v-CISO Package

Virtual Chief Information Security Officer

A virtual chief information security officer (vCISO) is a C-level consultant, who provides cyber security support as per an in-house senior executive. The vCISO acts as an extrinsic force for evaluating a firm’s security systems – they pull no punches in their appraisal and they offer great value to SMEs, as well as larger organisations.

High Level Process Overview

Reconnaissance & Scoping

Duration: up to 3 months

Deliverable: Reconnaissance Phase Questionnaire (500+ questions answered with a 1-5 COBIT 5 maturity score)

Benefits: Reconnaissance phase allows customer to understand their security posture against best practice standards. Understand which compliance requirements apply (GDPR, PCI, etc.) and increase organizational transparency.

Requirements – First week on site to meet the following key stakeholders:

  • Head of Security (for policy/strategic questions)
  • Data Protection Officer (to understand Privacy posture)
  • Enterprise Architect (for overview of technology landscape)
  • Sec Architect (for overview of security solutions landscape)
  • Someone with deep technical knowledge of IT systems (5+ years in the company)
  • HR Head or manager (for joiners, movers, leavers policies and processes)
  • Compliance lead (to understand awareness of any external drivers)
  • Internal Audit lead (to understand true posture and any pain points)
  • Team Leads for typical business processes (sales for PCI, etc.)

All relevant questions will be posed to the specific stakeholders, and they can either answer themselves, or point us in the right direction for a follow-up meeting with the relevant stakeholder. Questions may be presented ahead of time, to speed up the reconnaissance phase.


Duration: up to 1 month

Deliverable: Maturity Assessment report with key threats to your industry. Scores based on COBIT 5 (best practice maturity model) and benchmarked to other similar orgs.

Benefits: Know what your security posture looks like versus the specific threats within your industry, as well as other orgs within your industry. Know where you are the most and least mature. This enables us to develop a risk-based security improvement roadmap.

Security Improvement Roadmap

Duration: up to 2 months

Deliverable: A fully prescriptive information security strategy, in the form of a risk-based roadmap with cost estimates as well as estimate timelines. Additional project budget will be required for the next phase.

Optional extra: Struggling to get the boards attention? We can help you attain budget by drafting up a business case with clear ROIs for each item on the roadmap. This will be preceded by some awareness raising around why security is important, in order to influence the appetite of the board. We will include a number of oganisational KPIs to track and report back on, post project implementation. These KPIs will provide the board with the assurance that the security investments were worthwhile.

Benefits: This roadmap will help you address the most critical organisational risks and control gaps first.

Each proposed solution will have a clear description of the benefits and expected ROI, using quantitative risk analysis to demonstrate annual loss expectancy before and after solutions are implemented and tested/validated.

Remediation Work

Duration: Based on client’s budget and timelines

Security Improvement Projects are generally implemented locally by the client, using their own resources. We provide ongoing consulting support during the project, to ensure deliverables are aligned with the original requirements.

Optional extra quality control phase: If needed, we can be involved in the evaluation of solutions proposed by different vendors. We offer vendor-neutral advice.

Benefits: Remediating your organisation’s risks is the core reason for investing in cyber security.

Maturing your security posture will help you prevent, detect, respond and assure that your information assets are protected. Security-by-design decreases overall costs of operations dramatically. Digitalize your organisation and bring it into the information era with confidence.

Post Implementation Validation Audit & ISO27001 Accreditation

This phase is the simplest, because our consultants have already been involved from day 1. It is basically a ‘check in the box’, once the necessary projects and processes have kicked off, demonstrating continuous security improvement.

Benefits: Boosts company reputation, share value and gives a unique selling point/advantage in a competitive market. Show your customers that you care about their rights and data security!

Accreditation to ISO27001 will demonstrate proof of due diligence and due care, thereby helping to reduce massive GDPR fines, PCI fines and any others your organisation may face.

We offer vCISO support for your firm’s cyber security programme, with longterm security strategy implementation and continuous improvement in mind, either by leveraging what you already have in place, or by establishing security from the ground up (and top-down via policies and strategy).

Our vCISO service allows organizations to conduct a comprehensive assessment of their security posture, thus pinpointing weaknesses and optimizing security spend and ROI over the long-term.


Acting either as a long-standing advisor for your organisation, or as interim CISO; a vCISO will step in to establish security policies, standards and procedures, implement control frameworks, and establish processes which detect and respond rapidly to incidents; allowing you to continually refine your approach and address the dynamic threat landscape in line with industry best practices and regulatory requirements.

This service is a cost-effective model that can be scaled – both in length and scope – to meet the specific and unique security needs and risk appetite of the client. Through this package our clients can focus on their core business activities, whilst being assured that their information assets are available, effective and safe.

Cost Efficient


Trusted and independent advice


Establishing a risk-based security roadmap


Implementing and transforming security culture within your organization


Compliance with industry standards and regulations


Improved consumer confidence and reputation


Continuous measurement and development of security systems