Catalyst IT Europe Ltd

Koha Library Management System

Koha is a purpose-built, web-based library management system. Used by 15,000+ libraries globally, Koha provides a single discovery platform for multiple content sources. Interoperable by design, libraries can choose to use Koha's inbuilt content management facility, integrate with their full website, document repository, or any other online services.


  • Full featured enterprise standard ILS
  • Supports consortia of all sizes, single and multi-branch libraries
  • Library Standards Compliant. MARC 21, UNIMARC, z39.50, SRU/SW, SIP2, SIP/NCIP.
  • Full text searching
  • Plug-in architecture supports acquisitions, circulation, cataloging, serials management.
  • Plug-ins supporting flexible reporting, label printing, multi-format notices, offline circulation
  • Multi-lingual and translatable.
  • Web-based Interfaces - built in XHTML, CSS and Javascript
  • Open source code offers core functionality and bespoke development options.
  • Higly configurable interface


  • Easy access for library staff and users through web browser.
  • Catalogue details of any library item - physical and digital.
  • Automation of standard processes including notifications on overdue/new items.
  • Efficiencies in processing due to MARC and z39.50 compatibility.
  • More effectively manage budgets through the acquisition module.
  • Start small and scale quickly with no user license costs.
  • Customise themes to your organisation's requirements to support user engagement.
  • Manage internal and externally curated resources.


£3000 per instance per year

Service documents

G-Cloud 10


Catalyst IT Europe Ltd

Joey Murison

01273 929450

Service scope

Service scope
Software add-on or extension No
Cloud deployment model Public cloud
Service constraints None.
System requirements Devices (laptop / desktop / mobile ) with internet connection.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Standard application support offered UK business hours (M-F, 9-5) with option for 24/7 at additional cost.

Response times: Critical incident response within 2 hours, standard within 8 hours
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support No
Web chat support No
Onsite support No
Support levels Catalyst offer level 2-4 technical support of cloud hosted Koha LMS. Pricing is subject to negotiation relative to requirements including how mission critical systems are, scale of support need, support hours and geographic location. Catalyst are able to offer dedicated technical account management or onsite support subject to scale of requirements.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Koha has extensive on-line user documentation and support community. Additional bespoke support or training by Catalyst is available if required and on request.
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction Catalyst will provide copies of all data to clients upon request at the end of a service contract. Individual users can export their own data at any time.
End-of-contract process At the end of a contract the Koha site will be closed, removed from service and all data purged. Costs for this are included in the base contract. If a client requires copies of data this can be extract at an additional cost.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Full functionality on desktop through to mobile devices is supported by fully responsive design.
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing Catalyst has an in-house accessibility consultant and can work with individual customers on Koha themes that further support users of assistive technologies and accessibility tools.
What users can and can't do using the API Koha has a Rest API and supports multiple external APIs. These enable reporting, circulations management, exchange of bibliographic and authority records. There are no limitations to how these are set up.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The service may be customised as follows:
- adapt the look and feel of the application through custom theme.
- add specific features to meet bespoke requirements.
- apply 3rd party plug-ins to support specific requirements.
- levels of hosting (user numbers and storage) and support.
Customisations are generally delivered by Catalyst, but can also be configured to be managed by the customer.


Independence of resources The underlying cloud infrastructure is architected with elastic auto-scaling characteristics to minimise performance impacts resulting from other users of the service.


Service usage metrics Yes
Metrics types Catalyst are able to provide web analytics on the usage of the Koha service on request. User logs are accessible by default to administrative users of the system.
Reporting types Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach In-house destruction process

Data importing and exporting

Data importing and exporting
Data export approach Koha provides users with the ability to export their data through CSV within the standard interface.
Data export formats CSV
Data import formats CSV

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Data is encrypted at rest and in transit. Strong security principles and governance ensure proper role separation, minimal privileges granted to each role, and strong defensive security posture.

Availability and resilience

Availability and resilience
Guaranteed availability The Koha service will use commercially reasonable efforts to ensure a Monthly Uptime Percentage of at least 99.90%, in each case during any monthly billing cycle. Service credits for failure to meet guaranteed availability targets can be agreed as part of individual contract negotiations.
Approach to resilience Full redundancy is built into the system architecture with no single point of failure. Additional detail are available on request.
Outage reporting Catalyst use multiple channels to communicate planned and unplanned service outages including on-line support ticketing system, email and phone.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels Configurable permissions within each user group restrict access to site functions as appropriate.
Access restriction testing frequency At least once a year
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for User-defined
How long system logs are stored for Between 1 month and 6 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach Security governance approach
Closely aligned with ISO/IEC 27001:2013, but not formally certified.
Information security policies and processes Catalyst has formal, documented policies and procedures that provide guidance for operations and information security management within the organisation. The policies clearly define scope, roles, responsibilities and management commitment. Staff maintain the policies in a centralised and accessible location, subject to review by the Security Manager. Senior management provides visible support for security initiatives, and ensures appropriate prioritisation and resource allocation in order to maintain good security posture. Policies are reviewed at least annually.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes to Catalyst services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is limited.

Teams set bespoke change management standards per service, underpinned by standard practices.

All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.

Exceptions to change management processes are documented and subject management review.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Catalyst monitors potential threats from a variety of sources including CERT and upstream project channels such as the Debian Security Advisories (DSA).

Supplier notifications and industry updates are assessed by technical team and Critical patches are deployed as soon as possible.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Catalyst use a combination of intrusion detection methods to identify potential security incidents. IDS alarms alert the infrastructure support team immediately.

Upon detection, the affected systems are isolated and analysed, followed by service restoration using fresh cloud infrastructure.
Incident management type Supplier-defined controls
Incident management approach Yes, standard incident response processes are defined for Catalyst staff. Users may report incidents using telephone or the online ticketing system. Incident reports and root cause analysis are published to the customer as PDF documents upon completion.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks Joint Academic Network (JANET)


Price £3000 per instance per year
Discount for educational organisations No
Free trial available Yes
Description of free trial Limited access (user) to a demo instance - refreshed daily. Extended access to a sandbox environment with admin privileges can be negotiated on request.
Link to free trial


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Terms and conditions document View uploaded document
Return to top ↑