Quorum Cyber Limited

Cloud Security Director as a Service

Our Cloud SDaS addresses the issues faced by organisations struggling to mature their security capabilities sustainably, including their cloud position.
Our CSD's embed into your organisation to analyse and document risk exposure, drive the creation and delivery of a resilience-lead security strategy, ensuring a pathway towards improving organisational maturity.


  • Flexible Solution based on usage
  • Protect your business and manage risk
  • Ensure legal and regulatory ICT compliance and best practice
  • Provision of leadership to deal with security incidents and breaches
  • A high breadth and depth of public sector experience
  • ISO 9001 compliant quality management framework governing all delivery
  • Highly experienced staff with all appropriate regulatory requirements


  • Reduced costs through engagement model
  • Increased capability and capacity of information assurance
  • Increased capability to meet the changing demands
  • Reduced management overheads
  • Reduced need for employment costs and utilisation
  • Increased capability and capacity of Cyber Security expertise
  • Increased regulatory compliance through pragmatic advice and delivery


£800 to £1200 per person per day

  • Education pricing available

Service documents


G-Cloud 11

Service ID

5 3 8 9 5 3 2 9 2 6 0 1 6 5 2


Quorum Cyber Limited

Bid Team

+44 333 444 0041


Service scope

Service constraints
System requirements

User support

Email or online ticketing support
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Support levels
For this service we appoint a lead consultant/project manager and, dependent on the size and scope, a service manager.

They endeavour to establish collaborative, productive relationships with the client and ensure continuous dialog.

The service begins with a project definition workshop to agree scope, milestones, resources, deliverables, risks and dependencies.

The lead consultant will then be be responsible for monitoring and reporting on progress.

For larger engagements we also appoint a Service Manager who endeavours to ensure that we are an exemplary partner.

He/She will:

• Construct a Stakeholder Map, which will allow us to understand exactly who needs to be kept informed, updated and consulted about the engagement.
• Work collaboratively with those identified to fully understand the reasons for commissioning this work, and ensure that they receive the desired outcomes.
• Explain clearly and without excessive jargon what we intend to do, and why, at every stage.
• Gain approval for each part of the process as it unfolds, to ensure that that full buy-in is achieved.
• Monitoring and regularly reporting on the service and ensuring that any issues are addressed in a timely and efficient manner.
• Ensuring that agreed service standards are being met.
Support available to third parties

Onboarding and offboarding

Getting started
At the outset of the service we will appoint a lead consultant, and depending on size of the assignment, a service manager.

The service begins with a project definition workshop to agree scope, milestones, resources, deliverables, risks and dependencies.

We favour focussed reporting with this service,which protects against risk and avoids an onerous and time-consuming reporting culture which can, on occasions, hide key issues rather than highlight them.

We agree with the client at the outset how they would like us to manage reporting and governance to ensure an effective working relationship.

This includes format , frequency and content.

As a minimum we normally provide two documents for each report. One technical aimed and one aimed at non technical stakeholders, often in the form of presentation.
Service documentation
Documentation formats
End-of-contract data extraction
Not applicable
End-of-contract process
There are a number of possibilities. In some cases the client simply stops using the service.
In some circumstance, where for example the client has built up an internal team to take over the work, the service can be scaled back gradually to allow a degree of knowledge transfer and support as the internal team take over.

Using the service

Web browser interface
Command line interface


Scaling available
Independence of resources
At the outset of this service we appoint a lead consultant/project manager and a service manager. A key part of there role is in managing resource levels, ensuring that we deliver against timescales and objectives agreed at the outset.
We also number a Resource Manager in our back office team, who works closely with our project and service managers to maintain the required resource levels.
We also ensure that client knowledge resides within the enterprise and not the individual, making sure that our clients have continuity regardless of the resource delivering any specific work parcel.
Usage notifications


Infrastructure or application metrics


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least every 6 months
Penetration testing approach
‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery

Data-in-transit protection

Data protection between buyer and supplier networks
Other protection between networks
Not applicable
Data protection within supplier network
Other protection within supplier network
Not applicable

Availability and resilience

Guaranteed availability
This is a consultancy based assignment with agreed outcomes which do not have a specific SLA
Approach to resilience
Resilience in this service is about ensuring that client knowledge is shared across our consultant teams, making sure that knowledge resides with the enterprise and not the individual.
To deliver this, we have processes and tools in place to ensure that knowledge and information is shared across our teams.

