Quod Orbis

Cybersecurity Controls and Automation

Via the Digital Risk Engineering, Analytics and Management platform we deploy real-time monitoring and automation of controls, security metrics, threat modelling and continuous reporting. Working closely with our clients in alignment with their business priorities we:

Identify real risk, vulnerabilities.
Automate measures and controls.
Monitor and continuously improve.


  • Control Identification using scientific, quantitative and proven methodologies
  • Organisational Compliance
  • Automate and measure controls and maturity in key control areas
  • Monitor and Continuously reduce risk


  • Improve and continually assess effectiveness of controls against defined objectives
  • Identify areas for improvement at the micro and macro levels
  • Demonstrable improvements to the organisations treatment of risk
  • Define and prioritise controls to close exposures and ensure compliance
  • Pragmatic guidance for Cyber/Digital Risk Management


£5,000 a licence a year

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

4 7 0 6 7 1 0 2 6 0 7 8 7 9 3


Quod Orbis Ami Penolver
Telephone: 02039622206
Email: ami.penolver@quodorbis.com

Service scope

Service constraints
None that we are aware of at this stage
System requirements
  • None
  • None

User support

Email or online ticketing support
Email or online ticketing
Support response times
Immediately (inc weekends)
User can manage status and priority of support tickets
Online ticketing support accessibility
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Onsite support
Support levels
Support levels and costs depend on the customer requirement and the number of security controls that are being defined and monitored. This can range from 0 - 250 controls in line with our mandate to continually monitor and improve.
Support available to third parties

Onboarding and offboarding

Getting started
Every Quod Orbis Cyber Security Controls and Automation project is delivered using our team of service specialists. All the onboarding requirements are defined during the initial service workshop
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Once the contract ends Quod Orbis can provide all service data held on behalf of the client. All data held by Quod Orbis will be destroyed 30 days after the end of contract unless otherwise previously agreed.
End-of-contract process
If required Quod Orbis can provide end of contract migration services at an additional cost. That is, costs that fall outside of the initial contract.

Using the service

Web browser interface
Using the web interface
Web interface provides full functionality.
Web interface accessibility standard
Web interface accessibility testing
None at this stage
Command line interface


Scaling available
Scaling type
Independence of resources
As well as continuously monitoring the environment, Quod Orbis offers a SLA of 99.9% across the service.
Usage notifications
Usage reporting


Infrastructure or application metrics
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
Reporting types
Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
Physical access control, complying with SSAE-16 / ISAE 3402
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Backup and recovery

Backup and recovery
What’s backed up
  • Virtual machines
  • Data
  • Databases
Backup controls
Part of the service not user controlled.
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability
Service availability SLA is 99.9%. A percentage of the monthly service charged is paid back to the client for missing the agreed SLA
Approach to resilience
Available on request
Outage reporting
For any outages we will email and SMS any service administrators

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
Access restrictions in management interfaces and support channels
Management interfaces only accessible to Quod Orbis using IP whitelisting and secure authentication.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
Devices users manage the service through
Dedicated device on a segregated network (providers own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials Plus

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance approach
We have aligned our ISMS to ISO/IEC 271001. We are a new company and we are working towards accreditation
Information security policies and processes
Quod Orbis is working towards ISO 27001 and is developing a full information system

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
The Quod Orbis portal provides a full ticketed change management system. All changes are logged and available for viewing in the portal. Before any change is implemented a security risk assessment is performed.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Quod Orbis has a three stage Vulnerability Management process.

1. Continuous automated vulnerability assessment by a 3rd party service
2. Quarterly vulnerability testing by Quod Orbis internal team
3. Bi-annual testing by a CREST or Tiger accredited organisation
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our protective monitoring processes are based and run in accordance with the service and customer requirements.

The Quod Orbis service is monitored 24x7 for potential service compromises and breaches. If such an occurrence would happen we will notify the client or clients immediately we are aware of the impact identify potential compromises.
Incident management type
Supplier-defined controls
Incident management approach
We have a number of pre-defined process for common events and ones specific to the Quod Orbis service. If a user were to need to report an event we have three methods: Portal, email or for urgent events telephone. We provide incident report reports via the Quod Orbis portal.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Who implements virtualisation
Third-party virtualisation provider
How shared infrastructure is kept separate
The underlying virtualisation technology deployed by our cloud provider ensures the separation of client instances.

Energy efficiency

Energy-efficient datacentres


£5,000 a licence a year
Discount for educational organisations
Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ami.penolver@quodorbis.com. Tell them what format you need. It will help if you say what assistive technology you use.