Program Planning Professionals Ltd (t/a MI-GSO | PCUBED)

Pcubed / Microsoft Project Online 'PPM Accelerator', the lowest investment cost for better P3M

PPMA is Pcubed’s rapid deployment solution designed to get your organisation up and running with an end-to-end PPM / EPM platform within a short time frame at a low initial investment. It’s a fast track, fixed price, preconfigured solution using Microsoft Project Online with defined deliverables and low deployment risk.


  • Preconfigured Microsoft Project Online environment based on Pcubed's best practice
  • Envisioning workshop to determine gap analysis
  • Onsite configuration and adjustments to align with client terminology
  • Training for administrators and core resources
  • Post deployment support including a review Workshop
  • Eight automated reports and client specific report enhancements
  • All of the benefits of an online Microsoft deployment
  • Securely hosted datacentres with Security cleared, permanent employees
  • Compatible with several methodologies such as MSP, Waterfall and Agile


  • Rapid mobilisation
  • Consistent project management data and processes
  • Stay on track, on budget and in scope
  • Improved quality, timeliness and cost effectiveness
  • Enterprise-wide governance with standard gateway management
  • Project templates driving consistent planning standards and tracking
  • Built-in capabilities including project dashboards, planning, risk, and issue tracking
  • Microsoft Gold Partner with ISO 27001 certification
  • Keeps investment risk at a manageable level
  • Ensures the most expensive asset (resources) is optimally utilised


£20000 per instance

Service documents


G-Cloud 11

Service ID

7 6 6 4 2 9 8 1 8 2 9 1 6 3 6


Program Planning Professionals Ltd (t/a MI-GSO | PCUBED)

Mark Sorrell

020 7462 0100

Service scope

Software add-on or extension
What software services is the service an extension to
Microsoft Project Online
Cloud deployment model
Public cloud
Service constraints
There are no other foreseeable constraints to the Services (e.g. maintenance windows, level of customisation permitted, schedule for deprecation of functionality/features etc.)
System requirements
  • Microsoft Internet Explorer Version 10 or later, Firefox, Chrome, Safari
  • The consumer must have the ability to access internet
  • Log in accounts (licences)

User support

Email or online ticketing support
Yes, at extra cost
Support response times
Service-desk runs during UK office hours 9-5pm Mon-Fri.

Severity 1; Urgent - A full system outage (Support Manager)
Severity 2; High - A major element of the solution is not working at all(Support Manager)
Severity 3; Normal - A single or small element of the solution is not working and affecting a number of users (Support/Delivery team)
Severity 4; Low - problem which is affecting limited numbers of users (Support/Delivery team)

Response times:
Severity 1: 1 hour-respond, 8 hours-resolve;
Severity 2: 4 hours-respond, 2 days-resolve;
Severity 3: 1 day-respond, 5 days-resolve;
Severity 4: 2 days-respond, 10 days-resolve.
User can manage status and priority of support tickets
Online ticketing support accessibility
WCAG 2.1 AA or EN 301 549
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support levels include Email, Phone, Service desk and Onsite assistance.
Each support request will receive a severity level which is tied to a service level metric. Service-level metrics specify the maximum amount of time to elapse before a customer, after opening an incident, is contacted by a support representative. Initial response goals will be the same for all support package levels but will vary by severity. Initial technical response time is determined by the severity, as follows:
Severity 1; Urgent - A full system outage , none of the system is working and this is affecting all users.
Severity 2; High - A major element of either the Microsoft PPM / EPM or Pcubed solution is not working at all and affecting all / nearly all users or the production of business critical reports.
Severity 3; Normal - A single or small element of the Microsoft PPM / EPM or Pcubed solution is not working and affecting a number of users or multiple teams.
Severity 4; Low -There is a problem which is affecting limited numbers of users or a less frequent part of the solution or regular reports.
Support available to third parties

Onboarding and offboarding

Getting started
Envisioning workshops, training , change management, providing a dedicated delivery team and support where necessary
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats
  • MS Word
  • MS PowerPoint
End-of-contract data extraction
OData - extracting PO data to an excel spreadsheet and saving project plans in Microsoft Project
End-of-contract process
Microsoft and Pcubed are certified in ISO 27001, this enables Pcubed to comply with high standards of all our customer’s data security and integrity. Upon exit, all customer information will be securely destroyed and confirmation will be provided.
Also, Microsoft implements destruction and confirmation of destruction of all data upon exit of contract.
If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the retention period) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices, so you will be amply forewarned of the upcoming deletion of data.
After this 90-day retention period, Microsoft will disable the account and delete the customer data, including any cached or backup copies. For in-scope services, that deletion will occur within 90 days after the end of the retention period. (In-scope services are defined in the Data Processing Terms section of Microsoft Online Services Terms).