The key is constant communication. As a service provider with a highly distributed workforce we take this very seriously.

Partly this is achieved by adopting the right culture, but it also includes making sure that we have relevant policies and procedures in place to encourage good practice as well a suite of tools to facilitate.

Quorum Cyber Security is ISO 27001:2013 accredited for Information Security Management, and have ISO 9001:2015 accreditation for Quality Management.

We have an established a Quality Management System (QMS) presented as part of the Company manual.

This QMS identifies our quality processes, their interaction, effectiveness, resource requirements, monitoring, measurement, analysis, knowledge transfer and communication in our distributed environment.

We also make extensive use of cloud collaboration tools such as Dropbox, Zoom Video conferencing and Slack to stay connected and engaged.
Outage reporting
Not applicable to this service

Identity and authentication

User authentication
Username or password
Access restrictions in management interfaces and support channels
Access restriction testing frequency
At least every 6 months
Management access authentication
Username or password
Devices users manage the service through
Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information
Users receive audit information on a regular basis
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users receive audit information on a regular basis
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
Certified Quality Systems Ltd
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Our certification covers all areas of our business.
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Quorum Cyber is ISO 27001:2013 and ISO 9001:2015 compliant. We implement and maintain an Information Security Management System (ISMS) which is kept fully up to date at all times. Policies and procedures are an integral part of the overall information security and cybersecurity governance framework within Quorum. They are the rules we implement for secure usage of all our information systems and assets. The purpose of these policies is to protect Quorum from all types of threats, whether internal or external, deliberate or accidental and to ensure compliance with legal requirements, regulatory mandates and industry best practices. All staff are expected to be familiar with these policies and procedures, understand their roles and responsibilities and act on them at all times. The board of Directors of Quorum Cyber (Board) is the ultimate owner of the ISMS and all policies and procedures for Quorum. The Managing Director has been appointed by the Board as the leading authority of the ISMS. The Board has delegated the creation, implementation, management and approval of the ISMS and all policies and procedures to the Managing Director.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We use an ITIL compliant change management process, and we keep track of all changes on our systems. Before releasing each of the components on our development we perform a static source code analysis of the code and we also create the required testcases to provide sufficient code coverage containing unusual scenarios. On top of this we conduct regular internal vulnerability analysis scans and yearly penetration tests on the platform.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We run regular (weekly) authenticated vulnerability scans of our infrastructure and applications using Tenable.IO vulnerability scanner, and remediate issues according to our patching schedule or as required (for medium and above criticality vulnerabilities). We analyse internal logs for abnormalities. Anything unusual triggers an alarm and a standard playbook solution.Bugs that we have detected so far have been resolved within hours at most, and none of them at present have been related to security issues. We are constantly analysing internally different tools and we do not reuse year after year the same vendors for our penetration tests.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Quorum Cyber also provides a Security Operations Centre as a managed service. We monitor all logs using a SIEM platform, which is configured to alert to specific Indicators of Compromise (IoCs) that are relevant to the threats we are exposed to. When an IoC is triggered it is logged as a security incident and assigned a relevant priority. We respond according to our SLA - P1 = 30 mins, P2 = 8 hours, P3 = 24 hours.
Incident management type
Supplier-defined controls
Incident management approach
Quorum Cyber operates a pre-defined incident management process. We utilise an ITIL based service management system to assign each incident a priority and classification. Each incident is then handled according to the pre-determined SLA. Built into the system is a level of automation that ensures that SLAs are never missed (auto-escalation to a team leader) and incidents are never left unresolved. We also utilise automation to automate repeat incidents with standard resolutions.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart

Energy efficiency

Energy-efficient datacentres


£800 to £1200 per person per day
Discount for educational organisations
Free trial available

Service documents

Return to top ↑