use of the Cherwell Service Management software* on supported platforms, and to provide resolutions/ answers to those issues or questions. Cherwell is dedicated to partnering with customers to answer questions and resolve issues. Customers are expected to properly install, implement and use the software and comply with reasonable troubleshooting tasks as recommended by the Cherwell Support team. Cherwell Support’s
primary responsibilities are:
• Troubleshooting issues related to the Cherwell Service Management software when unexpected results occur
• Reproducing product defects and providing assistance in alternative solutions or workarounds to help maintain stability until such time as a defect is addressed/corrected
• Assisting with software maintenance updates and upgrades that offer solution fixes and minor or major product releases
Cherwell’s support analysts are trained to support the licensed software and may not possess the qualifications to support Incide Cherwell provide 3 levels of support which are all included within a subscription concurrent license. For perpetual licenses, support and maintenance is charged annually. Cherwell provide a dedicated Account Manager at no extra cost.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started The core success of implementations starts with trained professionals. Cherwell University delivers training solutions for individuals and businesses from large enterprises to small organisations, in multiple learning formats. Whether they are new to the industry or an established professional, Cherwell’s training options will give our customers the product expertise they need to succeed. Trained professionals deliver results, across the business, using their newly gained knowledge and expertise with the design, implementation, administration, and support of Cherwell Service Management solutions. Cherwell University
provides training options via onsite (Cherwell/Customer), online
(Self Paced/Virtual Led) and user documentation. Cherwell recommends the foundation course for potential power users/administrators which is a 4.5 day instructorled training course. This enable customers to learn about the highlights of CSM including: The webenabled selfservice portal, configuration using Cherwell Codeless Business Application Technology (CBAT), metrics and reporting and realtime dashboards. Course Objectives include: Navigate and use the basic functionality in
CSM effectively. Evaluate the default content in CSM. Make considerations for specific modifications to the OOTB content.
Create a list of questions and considerations for your selfservice
portal. Create simple dashboards and reports. Start filling out your
Preparing to Implement Guide and to discuss the implementation
with your consultant.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats Online
End-of-contract data extraction Termination of this Addendum shall not terminate the Agreement
nor Customer’s right to use the Licensed Software as set forth in
the Agreement. Termination of this Addendum will likewise not
obligate Cherwell to reinstall the Licensed Software on
Customer’s own systems or premises or provide professional or
“migration” services related thereto, except as mutually agreed
upon by the parties. Upon termination of this Addendum,
Customer will have 30 days to request a copy its data, and if
requested, Cherwell shall provide such data in an industrystandard
format such as a XML or .csv file. After the 30day
period, Cherwell has no obligation to maintain or provide
Customer Data and will destroy all Customer Data in its
possession or under its control in accordance with industry
standard data destruction methods, unless such destruction is
legally prohibited
End-of-contract process Effective Date. This Addendum is effective as of the Effective
Date of the Agreement and the initial term of this Addendum shall
be one year, unless otherwise agreed to in writing by the parties.
Following the initial term, Customer may renew this Addendum for
one or more additional one year terms by providing notice to Cherwwll. Payment by Customer of Cherwell’s renewal invoice for the hosting service fees, which will be sent to Customer at least 30 days prior to the end of any term, shall constitute notice of Customer’s election to renew. Termination. Customer may terminate this Addendum at any time, without cause, by providing written notice to Cherwell, but this does not entitle Customer to any type of refund. Either party may terminate this Addendum upon written notice to the other party if the other party fails to cure a material breach of this Addendum within thirty (30) days of
written notice of the breach from the terminating party. Upon termination by Customer for an uncured breach by Cherwell, Cherwell will pay Customer a prorata refund of any prepaid but unused hosting fee, plus any unpaid service credits payable to Customer.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install Yes
Compatible operating systems
  • Android
  • IOS
  • Windows
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Cherwell Mobile is a mobile platform that provides access to CSM via
mobile devices, either through native applications or appropriate browser support. Cherwell Mobile runs on a variety of mobile devices so that realtime CSM data can be accessed and updated anytime, anywhere by a CSM User. Features include:
•Mobile Records
•Mobile Forms
•Mobile Dashboards
•Mobile Alerts
•Mobile Pinboards
•Mobile searching for records
•Mobile drilldown into Dashboard Widgets and record data
•Mobile Actions/OneSteps
•Mobile camera to view/attach photos to records, and scan barcodes
•Mobile record Attachments to view files
•Mobile record mapping and location awareness
Accessibility standards None or don’t know
Description of accessibility To support Users with disabilities, many Browser Client and Portal
features are accessible using a keyword and screen reader. Web pages
are completely accessible using keyboard navigation only, without the
use of a mouse. Font size can be made larger or smaller. Form design,
Portal layout etc. is 100% configurable. Text can be accessed using
assistive technologies that provide audio output, highlighting. All form
controls and fields have associated text label elements. Foreground and background colour combinations provide sufficient contrast for people with low vision, including elders. Text equivalents are supplied for all nontext
Accessibility testing The Web Applications have been tested with NVDA (NonVisual Desktop
Access), but other screen readers may provide full or partial capabilities
with CSM. For best results with keyboard navigation, use Chrome web
What users can and can't do using the API The Cherwell REST API provides programmatic access to many CSM
functions via an HTTPbased RESTful API. Operations are available for:
•Finding, creating, and updating Business Objects
•Finding and running search queries
•Managing Users
•Getting Mobile Forms The REST API
Discovery Tool provides comprehensive API documentation with an
intuitive user interface that enables you to discover and test operations using your CSM data. The Cherwell REST API supports basic CRUD (create, read, update, and delete) operations on all Business Objects.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources At the data centre, each customer has their own dedicated front end server with an installation of Cherwell Service Management, and their own SQL database with unique access control — ensuring that the customer’s data is completely isolated. Hostbased firewalls isolate communications from all other servers and VPN endpoints. Each server has hostbased intrusion detection, intrusion prevention and antivirus/antimalware agents installed. Cherwell monitor resource usage of all customer servers and will dynamically modify resources as required.


