Capita Business Services Limited

Capita EvidenceWorks Digital Evidence Management – Microsoft Azure

An enterprise-wide service for EvidenceWorks in the Cloud. The service is a securely hosted, fully managed, open and scalable purpose built digital evidence management solution for UK Police which includes the capability to ingest, catalogue, store, analyse and share media from multiple digital sources.


  • Evidence digitally signed at ingest
  • Record Management System integration capability
  • Flexible workflow module
  • Management of digital evidence and potential evidence
  • Audio and video playback of evidence
  • Capture device agnostic
  • Full evidence and user based audit capability
  • Secure and accredited hosting environment


  • Manage all digital evidence securely and consistently
  • Remove or reduce siloed IT systems and associated business practises
  • Technology agnostic approach e.g. Body Worn Video supplier independence
  • Prepare for Digital First requirements and standards (DETS)
  • Supports MoPI and Evidential Standards
  • Reduced need for DVD burning and physical media handling
  • Supports CCTV, Digital Interview, Forensic Crime Scene Images, BWV files
  • Purpose designed for Police and proven in live operational use
  • Provide every police officer with tools to manage digital evidence


£10.18 to £29.87 per user per month

Service documents


G-Cloud 11

Service ID

8 4 0 8 5 7 7 9 7 2 8 6 4 1 9


Capita Business Services Limited

Capita Business Services Ltd


Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints 1. The buyer is required to procure secure connectivity to the Microsoft Azure data centre.
2. The service can to store information up to OFFICIAL, including OFFICIAL SENSITIVE. The buyer must ensure that no attempt is made to store information with high markings in the solution.
3. There will be planned maintenance and this will be scheduled in agreement with the customer.
System requirements Client PCs must meet specification provided in the Service definition

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Capita enable customers to log faults via 3 means (telephone, portal or email) with all contacts being managed by our 24x7x365 UK based Service Desk. All contacts are logged onto our Service Desk toolset which ensures that details are accurately captured and the most appropriate support teams are assigned to resolve the query within associated service hours.
User queries are responded to within the next business day.
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support No
Onsite support Yes, at extra cost
Support levels Our Service Desk captures and manages all requests for support which broadly fall into 2 categories. These are a loss of the EvidenceWorks service or user queries.
All loss of service contacts are managed by our system engineers who are responsible for restoring the operational service in a timely manner to meet service restore and availability targets. Incidents are typically resolved using remote access with support from our UK wide Field Services team if a site visit is required. Services are either delivered 24x7x365 or office hours depending upon the criticality of the call. An annual all-inclusive cost is provided to meet typical EvidenceWorks operational requirements.
Technical queries are managed by our Product Management team who are able to provide telephone support during office hours (Monday to Friday 09:00 to 17:00hrs excluding Public Holidays). A service level manager will be assigned to manage the delivery of the overall service.
Support available to third parties No

Onboarding and offboarding

Onboarding and offboarding
Getting started Capita’s on-boarding team will agree with the customer an implementation plan that defines the tasks and responsibilities for implementation of EvidenceWorks in the Cloud.
The on-boarding process includes the following:
• Issue of Welcome pack
• Service Desk commissioning and portal set-up
• Commissioning of a dedicated instance of the EvidenceWorks Repository in the Cloud
• Liaising with the customer for EvidenceWorks Manager and Administration console installation and configuration
• Liaising with the customer for Remote Desktop Support Toolset installation
• Configure access to EvidenceWorks Repository in the Cloud from EvidenceWorks® Manager
• EvidenceWorks in the Cloud instance verification and acceptance approval
• Product demonstration for familiarisation purposes
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Depending on the volume of data the customer stores using the service several options are available for data extraction. These include:
• Copying data from the service to customer storage using the network connection between the customer and data centres. This is only suitable for low volumes of data;
• Copying customer data onto encrypted removable media;
• At the data centre, copying customer data onto a Network Attached Storage unit and physically providing this unit to the customer.
Data extract incurs an optional additional charge that varies based on the method used and the volume of data to be extracted.
End-of-contract process At the end of the contract, Capita will:
1. Agree an exit plan with the customer;
2. Optionally at additional cost, migrate customer data out of the cloud;
3. Delete customer data held in cloud storage;
4. Decommission the cloud environment;
5. Delete user data held in Capita’s Service Now support solution;
6. Decommission network work hardware and software used to connect to the customer’s instance of EvidenceWorks;
7. Issue a certificate of destruction.

