Cloud Hosting TIBUS PaaS

TIBUS PaaS allows you to create, build and scale Virtual Servers with selected O/S and database on demand. Typically these are used for Production, Test and Development environments, priced on an Annual, Monthly, Daily and Per Hour basis. All services are ISO27001 accredited (equivalent IL2/IL3).


  • Secure ISO27001 platform
  • 99.999% Availability. No single points of failure
  • Fully Managed IaaS Platform proactively monitored 24x7x365
  • Fixed, Burstable & Elastic models available
  • Discount Scheme


  • Peace of mind. ISO27001 accredited platform managed 24x7x365
  • Data Sovereignty UK Datacentres
  • Service Guarantee. SLA & Service Credits regime
  • Competitive pricing & Discount Scheme


£35 to £1,260 a unit a month

  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at info@tibus.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

938422331499237


TIBUS Steven Wright
Telephone: 02890331122
Email: info@tibus.com

Service scope

Service constraints
System requirements
Internet Access

User support

Email or online ticketing support
Email or online ticketing
Support response times
Our ticketing system is monitored 24 hours / 365 by our in-house support team. Once a fault has been detected / logged it will be classed according to priority codes and allocated a resolution target time.
Standard response times for lower priority tickets may not be applicable at weekends.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Our approach is to work with clients to determine a matrix for all service issues and create a prioritised target response time for each category. All targets are documented in a comprehensive and bespoke SLA.
Priority 1 - Client Service non-functional with high impact
Response 15 minutes. Resolution 1 hour.
Priority 2 - Client Service functional but with impact
Response 15 minutes. Resolution 1 hour.
Priority 3 - Minor Problems, low impact
Response 15 minutes. Resolution 4 hours.
Priority 4 - Cosmetic, documentation errors
Response 60 minutes. Resolution 4 hours.
Priority 5 - Change Control
Request dependent. Agreed with client.

Service calls logged via telephone, email and self-service portal. Each call is logged at the Tibus Service Desk and a unique call reference number issued to the caller so that the call can be identified throughout the support process. The initial priority of the call will be agreed with the caller, based on the predefined impact and urgency matrix. Where there is a specific business need, a call may be assigned a higher priority level at the caller’s request. Proactive support 24x7x365. Service desk 0800-1800 normal business days. Optional 24x7x365 access to engineer £100/Month.
Support available to third parties

Onboarding and offboarding

Getting started
The Tibus support desk will be available to assist as required and take you through our Technical Migration process. Equally if required we can manage the transition for you.
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
As part of the Exit Management process we will assist with the smooth transition of the service to another platform and provide a snapshot of the latest build.
End-of-contract process
No additional cost.

Using the service

Web browser interface
Using the web interface
Access via Internet to set up or make server changes. There are no limitations.
Web interface accessibility standard
WCAG 2.1 AA or EN 301 549
Web interface accessibility testing
We use Selenium to test web interfaces.
Command line interface


Scaling available
Independence of resources
Our capacity planning process monitors our entire network resource and will increase capacity as we reach 70% usage.
Usage notifications
Usage reporting
  • Email
  • Other


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • Network
  • Number of active instances
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
Hardware containing data is completely destroyed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
What’s backed up
  • All data
  • Virtual Server build
  • Databases
Backup controls
Backups can be tailored as required and the support desk will be available to assist.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Users contact the support team to schedule backups
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
We provide 99.999% availability supported by service credits. If the service is unavailable for over 0.001% of the time within a month, upon the Customer's request, we will credit the Customer's account the pro-rated cost for one day's charges for each hour of unavailability, up to a maximum of 1 week’s charges within any one month. For the purpose of this Service Availability Commitment Remedy, a Week shall mean the period from 12:00:01 AM Monday, until 12:00:00 AM the following Sunday.
Approach to resilience
Cloud and hosting services are delivered from our Tier 3 and 4 ISO 27001 accredited datacenters. All datacenters operate to ISO27001, ISO22301, ISO 50001, ISO9001, ISO 14001, OHSAS 18001, PCI DSS standards and are audited and operated to the EU Code of Conduct’s best practice for datacenters. VESDA detection technology is installed and all infrastructure is monitored 24x7x365 by the Network Operations Centre (NOC). There are dual 10G connections between each of our datacentres for resilience and we peer with 5 different Tier 1 telecoms to provide the best connectivity and internet routes worldwide. In addition we are a member of INEX, LINX and LONAP for further capacity and resilience. There are no single points of failure, with redundancy built in at every layer of the load balanced platform, as well as within the core. Tibus can facilitate any frequency of backups e.g. hourly, daily or anything in between. All data, including server configuration, application data and configuration, is backed up at minimum on a daily basis, and retained for a minimum of 30 days.
Outage reporting
Direct contact from Service Desk or email.