Service usage metrics Yes
Metrics types The CSM License Usage mergeable application (mApp) provides
functionality that allows you to track Cherwell Service Management® license data related to the number of total licenses, used licenses, and remaining licenses. It also allows you to track usage counts for features that do not require a license, such as the Dashboard Viewer. Use the CSM License Usage Form to view, manage, and track usage data. Performance status reports are available upon request. These reports include the following metrics:
• Performance
• Average processor
• Average memory
• Average network
• Database size
• Uptime Statistics
Reporting types
  • Real-time dashboards
  • Reports on request


Supplier type Reseller (no extras)
Organisation whose services are being resold Cherwell

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Managed by a third party
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Other
Other data at rest protection approach Cherwell provides the option for customers for additional cost to use Transparent Data Encryption (TDE) to perform real time I/O encryption and decryption of data and log files.
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Users can export data from CSM using a variety of methods. Grids displaying data from search results can be easily exported to a flat file such as (csv, txt, rtf, xml, htm, html). Users can export report data manually or automated to the following formats. ((csv, txt, rtf, xml, htm, html, PDF, Image ). Use the Export Data option in CSM Administrator to export a selected CSM Database to a compressed Cherwell Archive Repository (.czar) file. Export a/an:
•Single Business Object.
•Entire system (full backup). •Log file to capture the details of the database export.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability The Licensed Software shall be available 99.98% of the time per
month, except for Excused Outages. Excused Outages are defined as
unavailability of the Licensed Software caused by (i) Scheduled
Maintenance, as defined below; (ii) Customer’s systems or
Customer’s actions or inactions; and (iii) circumstances beyond
Cherwell’s control or the control of Cherwell’s authorised agent or
service provider, including without limitation, acts of God, acts of
government, flood, fire, earthquakes, civil unrest, acts of terror, strikes
or other labour problems, and equipment and telecommunications
failures, delays, attacks or intrusions that are external to the Cherwell
hosting environment and/or otherwise not reasonably under
Cherwell’s control, provided Cherwell or its authorised agent or
service provider takes reasonable and commercial care to prevent
such failures, delays, attacks or intrusions. In the event the Licensed
Software is not available as set forth above, Customer shall be
entitled to a Service Credit equal to the value of the down time (on a
prorata basis, using Customer’s annual subscription fee or annual
hosting fee, as the case may be) applied as a credit on Customer’s
next invoice.
Approach to resilience Information is available on request.
Outage reporting Notifications will be sent upon discovery of a service outage via email.
Notifications will include a recovery time estimate. Upon resolution of the outage, an additional notification will be sent advising the customer that the services have been restored. A postoutage incident review will be conducted, and the findings, including any remediation steps, will be sent to the customer via email.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Access to the hosted environment is restricted using a private, ondemand VPN by Cherwell Datacentre Administrators to manage the
datacentres. Hosting service provider employees do not have direct
access to Cherwell servers or to customer data. They maintain the
physical infrastructure and managed services only, and are under strict
contractual agreement not to access customer data. The concept of
least privilege is also practiced and enforced:
• All computers are domain joined, and security policies are enforced via group policy and scripts.
• Cherwell’s password policy employs twofactor authentication.
• Static accounts are only on certain networking devices where required.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations Yes
Any other security accreditations RC please complete

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance accreditation Yes
Security governance standards ISO/IEC 27001
Information security policies and processes ADCON/TACON is under VP of IS/IT OPCON under ISMS Committee Chair/ General Council.

We use KPI’s to monitor in addition to auditing and training

EU Data Privacy Shield, State Data privacy laws, ITAR, GLBA and Country Laws,.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All production hosted environments follow a strict change control process where the risk of any change is evaluated against the business justification. Change requests are reviewed to receive appropriate authorisation prior to the scheduled change. This includes a two review process and a postimplementation review. A Change Control Board manages the change process and is made up of representatives from Support, IT SaaS, and Security. The Change Control Board is chaired by the VP of IT and Security.
Planned, unplanned, emergency, and exception changes to existing Cherwell SaaS infrastructure are authorised, logged, tested, and approved in accordance with best practices.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Cherwell performs continuous monitoring to identify vulnerabilities,
maintain security, and protect customer data from security breaches. Cherwell’s Security team has dedicated resources to monitor security technologies for anomalies and suspicious behaviour, triaging events before escalating to Cherwell’s Computer Incident Response Team (CIRT). Emergency patches or zeroday security risks are evaluated prior to installation outside of the maintenance windows. Security patches are applied to the hosted environment during the monthly maintenance timeframe. Cherwell applies approved critical and recommended patches, as well as third party patches, and checks for successful application of the patches using an automated patch manager.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We use OSINT, as well as standard security tools such a to generate SIGINT from SEIM, IPS/IDS, AV/AntiMalware, and a MSSP to watch and alert when events are triggered. We follow standard SANS best practices and we respond as quickly as the threat warrants.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach We have predefined processes for common events and train the
CIR Team regularly to handle uncommon items. Users report incidents through email, phone, or in person. Incident reports are provided through secure means

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £804 to £1044 per licence per year
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Cherwell can offer hosted evaluation environments which would
be an exact replica of the same environment if the user was a
customer and include the same functionality and platform
capabilities. Typically the trials are arranged on a limited time
period agreed between Cherwell and the prospect.


Pricing document View uploaded document
Terms and conditions document View uploaded document
Return to top ↑