Quorum Cyber Limited

Cloud Security Director as a Service

Our Cloud Security Director as a Service (Cloud SDaS) addresses the issues faced by organisations struggling to mature their security capabilities sustainably, including their cloud posture.
Our Cloud Security Directors (CSDs) embed into your organisation to analyse and document risk exposure and to drive the creation and delivery of a resilience-led security strategy, ensuring a pathway towards improved organisational maturity.


  • Flexible solution based on usage
  • Protect your business and manage risk
  • Ensure legal and regulatory ICT compliance and best practice
  • Provision of leadership to deal with security incidents and breaches
  • A high breadth and depth of public sector experience
  • ISO 9001 compliant quality management framework governing all delivery
  • Highly experienced staff meeting all appropriate regulatory requirements


  • Reduced costs through the engagement model
  • Increased information assurance capability and capacity
  • Increased capability to meet changing demands
  • Reduced management overheads
  • Reduced employment and utilisation costs
  • Increased cyber security capability and capacity
  • Increased regulatory compliance through pragmatic advice and delivery


£800 to £1200 per person per day

  • Education pricing available

G-Cloud 11


Quorum Cyber Limited

Bill Thomson

0131 652 3954


Service scope

Service constraints None
System requirements None

User support

Email or online ticketing support No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support No
Onsite support No
Support levels For this service we appoint a lead consultant/project manager and, depending on the size and scope, a service manager.

They endeavour to establish collaborative, productive relationships with the client and ensure continuous dialogue.

The service begins with a project definition workshop to agree scope, milestones, resources, deliverables, risks and dependencies.

The lead consultant will then be responsible for monitoring and reporting on progress.

For larger engagements we also appoint a service manager who endeavours to ensure that we are an exemplary partner.

The service manager will:

• Construct a stakeholder map so that we understand exactly who needs to be kept informed, updated and consulted about the engagement.
• Work collaboratively with those identified to fully understand the reasons for commissioning this work, and ensure that they receive the desired outcomes.
• Explain clearly and without excessive jargon what we intend to do, and why, at every stage.
• Gain approval for each part of the process as it unfolds, to ensure that full buy-in is achieved.
• Monitor and regularly report on the service, ensuring that any issues are addressed in a timely and efficient manner.
• Ensure that agreed service standards are being met.
Support available to third parties No

Onboarding and offboarding

Getting started At the outset of the service we will appoint a lead consultant, and depending on size of the assignment, a service manager.

The service begins with a project definition workshop to agree scope, milestones, resources, deliverables, risks and dependencies.

We favour focused reporting with this service, which protects against risk and avoids an onerous and time-consuming reporting culture which can, on occasion, hide key issues rather than highlight them.

We agree with the client at the outset how they would like us to manage reporting and governance to ensure an effective working relationship.

This includes format, frequency and content.

As a minimum we normally provide two documents for each report: one aimed at technical stakeholders and one aimed at non-technical stakeholders, the latter often in the form of a presentation.
Service documentation Yes
Documentation formats PDF
End-of-contract data extraction Not applicable
End-of-contract process There are a number of possibilities. In some cases the client simply stops using the service.
In other circumstances, for example where the client has built up an internal team to take over the work, the service can be scaled back gradually to allow a degree of knowledge transfer and support as the internal team takes over.

Using the service

Web browser interface No
Command line interface No


Scaling available No
Independence of resources At the outset of this service we appoint a lead consultant/project manager and a service manager. A key part of their role is managing resource levels, ensuring that we deliver against the timescales and objectives agreed at the outset.
We also have a Resource Manager in our back-office team, who works closely with our project and service managers to maintain the required resource levels.
We also ensure that client knowledge resides within the enterprise and not the individual, making sure that our clients have continuity regardless of the resource delivering any specific work parcel.
Usage notifications No


Infrastructure or application metrics No


Supplier type Not a reseller

Staff security

Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least every 6 months
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process No
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery No

Data-in-transit protection

Data protection between buyer and supplier networks Other
Other protection between networks Not applicable
Data protection within supplier network Other
Other protection within supplier network Not applicable

Availability and resilience

Guaranteed availability This is a consultancy-based assignment with agreed outcomes which do not have a specific SLA
Approach to resilience Resilience in this service is about ensuring that client knowledge is shared across our consultant teams, making sure that knowledge resides with the enterprise and not the individual.
To deliver this, we have processes and tools in place to ensure that knowledge and information is shared across our teams.