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
There are screen user interface differences, however, there are no limited functionality features
Service interface
What users can and can't do using the API
Microsoft Project Online has an Open API that allows integration with other systems (uni and bi-directional).
The API access of the following types is available: REST, SOAP. For further information, please see:
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The solution allows reports, letters and other communications to be customised with logos, fonts, branding and colours. Advanced customisation using pages, events, web pats and configuration can be provided to meet further requirements (e.g. add extra fields, access to API to build your own interfaces, etc.).


Independence of resources
Availability reports are available via the Admin Portal of Office 365, for the overall platform and by service.
There is a separation in services between consumers; users are not affected by the demand of other users.
By using Office 365 API, further monitoring is possible. The service is based on Microsoft architecture which is fully scalable.


Service usage metrics
Metrics types
Please see the Business admins section found here
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
  • Other locations
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Other
Other data at rest protection approach
For data at rest, the service deploys BitLocker with AES 256-bit encryption on servers that hold all messaging data, including email and IM conversations, as well as content stored in SharePoint Online and OneDrive for Business. BitLocker volume encryption addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers and disks. Your organization’s files are distributed across multiple Azure Storage containers, each with separate credentials, rather than storing them in a single database.
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
Users can use OData to extract or import their data. Out of the box SharePoint allows export of all information to Excel. Pcubed could also develop specific reports relating to more detailed information and saving project plans in Microsoft Project
Data export formats
  • CSV
  • Other
Other data export formats
  • XLS
  • MPP
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Legacy SSL and TLS (under version 1.2)
  • Other
Other protection between networks
For data in transit, all customer-facing servers negotiate a secure session by using TLS/SSL with client machines to secure the customer data. This applies to protocols on any device used by clients, such as Skype for Business Online, Outlook, and Outlook on the web. See also
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Microsoft supports versions 1.0, 1.1, and 1.2 of the Transport Layer Security (TLS) protocol. This protocol is an industry standard designed to protect the privacy of information communicated over the Internet. TLS assumes that a connection-oriented transport, typically TCP, is in use. The TLS protocol allows client/server applications to detect the following security risks:
• Message tampering
• Message interception
• Message forgery

For further information, please refer to:

Availability and resilience

Guaranteed availability
Microsoft provides a contractually backed SLA to a minimum of 99.9%
Backup, disaster recovery and resilience plan in place
Approach to resilience
Office 365 services have been designed around five specific resiliency principles:

There is critical and non-critical data. Non-critical data can be dropped in rare failure scenarios. Critical data should be protected at extreme cost. As a design goal, delivered mail messages are always critical, and things like whether or not a message has been read is noncritical.

- Copies of customer data must be separated into different fault zones or as many fault domains as possible (e.g., datacentres, accessible by single credentials (process, server, or operator)) to provide failure isolation.

- Critical customer data must be monitored for failing any part of Atomicity, Consistency, Isolation, Durability (ACID).

- Customer data must be protected from corruption. It must be actively scanned or monitored, repairable, and recoverable.

- Most data loss results from customer actions, so allow customers to recover on their own using a GUI that enables them to restore accidentally deleted items.

- Backup, disaster recovery and resilience plan in place

Further info:
Outage reporting
Office 365 reports outages via the service status portal, Alert or Mobile Application

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Other
Other user authentication
User access to interfaces is made possible with a user account: O365 account
Without having the O365 account, users cannot gain access to the service.
Access to the service is limited to authenticated and authorised users.
Usernames and password control remain under the buyers control.
Access restrictions in management interfaces and support channels
Access can be restricted based on the role of the user (administrator, team member with edit right, or only viewer).
In addition, if the user does not have a O365 licence, they are restricted from the service.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
No audit information available
Access to supplier activity audit information
No audit information available
How long system logs are stored for
Less than 1 month

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Control: The organisation shall supervise and monitor the activity of outsourced system development.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Other security certifications
Any other security certifications
  • Cyber Essentials Plus
  • EU Model Clauses
  • EU-US Privacy Shield
  • ISO 27001, ISO 27018
  • SOC 1, SOC 2
  • FIPS 140-2

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
EU Model Clauses,
ISB 1596,
ISO 27018,

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402.
The service has developed formal standard operating procedures (SOPs) governing the change management process. These SOPs cover both software development and hardware change and release management, and are consistent with established regulatory guidelines including ISO 27001, SOC 1/SOC 2, NIST 800-53, and others.
Microsoft also uses Operational Security Assurance (OSA), a framework that incorporates the knowledge gained through a variety of capabilities that are unique to Microsoft. OSA combines this knowledge with experience of running hundreds of thousands of servers in datacentres around the world.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.
In addition to Microsoft’s ISO-27001 compliance, and their use of independent 3rd party penetration tests, they operate an assumed breach model and use active red-team penetration testing and vulnerability management as part of their Operational Security Assurance (OSA).
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
Configuration, change management, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
Configuration, incident response and protective monitoring are all demonstrated in Microsoft’s compliance with the ISO-27001 information security standard.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • Public Services Network (PSN)
  • Police National Network (PNN)
  • NHS Network (N3)
  • Joint Academic Network (JANET)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)


£20000 per instance
Discount for educational organisations
Free trial available

Service documents

Return to top ↑