Using the service

Using the service
Web browser interface Yes
Supported browsers Internet Explorer 10
Application to install Yes
Compatible operating systems Windows
Designed for use on mobile devices No
Service interface No
Customisation available Yes
Description of customisation The EvidenceWorks administration console provided to administrative staff to maintain users, groups, views, constrained vocabulary lists and metadata items within the solution.
Using the Administrator console new metadata items can be constructed to mark digital evidence. These additional metadata items can then be made available to staff and maintainable through system administration created metadata edit functions. Access to metadata edit functions are also controlled through the functional access control model within the administrator console.
Within EvidenceWorks views can be created to filter on the evidence. Views are either created by the system’s administrators or individual users. Administrator created views can be based on individual users or groups of users as defined by either Active Directory or the EvidenceWorks Administration console. User views can be created, deleted and modified as required by a user. Additionally, user created views can be nested to group similar views.


Independence of resources Each customer is assigned a single tenant instance of EvidenceWorks in the cloud hosted on Microsoft’s Azure platform.
The critical virtual machines in the EvidenceWorks deployment are assigned uncontended processing power and memory, meaning that the level of resource allocated is not shared hence is not affected by demand placed on the service by other users.


Service usage metrics No


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Microsoft; Optionally E2E Assure

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type Explicit overwriting of storage before reallocation
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported by the customer or alternatively depending on data volumes, the customer may chose to use Capita's data extraction service at the end of the contract.
Data export formats Other
Other data export formats Data exported in native format as originally loaded.
Data import formats Other
Other data import formats There is no restriction on file formats for evidence upload

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks Other
Other protection between networks The buyer is required to provide a secure connection between the buyer’s network and the data centres. This may be one of the following:
• A suitably secured private WAN;
• A VPN.
Data protection within supplier network Other
Other protection within supplier network Network traffic at the compute and storage layer, is separated via robust hypervisor controls that ensure each deployment of EvidenceWorks is separated from all other Microsoft customers and exists within its own virtual network.
Microsofts Network Security groups feature is used to provide firewall functionality separating network traffic and protecting from unwanted protocols and network traffic.
Hypervisor level features prevent virtual machines capturing any traffic that is not meant for them and ensure communication between virtual machines is kept private.

