Cora Systems

Cora PPM

Cora PPM is a mature project and portfolio management software solution, providing organisations with the control, governance and insight required to plan, prioritise, execute and evaluate their project portfolios. Cora PPM eliminates the time and frustration around decision making, report generation, resource allocation, financial tracking and benefits management.


  • Real time enterprise reporting
  • Web/cloud based remote access
  • User, project and portfolio dashboards
  • Strategic resource and capacity management with timesheet functionality
  • Financial management (budget, forecast, actual, committed)
  • Project, programme and portfolio governance
  • Benefits realisation and cost saving management
  • Integration capabilities with multiple systems
  • Risk/issue/change request/project actions management
  • Project prioritisation aligning to strategies and organisations


  • Full audit trail provides governance around project and programme delivery
  • Complete control of project workflow, stage gates and approval
  • Exception reporting provides support for informed decision making for portfolios
  • Visibility of risks and issues to ensure they are mitigated
  • Concise, professional and tailored executive dashboards and reports
  • Effective financial management leading to a reduction in budget overspend
  • Align projects to corporate strategy
  • Customisable smart forms that underpin your current processes and technology
  • Planning and capacity management with comprehensive what-if analysis
  • Easy-to-use, intuitive platform that will mature with your organisation's processes


£600 per user per year

  • Education pricing available

Service documents

G-Cloud 11


Cora Systems

Paul Rees

0800 043 2078

Service scope

Software add-on or extension No
Cloud deployment model Private cloud
Service constraints N/a
System requirements N/a for SaaS

User support

Email or online ticketing support Email or online ticketing
Support response times Support is available during business hours Monday to Friday unless enhanced support has been procured. Each ticket will receive a severity level based on the impact, and response times range from Immediate for Severity 1 (Major Issue) to <2 days for Severity 5 (Minor Issues).
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 A
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 A
Web chat accessibility testing N/a
Onsite support Yes, at extra cost
Support levels Cora provide level 1 (Helpdesk), level 2 (Technical Support) and level 3 (Advanced Technical Specialists) support for Cora PPM.
Support available to third parties Yes

Onboarding and offboarding

Getting started Cora PPM implementations include the necessary consulting scope for onboarding, including user training, data migration and documentation.
Service documentation Yes
Documentation formats
  • ODF
  • PDF
End-of-contract data extraction Upon service expiry, Cora will work with the users to ensure they have a complete set of company data in an agreed format.
End-of-contract process Upon service expiry, Cora will work with the users to ensure they have a complete set of company data in an agreed format. In accordance with their data disposal policy, Cora will also purge and destroy any client data held on our infrastructure 30 days following contract expiry.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service N/a
What users can and can't do using the API Cora PPM has a standard RESTful API. This API uses a JSON format for output. The API is stateless: all requests are validated against an API key. There are two API keys: one for read requests and one for update requests.
API documentation Yes
API documentation formats PDF
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Admin users can customise features available within Cora PPM, including methodologies, stage gates, registers, Project Manager Reporting, KPIs etc.


Independence of resources Service separation is achieved by assurance of service design


Service usage metrics Yes
Metrics types User login and usage metrics, including pages viewed per period
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with another standard
Data sanitisation process No
Equipment disposal approach In-house destruction process

Data importing and exporting

Data export approach Users can export report and dashboard data from Cora PPM in a number of formats including Excel, Word, PDF and PowerPoint.
Cora PPM also provides a built-in interface for the import and export of:
- schedule information to and from Microsoft Project.
- schedule information via Microsoft Excel
- financial information via Microsoft Excel or CSV files
Additionally, Cora PPM has a standard RESTful API that can be used to export data to a variety of systems.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability 99.99% availability
Approach to resilience Available on request
Outage reporting Outages are communicated to users via pre-agreed channels, including email alerts and phone calls.

Identity and authentication

User authentication needed Yes
User authentication
  • Username or password
  • Other
Other user authentication Users can be authenticated onto the system using a number of methods.
• Manual Login – the user must enter their user name and password. The password can be controlled by the administrator in terms of level of complexity and frequency of change
• ADFS – Active Directory Federation Services can be used to authenticate the user directly into the application
• Third party authentication using the SAML 2.0 protocol
Access restrictions in management interfaces and support channels 2-Factor authentication is used to access our hosted client sites for support and maintenance. This access is restricted to the relevant personnel in our CCS team. The access is locked down to Cora Systems IP address range.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for Between 1 month and 6 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications
  • Cyber Essentials
  • Netskope Enterprise-Ready Cloud Confidence Index
  • Qualys SSL Labs A-Rating

Security governance

Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Cora Systems have a Security committee which meets on a monthly basis to carry out risk assessment on any governance issues that need to be addressed in relation to security around the product, the processes and the people within the organisation.
Information security policies and processes Cora Systems has a set of established security policies and processes that are overseen by the Security committee. All employees of Cora Systems sign NDAs and confidentiality agreements on joining the company and all users are continually informed of their security responsibilities, remote access policy and data privacy awareness.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Cora Systems' configuration and change control processes ensure that new features and functionality are analysed, estimated, scheduled and approved for release in a future iteration of Cora PPM. Any changes which could affect security are identified and managed through their lifecycle. Our overarching objective is to enable fixes and enhancements to be made with minimal operational impact.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Cora Systems utilises network and application vulnerability assessment tools to proactively identify security threats and vulnerabilities. Procedures are in place to assess, validate, prioritise and remediate identified issues.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Cora Systems' protective monitoring processes aim to identify compromises through attack, misuse and malfunction. Monitored components include: CPU, memory, storage, database, network components and transactions.
Incident management type Supplier-defined controls
Incident management approach Cora Systems evaluate and respond to incidents that create suspicions of unauthorised access to or handling of customer data. Cora's Security Committee is informed of such incidents and will decide on the appropriate escalation path depending on the nature of the incident.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No


Price £600 per user per year
Discount for educational organisations Yes
Free trial available No

Service documents

  • Pricing document (PDF)
  • Skills Framework for the Information Age rate card (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)