Cornerstone OnDemand

Cornerstone Public Sector Learning and Training Content

Cornerstone Content Services

Cornerstone is uniquely placed to respond to our client’s content needs through our 3-pillar approach; Learning Suite, Learning Experience Platform and Content.


  • Modern Learning Content, mobile learning, social collaboration
  • Reporting
  • Personalised course suggestions to encourage continuous learning
  • Tailored content is integrated into the employee’s workflow
  • Track, manage & report on all training
  • SCORM & AICC compliant & Integration with any LMS system
  • Availability - Public Internet devices, Tablets, Mobiles, PC's
  • Integrated Dashboards and Reporting, no reliance on 3rd Party


  • Deliver modern, prescriptive and mobile-ready content training to every employee
  • Accelerate employee performance and create leaders at all levels
  • Enable talent mobility and engage the entire workforce
  • Ensure compliance and support organisational goals
  • Build a culture of passion and purpose
  • Foster real-time team collaboration and support social learning
  • Solve important business challenges with modern content learning
  • Quarterly releases and no expensive upgrades required
  • One Versionless System, One Support organisation


£3.75 to £35.00 per user per year

Service documents


G-Cloud 11

Service ID

8 8 0 6 5 7 6 5 9 6 7 5 6 9 4


Cornerstone OnDemand

Julian Turner

07788 291438

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Full Integration with the Cornerstone Suite, which can seamlessly tie employee learning and performance metrics to give executives and managers a clear picture of how learning initiatives impact organisational success.
Cloud deployment model Public cloud
Service constraints Cornerstone is a Software-as-a-Service. Users can access the application at any time and from anywhere through the internet. In addition, Cornerstone has broad experience in developing highly stable single sign-on linkages with its clients. End users will be able to access the infrastructure seamlessly with one login and from a specified location on the client’s network.

Cornerstone are happy to provide specific hardware configurations or requirements upon request.
System requirements
  • As a SaaS Service - there are no hardware requirements.
  • Minimum Desktop Requirements: Recommendations upon request
  • Supports Mobile Device Enablement: Recommendations upon request
  • There are no software maintenance, and no network administration requirements

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Response time 1 hour. Included Level Support provide as standard in the software subscription fee at no additional cost and includes 24x5 live emergency phone support 24/7 for S1/S2 Level Tickets. Phone Support is available M-F, 24 Hours. In addition, clients can submit an unlimited number of cases and have 24 hour visibility to those cases through our online portal MySuccess.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 A
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support Yes, at extra cost
Support levels Cornerstone offers various support packages, with varying levels of access, availability, and services at an additional cost. Which include enhanced service levels and 24x7 live phone support.

All support options include:
- OnDemand’s self-service resources is available 24/7 through the web interface within the Cornerstone application.
- Case Management Tools:Available 24/7 via self-service portal
- Live Emergency Phone Support:24/7 S1/S2 Emergency Support.

Included Support - provided as standard.
- 2 Named Admins
- Phone Support (M-F):Available Monday through Friday, 24 hours.

Choice Support Includes:
- 5 Named Admins
- Phone Support (M-F):Available Monday through Friday, 24 hours.
- Access to shared Customer Service Manager (CSM).

Preferred Support Includes:
- 5 Named Admins
- Phone Support 24/7/365
Shared GPS Guru: Dedicated GPS Subject Matter Expert

Elite Support Includes:
- 10 Named Admins
- Phone Support 24/7/365
- Prioritized Case Handling: Enhanced case review and resolution.
- Elite Support Performance Scorecard
- Named GPS Guru: Dedicated Global Product Support Subject Matter Expert.
- Weekly Guru Call: A scheduled time to discuss upcoming business projects and/or needs.
- Release Weekend Support: Live support during release weekend.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Once the contract has been executed, Cornerstone will assign the client an Implementation Consultant.

The Implementation Consultant will be the primary point of contact during implementation. In addition, they will be supported by a project team that may include a Program Sponsor, Engagement Manager, Integration Consultant, and Training Consultant, depending on project’s scope and complexity.

We deploy our solution in significantly less time than required for similar deployments of legacy software. Our SaaS model eliminates the need for complex technical requirements such as code customisation, equipment deployment, and unique delivery models.

A typical pragmatic implementation would be done following either or Cornerstone NOW or Realise approach, therefore would take approximately between 3 (Cornerstone Now) and 8 (Realise) weeks for an initial module based on scope and complexity. With years of experience and hundreds of deliveries across various industries, we’ve learned what it takes to ensure our clients can make a successful leap to impact.

