Costain Limited

Irides Connect - CCTV Video Management

Irides Connect allows secure sharing of assets between disparate CCTV systems, enabling maximum coverage and optimum monitoring. Shareable assets supported include live CCTV feeds, recorded CCTV feeds and NVRs/DVRs recording. Supports integration with multiple Video Management Systems (VMS) out-of-the-box. Can also be integrated with systems where an SDK/API is available.


  • Enables secure sharing of CCTV feeds between organisations
  • Enables secure streaming of video and control of cameras
  • Provides up to 30 transcoded (MPEG4 to H.264) streams
  • Restreams up to 150 H.264 streams (no transcoding)
  • Support for Windows and Linux
  • User-friendly interface
  • Easily configurable for systems integrators and maintainers
  • Updates and new features made available as released


  • Uses DVNP to address linking disparate CCTV systems
  • Low integration risk
  • Easy to setup, configure and maintain
  • Other services in the Irides range are low-cost enhancements
  • Trusted CCTV supplier with 30+ years experience, reducing operating risks
  • Regular enhancements and service updates


£6,000 to £50,000 a unit

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

8 2 8 9 4 1 0 1 5 5 6 6 8 9 2


Costain Limited Tim Ellis
Telephone: 01628842444

Service scope

Software add-on or extension
Cloud deployment model
Private cloud
Service constraints
As a video management solution the service requires integration with back-end CCTV systems. To connect Irides to these systems we will need access to the corresponding API/SDK to these connecting systems.
System requirements
  • Microsoft Windows or Linux
  • Minimum 12Gb RAM
  • Minimum 10Gb storage
  • Intel 2.50Ghz, 4 cores
  • Modern web browser

User support

Email or online ticketing support
Email or online ticketing
Support response times
Support calls are categorised by urgency and assigned with a corresponding priority, according to impact and severity. Priority is ranked on a scale of 1 to 4, where 1 is most critical.

Response times are:

Priority 1 - 1hr response, 4hr resolution
Priority 2 - 2hr response, 8hr resolution
Prioirty 3 - 24hr response, 48hr resolution
Priority 4 - 24hr response, 168hr resolution

Service times are 9.00am to 17.00 (UK time), Monday to Friday.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
Costain provides support and maintenance services, managed and certified to the ISO20000 Service Management standard. This ensures that we can focus on delivering value by being agile and flexible in meeting our clients service needs, whilst continually monitoring and improving our service provision.

Our standard support times are 0900 - 1700 (UK), Monday-Friday and our service desk can be contacted via phone or dedicated gcloud email address (

All service staff are ITIL trained and we follow both the best practices set out by ITIL and required by our ISO certification.

We provide: Mature Service Management process aligned with ISO2000 and ITIL; Service and contract management with dedicated service managers; Service level management and ability to work with clients to design services and define appropriate service requirements; Service management reports and KPI management; ESCROW services to ensure business and service continuity; Continual Service Improvements processes and reports.

On-site support post-handover is based upon SFIA rates.
Support available to third parties

Onboarding and offboarding

Getting started
We provide online training, support and a guidance document. We can also provide on-site training at additional cost and provide email and telephone support in line with our SLA.
Service documentation
Documentation formats
  • PDF
  • Other
Other documentation formats
An online Wiki, included in the cost
End-of-contract data extraction
We don't store data, therefore users do not extract it. Data from camera feeds that are integrated into the system (ie., video streams) can be stored as a recording by the client. We will agree the scope of what is being asked for by the client and based on that we will export the data with an agreed price (based on number of users and amount of data, on a case-by-case basis)
End-of-contract process
Connection to CCTV system is revoked and the system decommissioned

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
Designed for use on mobile devices
Service interface
Description of service interface
Configuration for Connect (config/admin); any other DVNP client could connect to this services.
Accessibility standards
None or don’t know
Description of accessibility
N/A - varies according to whichever video management systems etc. that are connected
Accessibility testing
No testing undertaken.
What users can and can't do using the API
Irides Connect implements the DVNP specification which allows users of the CCTV system to access video streams from other DVNP enabled systems. Users will be able to view video streams, control PTZ cameras, request move to preset positions etc. Users will not be able to perform any administrative functions using this API as DVNP is not designed for this purpose.
API documentation
API documentation formats
API sandbox or test environment
Customisation available


Independence of resources
Bandwidth requirements will be confirmed with the buyer prior to signing the contract to ensure the agreed availability. This will include the confirmation of the number of channels (how many cameras) and users (people logging in at the same time) that are required, etc. The system is scaled according to the agreed number of simultaneous feeds and storage requirements.


Service usage metrics
Metrics types
We provide access via URL; users can see how many feeds are currently being used (i.e., number of cameras being being incorporated into the system), number of users logged in, etc.
Reporting types
Real-time dashboards


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
Costain encrypts all staff machines using Microsoft Bitlocker and all Azure Servers are built with encrypted disks to ensure Data at Rest is protected.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users don't export data.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Other
Other protection between networks
Secure signins, user-based access rights (groups defined within the service configuration), all requests over HTTPS
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network
Costain uses Microsoft365 with TLS 1.2+ to protect data at transit, we also have Microsoft Cloud App Security Broker deployed to monitor data within the network. Costain also uses encrypted VPN connections for when staff are out of the office and needs to communicate back to the corporate network.

