Moebian ARQ

Moebian ARQ is a low cost cloud service providing auditors and information security teams an easy to use comprehensive information security audit tool. Moebian ARQ is ideal for managing and implementing risk based auditing needed to meet ISACA and ISO27001 guidelines.


  • Easy to use and access via standard web browsers.
  • Record information and digital assets.
  • Perform and record risk and threat assessments against your assets.
  • Design and build audits to test security and compliance.
  • Plan, undertake and monitor progress of audits.
  • View and analyse audit results risk impacts in real time.
  • Produce high quality management and operational reports.
  • Add improvement tasks and monitor progress of actions.
  • Online training and help guidance.


  • Real time analysis saves time wading through spread sheet results.
  • Collaborative working to increase audit team performance.
  • Low cost value for money


£49 to £250 per licence per month

  • Free trial available

Service documents


G-Cloud 11

Service ID

7 5 4 0 1 7 2 6 2 0 3 1 4 7 1



Brian Edmondson

+44 7970507628

Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Additional enhanced reporting packages.
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints No.
System requirements Clients require a standard internet browser.

User support

User support
Email or online ticketing support Email or online ticketing
Support response times Monday to Friday same working day. Support is only offered between 09.00 and 16.30 weekdays.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support No
Web chat support No
Onsite support Yes, at extra cost
Support levels Support is provided via email and online access to the Moebian Helpdesk. This provides clients with access to technical support engineers.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Online training and online user documentation is provided.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction At the end of the contract data can be exported using built in reports or a request for a full extract can be made via a request to the help desk.
End-of-contract process At the end of contract the system is retained for six months. During this time the system administrator will be allowed access to extract data as xml files via standard export features. A standard extract can be provided in csv format via a request to the helpdesk.

Non standard extracts that are requested by the customer will be considered. If the request requires significant work then a quotation will be provided based on the standard charges for bespoke services.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Access is via internet browsers rather than dedicated apps. Screens automatically adapt to device displays.
Service interface No
Customisation available Yes
Description of customisation The system is configurable to local user requirements. A system Administrator role is provided to with permissions to configure the system.


Independence of resources The Moebian ARQ Architecture is scalable with each customer allocated a separate database. The application is hosted in a secure Microsoft Azure service which is able to be adapted as required.


Service usage metrics Yes
Metrics types We extract and make available as part of the user adoption and education process as well as service reviews.
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a CHECK service provider
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data importing and exporting
Data export approach The system has export tools that export data in XML format.
Data export formats
  • CSV
  • Other
Other data export formats XML
Data import formats Other
Other data import formats XML

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability Standard is 99.5. Higher level can be defined as part of enhanced requirements for large organisations.
Approach to resilience Available on request. All components in the solution have multiple redundancy.
Outage reporting Public dashboard.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels Access is restricted by role based access security systems.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified No
Security governance approach We ensure alignment with 27001 as well as other standards and are undertaking official compliance in 2020.
Information security policies and processes All access, loging, checking storage processes and threat protection solutions are audited regularly and all align to good practice.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach A common code set is applied to all customers systems when updates are released. The release of updates is applied monthly or as necessary if urgent updates need to be applied. Customers are advised of the changes and any downtime in line with the service contract.
Vulnerability management type Supplier-defined controls
Vulnerability management approach The core systems are provided by Microsoft Azure hosting. Updates are controlled by Microsoft.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Risk assessments are undertaken on a regular basis in accordance to the Moebian security policy. Vulnerabilities will be responded to based on the risk posed by the vulnerability or compromise. This may be immediately or through a controlled urgent patch.
Incident management type Supplier-defined controls
Incident management approach Incidents are logged on the help desk and responded to based on the priority of the incident. The help desk provides feedback mechanisms via email and a knowledge base. In addition messages can be posted on the help desk landing page to alert to serious incidents or outages.

Secure development

Secure development
Approach to secure software development best practice Supplier-defined process

Public sector networks

Public sector networks
Connection to public sector networks No


Price £49 to £250 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Full access to the system for 28 days.

Service documents

Return to top ↑