Cornerstone and partners can also engage in further discussion to fine tune the implementation approach (governance, scope, timeline, etc.) to cope with any specific need or stake on client’s side.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction In the event that a client does not renew their contract, Cornerstone will return the client’s data via their secure FTP site in the same format in which the data was originally inputted into the software. Alternatively, the client’s data can be returned in a mutually agreed format at a scope and price to be agreed. Cornerstone will maintain a copy of the client data for no more than six months following termination of the agreement, after which time any client data not retrieved will be destroyed.
End-of-contract process Our agreements are for a term lease period, and software fees are paid in annual installments over that period, during which time Cornerstone recovers costs. Accordingly, during that lease period (as with, say, a rental or car lease), there can be no termination for convenience.

Effect of Termination. Immediately following termination of this Agreement, Client shall cease using all Products. Client may retrieve Client Data any time prior to termination or expiration of the Agreement. If requested, Cornerstone will assist with such data retrieval at a scope and price to be agreed.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Cornerstone Mobile allows users to view their learning transcript and to download, view, and interact with rich, standards-based courseware and knowledge content from their smartphones and tablet devices. Content conforms to SCORM 1.2, SCORM 2004, and AICC standards and is supported for maximum content interoperability and reusability.

Our offline player allows users to complete online courses on their phones and tablets while not connected to the internet. Online classes behave as though they are being used online: bookmarks are kept, progress is saved, etc. After reconnecting to the internet, the results of the training can then be uploaded to Cornerstone.
Service interface No
What users can and can't do using the API Cornerstone has available a number of out-of-the-box API’s as functionality exposed as web services. Currently, four main areas of functionality are offered through our web services.

User and Organisational Unit upload / Edit

a) A feed from your HRIS or system of record can upload and modify new users, Organisational Units and changes.

Transcript and Task retrieval
a) Ability to see the homepage widgets and user transcript

b) Home page widgets available:

Assigned Training
In Progress
Upcoming Sessions
Pending Tasks
c) Also available: View of the entire user transcript

Sections within the curricula available for viewing
d) Web service provides status and IDs for learning objects

Catalog Search
a) Ability to search the catalog by title, description, etc., to see training and sessions available to a given user

Learning Objects
a) Ability to perform general functionality for learning objects

b) Tasks available:

Launch Materials

The web services are a configuration. Cornerstone provides the web service URL and documentation to the client. All the necessary information is provided in the documentation. The client will use standard web service API’s on any platform or any tool that supports web services to consume ours.
API documentation Yes
API documentation formats
  • HTML
  • PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Cornerstone was designed to be administered by the client and not the vendor. G Cloud Clients have complete control to configure the look and feel of the application to your specific business units with specific functionality and branding. Client administrators are presented with an extensive set of web-based controls which enable them to easily configure graphics, colors, key words, layout, and business rules.

Clients can make configuration changes on their own without any assistance from Cornerstone or for any additional costs. Not all vendors can make this claim. The high configurability of the Cornerstone system is one of the distinct advantages that we offer to our customers.

The high configurability of the application allows for the easy creation of custom fields throughout the application, including workflows and reporting. Depending on the type of custom fields you are creating, options include branched dropdown, check boxes, conditional numeric fields, date fields, dropdowns, hierarchy, multiple check boxes, numeric fields, radio buttons, scrolling text boxes, and short text boxes


Independence of resources The Cornerstone application, as per the Software as a Service model, is designed to scale horizontally. It is multi-tenant-efficient, offering a load balanced farm of identical instances known as swim lanes. When additional server equipment is added, the application capacity scales to fill the available hardware.

This allows virtually unlimited growth capacity.

As opposed to a classical behind the firewall or hosted architecture, our application and our hardware platforms are designed to:

• Efficiently support a high number of users and customers

• Redistribute load easily

• Add additional capacity easily and quickly


Service usage metrics Yes
Metrics types Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

MySuccess enables named client administrators to access Global Care knowledge assets, solutions, and self-service support tools online at any time. MySuccess is powered by a case management system and interface that provides the ability to submit, update, track and manage questions, issues, and other requests. Clients can download a support performance scorecard at any time.
Reporting types Real-time dashboards


Supplier type Reseller providing extra features and support
Organisation whose services are being resold Litmos Heroes content library

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Baseline Personnel Security Standard (BPSS)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Other
Other data at rest protection approach Physical access control, complying with CSA CCM v3.0 and ISO27002 Standards.