Availability and resilience

Availability and resilience
Guaranteed availability Our service is designed to provide a minimum availability of 99.90% which is measured on a monthly basis and excludes outages caused by the customer, planned maintenance work or events outside of Capita’s control. Non availability is termed as any unplanned period when the entire system is not delivering its core functionality.
If the target availability measure falls below a set level then the customer’s monthly invoice will contain a reduction of 5% of the monthly fee where the cumulative monthly service outage is 10% or more below the service level target for the service. This mechanism is managed by our Service Level Management team.
Service Reports are provided monthly which include details of incidents raised and the level of availability achieved for that period.
Approach to resilience All evidential data and virtual machines are replicated from a primary to a geographically separated secondary data.
Virtual machines are kept in a cold standby state at the secondary data centre and a manual process will reinstate the service from cold standby with minimal loss of data within the specified recovery period.
Capita’s business continuity plan describing how support services provided by Kennington Park and Methuen Park will be maintained in the event of a disaster is available upon request
Outage reporting Our Service Desk agents will inform users if the service is unavailable on point of contact and an expectation of when the service will be stored.
Monthly service reports are provided containing details of any outages during the measurement period, causes and corrective actions taken to prevent a reoccurrence. These reports are email to customers within 10 working days from the end of the previous month.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password
  • Other
Other user authentication Users accessing the service are subject to several control measures.
User access to the service is only possible via the secure network connection provided by the buyer. The control measures applied to this connection are dependent on the connection mechanism used.
Having connected to the service, each individual user needs to provide two factor authentication which is verified against the buyers identity and access management solution.
Access restrictions in management interfaces and support channels Any administrator connecting to the service for management purposes faces initial authentication at the ingress to the building and further authentication for access to the secure support room.
Capita’s administrator will access the solution for support and maintenance using a secure remote access facility accessed via a VPN. The administrator will be logically authenticated when accessing the support machine. Further authentication will be required depending on the management and support functions performed.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Lloyd's Register Quality Assurance Ltd
ISO/IEC 27001 accreditation date Transition to ISO27001:2013 14/09/15; triennial re-assessment 11/15; Surveillance visits 05 & 11/16
What the ISO/IEC 27001 doesn’t cover The Hosted environment is outside the scope of our ISO27001 certification. Additionally, the Service Desk provided at Kennington Park, which provides 1st line support is not within the scope of the ISO27001 certification. However, staff there undertake the same information security training and operate to the same information security procedures. Moreover, they are certified to ISO20000-1 for service management, which relies upon the same information security system certified to ISO27001.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Capita complies with the following standards: ISO27001, ISO 27002:2013, ISO 22301, BS25999, ISO9000, and Cyber Essentials.
At a group level Capita has a Cyber and Information Security Policy, and the following security standards:
• Data Security Standard
• An IT Security Standard,
• A Physical Security Standard
• An Acceptable Use Security Standard.
Capita Communication and Control Systems (CCS) has an accredited ISO 27002:2013 Information Security Management System (ISMS), which is aligned with HMG Security Policy Framework (SPF) and CESG Good Practice Guides (GPGs).
Capita staff are given information security training which is refreshed on an annual basis.
CCS has a head of security overseeing security matters within CCS who reports into a Divisional Security Officer

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach Our Service Management toolset is used to support a suite of mature configuration and change management processes. Component details are stored with the toolset as Configuration Items (CI) which are managed by change management through to their end of life. Any change to a CI is initiated by raising a Request For Change which is assessed, approved, built/tested, implemented, closed on completion and reviewed.
Any potential security impact is assessed during the assessment phase by our Security Manager and appropriate actions or safeguards identified as required. These actions/safeguards will need to be approved and tested before implementation.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Capita is a member of the Cyber Information Sharing Partnership through which Capita receives and shares notices of threats and vulnerabilities.
At a system level Capita will perform vulnerability scans to detect new vulnerabilities.
A risk assessment will determine the impact and risk to the solution of each vulnerability. The nature of the risk determines how quickly the vulnerability will be patched. Critical patches may be applied immediately if the risk outweighs inconvenience to customers. Less critical patches will applied during planned maintenance, if necessary additional maintenance may be planned to apply the patch.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Microsoft provides Protective Monitoring at the Hypervisor level.
Optionally, protective monitoring can be provided at the application level and operating system level using e2e Assure’s CPG13 conformant Protective Monitoring and SOC Service.
If a potential compromise is detected, a security incident will be raised and Capita will investigate and resolve the incident using Capita ISO20000 conformant incident management processes.
Capita will restore service within 8 hours if the fault is with the Capita supplied service. Service Hours are 24x7x365.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Capita operates an incident management process which conforms to the ISO20000 standard. Users report incidents via our 24x7x365 Service Desk who assess the impact of the incident and assign a priority within the Service Management toolset. The incident is then assigned to the support team for resolution. Once the incident has been resolved the Service Desk contacts the users to confirm resolution before the call is closed within the toolset. Our problem management team produces resolution details to any common events.
A monthly Service Report is provided containing incident details including what was done to resolve the incident.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £10.18 to £29.87 per user per month
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