Identity and authentication

User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Limited access network (for example PSN)
  • Dedicated link (for example VPN)
  • Username or password
Access restrictions in management interfaces and support channels
Our Access Control Policy ensures that the principles of ‘least privilege’ and ‘need to know’ are applied consistently across the management of authorised access to information assets including management interfaces and support channels.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
  • Dedicated device on a segregated network (provider's own provision)
  • Dedicated device on a government network (for example PSN)
  • Any device but through a bastion host (a bastion host is a server that provides access to a private network from an external network such as the internet)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Certification Europe
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
All Tibus business processes are covered by ISO27001
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
PCI DSS via Datacentres

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
TIBUS ISO27001 scope includes but is not limited to: Secure Engineering Principles Supplier Assurance Training and Awareness Information Security Metrics & KPIs Remote Working Removable Media Security Education and Awareness Access Control Policy Accounting and Audit Anti Malware Operating System Hardening Business Security Continuity Management Business Security Continuation Plan Change Management Policy Cryptography Policy Customer Access Management Email Usage Forensic Readiness IA Policy Incident Identification Reporting and Management Information Classification Information Security in Project Management Information System Backup Information Transfer Internal Audit IT Account Management - Users IT Account Policy – Administrator Mobile Device and Telephony Network Security Patch Management Physical and Environmental Controls Secure Information Asset Disposal Virtual Private Network Document Control Employee Arrivals Employee Exit Employee Movers Security Operating Procedures Corrective Action. There is an IT Security Working Group chaired by the SIRO and including ITSO, Change Managers, Systems Manager. Reporting structure is available as an Organisational Chart detailing ISMS.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We have a bespoke change management tool to enable all change requests to be logged, tracked, approved/rejected and reported on. The change management process includes:
• Documented Change Requests;
• Identification, prioritisation and initiation of change;
• Proper authorisation of change;
• Requirements analysis;
• Inter-dependency and compliance analysis;
• Business Impact Assessment;
• Change approach;
• Change testing;
• UAT and approval;
• Implementation, release planning and roll back procedures;
• Documentation;
• Change monitoring;
• Defined responsibilities of all users and IT personnel;
• Emergency change parameters.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Patch management is part of ISO27001. Resources available for monitoring the status of vulnerabilities and patches include vendor/3rd party websites, mailing lists, vulnerability databases and network management tools that scan for vulnerabilities and provide information regarding needed patches and other software updates on those computers. Patch deployment should be conducted under the direction of the Change Manager. Patches must be applied in a structured and methodical way, based on a determination of priority and within pragmatic timeframes: Emergency 24 hours, High priority 7 days, Medium within 30 days.
Systems are in place to alert NOC to potential issues as soon as they develop.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Systems are in place to alert NOC to potential issues as soon as they develop. The G Cloud platform sits behind perimeter enterprise-class, redundant core routers, firewalls and intrusion prevention systems. This includes Syslog, Netflow and use of MD5 passwords. Perimeter firewalls are configured with ports locked down. Other ports are locked down to individual fixed IP addresses. Cisco IPS provides real-time traffic analysis and packet logging on our IP networks, performing protocol analysis and content searching/matching to detect buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting. Regular vulnerability assessments of the core network are undertaken.
Incident management type
Supplier-defined controls
Incident management approach
We provide a consolidated incident management process. The primary objective of the process is to restore normal operation as soon as possible, in accordance with service levels. The Incident Manager responsibilities include:

• Ensuring that issues are accurately recorded and that investigation is undertaken in a timely manner;
• Agreeing an appropriate priority with impacted users;
• Communicating relevant information about the incident and resolution progress to impacted users;
• Ensuring that business and technical escalations are managed in line with agreed best practice and service level targets;
• Communicating resolution and closure of the incident to impacted users.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Virtualisation technologies used
How shared infrastructure is kept separate
Each organisation has its own VPN. Private Cloud clients are also on their own physical hardware.

Energy efficiency

Energy-efficient datacentres
Description of energy efficient datacentres
Equinix is a Corporate Participant in the European Code of Conduct for Energy Efficiency in Data Centres programme.

Telehouse holds ISO standards 14001 (Environmental Management) and 50001 (Energy Management).


£35 to £1,260 a unit a month
Discount for educational organisations
Free trial available
Description of free trial
So you can gain confidence in our ability to deliver, Tibus are offering a free trial for 1 Month service use in a development and/or test environment. Please contact us for details.