Optional TDE Encryption at rest.
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Clients can export their data at any time through our reporting engine and analytics tool. In addition, an outbound data feed can be established from Cornerstone to an internal client system such as a data warehouse.

Cornerstone does offer data warehouse replication services. A client’s entire Data Warehouse is replicated to a separate server in our data center to allow clients to make direct SQL connections over a Virtual Private Network (VPN). Clients can report against all data in the replicated data warehouse directly without having to use our Analytics module.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network VPN, restricted access (SSO) and dedicated lines.

Availability and resilience

Availability and resilience
Guaranteed availability Cornerstone provides an SLA for all clients that guarantees initial response and resolution in regards to defined priority and severity levels.

Cornerstone’s SLA also guarantees 99.5% uptime (excluding reasonable and scheduled maintenance periods) per month.

In the event that Cornerstone has not complied with its "Resolution" obligations set forth above, then, for each calendar day (or portion thereof) that Cornerstone has not so complied, Client shall be entitled, as its sole and exclusive remedy therefor, to a credit against Client's next invoice equal to 1/365th of the annual fees for Software set forth in the Agreement.
Approach to resilience Cornerstone’s Disaster Recovery/Business Continuity Plan defines plans, procedures, and guidelines for the Company in the event of disaster. Specifically, this document establishes procedures for recovering business operations, internal data; systems, and critical internal functions to maintain Cornerstone as an on-going concern in the face of unexpected events.

The plan has the following primary objectives:
•Identify critical systems, services, and staff necessary to maintain and/or restore Cornerstone business operations and internal functions.

•Provide guidelines for the communication of activities and status to both Cornerstone staff and client personnel during the recovery period.

•Present an orderly course of action for restoring critical computing capability to Cornerstone and for maintaining and/or restoring client service and support.

Cornerstone performs site-to-site replication of data to protect client data in the event of a disaster. There are two dedicated disaster recovery sites distant from each of the production data centers. Disaster recovery testing is performed semi-annually at each DR site.

Further available information is available upon request.
Outage reporting Outages occur during scheduled maintenance/releases. Otherwise, the system is not likely to experience any outages, however in the unlikely event of an unexpected outage, clients will receive email alerts.

Downtime is scheduled for planned quarterly releases at least 4 months in advance and deployed during off-peak hours, typically 8:30PM EST Fridays to 1AM EST Saturday (4.5 hours). Patch fixes typically occur every two weeks between 8:30PM EST and 12:00AM EST. The typical downtime for a patch deployment is approximately 10 minutes.

Client administrators can access a calendar of upcoming release and patch dates at any time through our client portal, Success Center. In addition, multiple email reminders are sent in advance.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication Users access the Cornerstone application either through a username and password, or through Single Sign-On (SSO). Cornerstone does not offer two factor authentication to clients for logging into their portal. However, clients that use SSO are able to implement two factor authentication within their own network prior to sending the SAML token to Cornerstone.
Access restrictions in management interfaces and support channels Users need a unique username, password to access the application. Alternatively, clients can be authenticated using security tokens, utilising a symmetric algorithm, passed by the client’s local authenticator for Single Sign-On functionality.

Passwords represent a fundamental and significant security mechanism at Cornerstone. Passwords are required to access the production network (via Active Directory) and applications (SQL Server). User accounts are created that employ individual user ID and passwords to identify and authenticate a given user. Users cannot access any Cornerstone system without a valid user ID and password. The SQL server logon groups are each configured to use Windows authentication.
Access restriction testing frequency At least every 6 months
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNV GL Business Assurance accredited the ISO/IEC 27001 certification
ISO/IEC 27001 accreditation date 07/05/2015
What the ISO/IEC 27001 doesn’t cover Please note that our IT service management policies and procedures are informed by many sources, including the cohesive set of best practices covered by ITIL, as well as other standards and best practices such as SSAE 16, ISAE 3402, ISO 27001, and FISMA. These certifications cover all the main security requirements
ISO 28000:2007 certification Yes
Who accredited the ISO 28000:2007 Cornerstone is not ISO 28000:2007 certified
ISO 28000:2007 accreditation date N/A
What the ISO 28000:2007 doesn’t cover Please note that Cornerstone has received certification for the following programs:

• SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type II
• PCI Certification
• Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
• EU GMP Annex 11 and 21 CFR Part 11
• Federal Information Security Management Act (FISMA)
• ISO 27001:2013
• Equinix SSAE16 Audit, ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
• Equinix Telecity ISO 27001, ISO 22301, ISO 9001, OHSAS 18001, ISO 14001
CSA STAR certification Yes
CSA STAR accreditation date 07/05/2015
CSA STAR certification level Level 5: CSA STAR Continuous Monitoring
What the CSA STAR doesn’t cover Cornerstone can provide upon request a copy of the CSA questionnaire with all the Cornerstone compliant specifications.
PCI certification Yes
Who accredited the PCI DSS certification Trustwave accredited the PCI certification for Cornerstone
PCI DSS accreditation date 2014
What the PCI DSS doesn’t cover Cornerstone is categorized as PCI Level 4 SAQ D under the Payment Card Industry Data Security Standards. Standards include: building and maintaining a secure network, protecting cardholder data, and maintaining an information security policy.
Other security certifications Yes
Any other security certifications
  • SSAE 16, ISAE 3402 Type II Audit, SOC 2 Type11
  • Privacy Shield (previous EU Model Clauses, previous Safe Harbor)
  • EU GMP Annex 11 and 21 CFR Part 11
  • Federal Information Security Management Act (FISMA)
  • ISAE 3402
  • WCAG 2.0 and Section 508
  • FedRAMP
  • SSAE16 Audit, ISO 27001, 22301, 9001, OHSAS 18001, 14001
  • Equinix Telecity ISO 27001, 22301, 9001, OHSAS 18001, 14001

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards
  • CSA CCM version 3.0
  • ISO/IEC 27001
Information security policies and processes Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and have ISO27001:2013 including ISO27018 for privacy, plus conduct annual SSAE 16 SOC1 and SOC2 third party audits to verify continuously Cornerstone Technical and operational controls to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

We employ multiple standard technologies, protocols, and processes to monitor, test, and certify the security of our infrastructure continuously.

Security responsibilities are handled by our IT operations team and overseen by our Deputy CISO, who works in concert with our Sr. Director of Technology Operations and Chief Technology Officer and is responsible for securing information in accordance with industry best practices and for implementing the recommendations of the various 3rd party audits.

Cornerstone does not publish these documents. However we can provide a secure online account, where you can access and view these documents.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach As a SaaS company, we release software frequently and regularly so that our clients may benefit from our on-going R&D. Cornerstone follows a defined SDLC (Software Development Lifecycle) that contains a number of important quality steps, an abridged version of which can be provided upon request. Development and Project Management are tasked with ensuring that these steps are followed:
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach Cornerstone contracts leading third party information security consulting and services companies to run external penetration tests against our production environments to coincide with major code releases throughout the year. Vulnerability classes tested for include the following:
•Cross Site Request Forgery (CSRF)
•Cross Site Scripting (XSS)
•Command Injection (including SQL, LDAP, and OS command injection)
•Server Side Includes (SSI) Injection
•Forced Browsing
•Format String Vulnerabilities
•Response Splitting
•Directory Traversal and Data Exposure
•SSL/TLS Cipher Strength Analysis
•Cookie Analysis
•HTTP Method Analysis
•Hostile Link attacks
•Cookie Injection Attacks
•Session Fixation
•Session Management (Subversion, Timeouts/Logouts)
•Vulnerabilities Within the Username/Password Recovery Method
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach Security is of paramount importance to Cornerstone due to the sensitive nature of employee data. We designed our solution to meet rigorous industry security standards and to assure clients that their sensitive data is protected across the system. We ensure high levels of security by segregating each client’s data from the data of other clients and by enforcing a consistent approach to roles and rights within the system. These restrictions limit system access to only those individuals authorised by our clients.

Cornerstone include best in class multiple standard technologies, like SPLUNK to help manage our security monitoring.
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Cornerstone maintains an ISO27001 based Security Incident Response Plan in order to organise resources to respond in an effective and efficient manner to an adverse event related to the safety and security of a computer resource under Cornerstone’s management. An adverse event may be malicious code attack, unauthorized access to Cornerstone managed networks or systems, unauthorised utilisation of Cornerstone services, denial of service attack, or general misuse of systems.

The plan clearly defines the appropriate steps and processes in communication. Clients will be notified within 24 hours of the identified issue.

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks No


Price £3.75 to £35.00 per user per year
Discount for educational organisations No
Free trial available No

Service documents

Return to top ↑