Consult SMB Limited

NHS Website Design, Development and Hosting

CSMB's website design services include the planning, design, build, configuration and management of websites and online applications delivered in the cloud on a Content Management System you control. CSMB work to understand your business drivers, target audiences and objectives thus helping our clients deliver the best possible first impression.


  • Website & Brand Design
  • Website Development
  • Website Hosting & Support
  • Fully Responsive Website Working Across Desktop, Tablets and Mobiles
  • Testing Across all Browsers & Devices
  • Fast & Agile Project Delivery
  • Online Enquiry & Other Forms, Questionnaires, Surveys & E-Commerce
  • Flexible User Security & Publishing Rights Giving You Full Control
  • Umbraco Content Management System
  • Tier 1 UK Based Data Center for Hosting and Support


  • Experiences Delivery Team
  • Custom Design Helping You Stand Out
  • Easily Update & Manage Your Website 24/7
  • Projects Are Delivered On Time & On Budget
  • Range Of Support Options Available


£350 to £750 per person per day

  • Education pricing available

Service documents


G-Cloud 11

Service ID

6 9 2 8 6 8 0 1 7 9 7 0 8 4 3


Consult SMB Limited

Stephen Bear


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None
System requirements Windows Enviroment

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Within 1 Hour, Mon - Fri 9 am - 5.30 pm
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Users can't send and receive files or video.
Web chat accessibility testing We use a market leading web chat tool so rely on their in house testing
Onsite support Onsite support
Support levels Severity Level 1
CSMB Acknowledgement (not to exceed) One (1) hour
Resolution Plan Available (not to exceed) Four (4) hours
Resolution Target (not to exceed) Two (2) business days*

Severity Level 2
CSMB Acknowledgement (not to exceed) Two (2) hour
Resolution Plan Available (not to exceed) Eight (8) hours
Resolution Target (not to exceed) Four (4) business days

Severity Level 3
CSMB Acknowledgement (not to exceed) Three (3) hour
Resolution Plan Available (not to exceed) Two (2) business days
Resolution Target (not to exceed) Five (5) business days

Severity Level 4
CSMB Acknowledgement (not to exceed) Eight (8) hour
Resolution Plan Available (not to exceed) Four (4) business days
Resolution Target (not to exceed) as agreed by CSMB and CLIENT
*Where is it possible to resolve the issue.
Note 1: Work hours are 9.00 –17.30 Local UK Time, Monday to Friday, excluding English Public Holidays
Note 2: Apart from severity 1 calls, that will always be responded to via phone, the default response communication route will be the same as the incoming communication, unless the initial escalation request states a specific response requirement e.g. instant Message, telephones, e-mail or specific Client site contact point, etc.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Full UAT support leading into Onsite and Offsite training as well as ongoing Online training. Crib sheet documentation is also provided.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction Standard Extract tools are available for users to extract and download their data. Data can also be supplied upon request.
End-of-contract process The users terminates their contract and is free to move away without any penalty charges. If specific professional services are requested they can be purchased at the rate card prices.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service None
Service interface Yes
Description of service interface Full CMS Access
Accessibility standards WCAG 2.1 AAA
Accessibility testing Standard UAT testing
Customisation available No


Independence of resources Load balanced server environment with bandwidth which up scales on demand.


Service usage metrics No


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach There is an interface in the content management system.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Private network or public sector network
Data protection within supplier network IPsec or TLS VPN gateway

Availability and resilience

Availability and resilience
Guaranteed availability We utilise an ISO accredited cloud platform, which has been built using the latest technologies to ensure high availability and resilience across multiple UK data centres. Uptime is quoted at 99.99%. The Datacenter is ISO 27001 , ISO 14000, ISO 9001 accredited.
Approach to resilience All servers are hosted within a replicated load balanced environment. The environments are virtual allowing for rapid deployment either initially or in the event of a failure. The environment is replicated in real time to a second back up site location to allow for fail over in the event of a failure.
Outage reporting Email Alerts and Updates as well as a updating postings on the support portal.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Usernames and Passwords have roles assigned to them. These roles control the elements of the service that are made available to that user. The Support portal is also access by username and password which in turn provides the permissioned user with information, the knowledge base and gives the ability to raise a support ticket.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information No audit information available
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Whilst we don't hold a BSI accreditation, our operations and solutions are delivered in line with BSI 9001, BSI 1400 and internal audits are carried out to ensure continued adherence to these standards.
Information security policies and processes We have an in house Information Security Policy that will be provided to prospective clients upon request. The policy covers all aspects of our business, and is reviewed quarterly in our management meetings. The policy includes: Introduction, Objectives, Aim and Scope, Objectives, Responsibilities for Information Security, Legislation, Policy Framework, Management of Security, Information Security Awareness Training, Security Control of Assets, Access Controls, User Access Controls, Computer Access Control, Application Access Control, Equipment Security, Computer and Network Procedures, Information Risk Assessment, Information security events and weaknesses, Classification of Sensitive Information, Protection from Malicious Software, User media, Monitoring System Access and Use, Accreditation of Information Systems, System Change Control, Intellectual Property Rights, Business Continuity and Disaster Recovery Plans, Reporting, Policy Audit.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach All changes are managed through an internal CRM / Support Desk system. Changes are evaluated, designed, built and tested. When available for deployment, scheduled maintenance windows are created and updates are deployed, all of which are audit tracked and documented in the CRM / Support Desk system.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Penetration testing by the data center and regular firewall updates are the primary method to protect against vulnerability. Monitoring of logs gives insight into the source of potential threats, if any are identified then any recommended updates or patches are deployed as a matter of urgency. Regular internet research is also used to locate domestic and global threats.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Spikes in traffic, increases on port blocks enable us to identify potential compromises. Any identification is dealt with immediately with senior management being involved in any responses to an incident.
Incident management type Supplier-defined controls
Incident management approach We have an incident and corrective action policy which outlines the internal process for dealing with an indecent. The policy includes the escalation process, the communication process all based on a severity level. Incidents are reported via the Support portal and they are issued a severity level. Depending upon the severity level the correct escalation and response targets are assigned and then tracked against the initial support ticket that was raised. Regular updates are provided to clients for all incidents that are reported

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £350 to £750 per person per day
Discount for educational organisations Yes
Free trial available No

Service documents

Return to top ↑