The key is constant communication. As a service provider with a highly distributed workforce we take this very seriously.

Partly this is achieved by adopting the right culture, but it also includes making sure that we have relevant policies and procedures in place to encourage good practice, as well as a suite of tools to facilitate this.

Quorum Cyber Security is certified to ISO 27001:2013 for Information Security Management and to ISO 9001:2015 for Quality Management.

We have established a Quality Management System (QMS), presented as part of the company manual.

This QMS identifies our quality processes, their interaction, effectiveness, resource requirements, monitoring, measurement, analysis, knowledge transfer and communication in our distributed environment.

We also make extensive use of cloud collaboration tools such as Dropbox, Zoom Video conferencing and Slack to stay connected and engaged.
Outage reporting Not applicable to this service

Identity and authentication

User authentication Username or password
Access restrictions in management interfaces and support channels Password
Access restriction testing frequency At least every 6 months
Management access authentication Username or password
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for Between 1 month and 6 months
How long system logs are stored for Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 Certified Quality Systems Ltd
ISO/IEC 27001 accreditation date 23/8/18
What the ISO/IEC 27001 doesn’t cover Our certification covers all areas of our business.
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications CREST

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Quorum Cyber is ISO 27001:2013 and ISO 9001:2015 compliant. We implement and maintain an Information Security Management System (ISMS) which is kept fully up to date at all times. Policies and procedures are an integral part of the overall information security and cybersecurity governance framework within Quorum. They are the rules we implement for secure usage of all our information systems and assets. The purpose of these policies is to protect Quorum from all types of threats, whether internal or external, deliberate or accidental and to ensure compliance with legal requirements, regulatory mandates and industry best practices. All staff are expected to be familiar with these policies and procedures, understand their roles and responsibilities and act on them at all times. The board of Directors of Quorum Cyber (Board) is the ultimate owner of the ISMS and all policies and procedures for Quorum. The Managing Director has been appointed by the Board as the leading authority of the ISMS. The Board has delegated the creation, implementation, management and approval of the ISMS and all policies and procedures to the Managing Director.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach We use an ITIL-compliant change management process and keep track of all changes to our systems. Before releasing each component we develop, we perform static source code analysis and create the test cases required to provide sufficient code coverage, including unusual scenarios. On top of this we conduct regular internal vulnerability scans and yearly penetration tests on the platform.
Vulnerability management type Supplier-defined controls
Vulnerability management approach We run regular (weekly) authenticated vulnerability scans of our infrastructure and applications using the Tenable.io vulnerability scanner, and remediate issues according to our patching schedule, or sooner as required for vulnerabilities of medium criticality and above. We analyse internal logs for abnormalities; anything unusual triggers an alarm and a standard playbook response. Bugs that we have detected so far have been resolved within hours at most, and none of them to date have been related to security issues. We are constantly evaluating different tools internally, and we do not use the same vendor year after year for our penetration tests.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Quorum Cyber also provides a Security Operations Centre as a managed service. We monitor all logs using a SIEM platform, which is configured to alert on specific Indicators of Compromise (IoCs) relevant to the threats we are exposed to. When an IoC is triggered it is logged as a security incident and assigned a relevant priority. We respond according to our SLA: P1 = 30 minutes, P2 = 8 hours, P3 = 24 hours.
Incident management type Supplier-defined controls
Incident management approach Quorum Cyber operates a pre-defined incident management process. We use an ITIL-based service management system to assign each incident a priority and classification. Each incident is then handled according to the pre-determined SLA. Built into the system is a level of automation that ensures SLAs are never missed (auto-escalation to a team leader) and incidents are never left unresolved. We also use automation to handle repeat incidents that have standard resolutions.

Secure development

Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart No

Energy efficiency

Energy-efficient datacentres No


Price £800 to £1200 per person per day
Discount for educational organisations Yes
Free trial available No

Service documents

  • Pricing document (PDF)
  • Service definition document (PDF)
  • Terms and conditions (PDF)