Availability and resilience

Guaranteed availability
Costain uses Microsoft Azure to underpin most of our services, and the inherent resilience that Azure provides is built-upon by us to provide various, bespoke levels of high-availability depending on the requirements of a particular client or service.
Approach to resilience
Costain uses the Azure UK West and UK South datacenters, to provide resilience as well as data residency assurance. In addition to the regional pairing that Azure storage provides to ensure resilience during datacenter failures, Costain also utilises application resiliency in Azure through a mixture of virtual machine pairing, load balancing devices and data replication across UK datacenters.
Outage reporting
Costain uses a number of alerting methods (including but not limited to such things as email, SMS, auto-ticket generation) depending upon the requirements of a particular client or service.

Identity and authentication

User authentication needed
User authentication
Username or password
Access restrictions in management interfaces and support channels
Costain uses Role based Access so any administrative tasks are used by admin accounts rather than standard user accounts and these are individual and not shared. Costain also force all Azure admins to use MFA to help protect the account.
Costain uses Thycotic Privledge Access Management to audit and control any administrative work that is required to be carried out.
Costain also ensures all default accounts on devices are changed to a secure complex password.
Access restriction testing frequency
At least once a year
Management access authentication
2-factor authentication

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
How long system logs are stored for

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
British Standards Institute (BSI) Certification No. IS557983
ISO/IEC 27001 accreditation date
January 2020 with annual review
What the ISO/IEC 27001 doesn’t cover
Non-production corporate environments and project/development/research environments owned by our own Complex Delivery projects. All controls listed in ISO27001 Annex A are covered.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
CyberEssentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
ISO22301, CyberEssentials Plus
Information security policies and processes
Costain’s internal Information Security and Data Protection policy (published on our Intranet and underpinned by mandatory information- and cyber- security online training modules) summarises Costain’s strategy and can be provided on request. This is reviewed bi-annually via a committee which includes board-level representation.

Costain operates a company-wide information security management system which is certified to ISO 27001: 2013 with BSI Certificate No: IS557983.

Costain’s information security policy is designed to ensure that:

Information will be protected from unauthorised access;
Confidentiality of information will be assured;
Integrity of information will be maintained;
Information is made available to authorised persons;
Regulatory and legislative requirements will be met;
Business Continuity plans will be produced, maintained and tested;
Information security training will be available to all staff and is mandatory in order to continue accessing IT systems;
All breaches of information security, actual or suspected, will be reported, investigated and resolved;

Additionally, Costain are accredited to Cyber Essentials Plus, Certificate No: 8033978929854206.

Costain are a member of the National Cyber-Security Council’s (NCSC) Cyber-Security Information Sharing Partnership (CiSP), which ensures that we keep abreast of the dynamic nature of cyber and information security risks.

Operational security

Configuration and change management standard
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach
End-User Computing (EUC) – Costain operate a standard-image process for ensuring a consistent configuration of desktops and laptops. This includes removing/disabling unnecessary components in order to more fully harden the device against security threats.

Server/Infrastructure – these are deployed via image templates, again in order to provide standard configuration and attack-surface reduction.

Costain operates an ITIL-based Change Management process to ensure that changes to these baseline configurations (and other systems) are sufficiently assessed and appropriately authorised.
Vulnerability management type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach
All operating systems and key applications (both Microsoft and non-Microsoft) are patched automatically within 30 days of updates/patches being released by the vendor (14 days for critical security updates).

Servers and end-user computing operating systems are updated to be no more than 12 months behind the latest vendor release.

Penetration tests are performed by an independent CREST-accredited company (provider is rotated regularly) on an annual basis, and also whenever key systems are upgraded or introduced.

Vulnerability scans using an automated system (Nessus) are run regularly to ensure our security posture is appropriate across all applications, systems and devices.
Protective monitoring type
Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach
We use a 3rd party managed SOC (Secure Operations Centre) where all of systems feed into. The SOC filters the events using AI and ML to correlate events and priorites them accordingly. They deal with Priority 2-4 (the lower categories) - P2 notifies Costain and P1 (most critical) are passed to Costain and we work jointly with the SOC to resolve the issue (with the ability to bring staff in from the SOC). We have SLAs with the SOC. P1 is responded to within 4 hours.
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
We have pre-defined processes and process maps for common events with 100+ different processes designed to respond proactively to user reporting. These are handled internally by our Resolver Group (Service Desk, Infrastructure Team, etc.). Users report incidents via a ServiceNow portal (logging tickets) or call our internal Service Desk. We also have self-service portals for simple queries (e.g. password reset). Major incidents (e.g. Outages) are logged as high priority ticket and our IT Operations Manager requests an incident report from the relevant Team Leader (root cause, remediation to prevent re-occurence). We provide user notification upon service resumption.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
Connected networks
Other public sector networks
Can connect to client-specified networks (assuming correct authority)


£6,000 to £50,000 a unit
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.