
vCISO & ISO 27001 Implementation

Virtual CISO service and ISO 27001 implementation: ISMS design, risk management, audit preparation and continuous compliance — without the cost of a full-time executive.

Overview

How we work and what you get

Our vCISO is a certified ISO 27001 Lead Auditor and Lead Implementer.

ISO 27001 certification is not a one-time project — it is an ongoing business process that requires leadership, structure and expertise. Our Virtual CISO (vCISO) service gives you exactly that: an experienced security leader who takes ownership of your entire ISMS, from strategy through certification and continuous maintenance.

What we do in practice

  1. Gap analysis & current-state assessment: We identify risks, control gaps and priorities before implementation begins.
  2. ISMS design & setup: Policies, procedures and controls tailored to your organisation, not generic templates.
  3. Risk management: Risk assessment workshops, risk treatment plans and continuous monitoring with clearly assigned risk owners.
  4. ISO Toolbox: Access to a set of ready-made but tailored tools: risk registers, Statement of Applicability (SoA), audit trackers, policy library.
  5. Certification preparation: Stage 1 and Stage 2 audit readiness, internal audits, management review support.
  6. Continuous compliance: Annual surveillance audits, KPI reporting for management, change control and ongoing ISMS improvement.

Why outsource the CISO role?

A full-time CISO costs €80,000 to €150,000+ per year — and you do not always need one. Our vCISO service gives you the same level of expertise and dedication, scaled to your needs and growth stage. Flexible, cost-effective and immediately operational.

Who benefits most?

  • Companies preparing for ISO 27001 certification without an in-house CISO.
  • Startups working with enterprise or EU clients for whom certification is a prerequisite.
  • Organisations in regulated industries (fintech, healthcare, public sector, SaaS) that must demonstrate compliance.
  • Firms that have passed initial certification but lack capacity for ongoing ISMS management.

After certification — our work is not done

We stay as your CISO through the annual surveillance audits, the recertification audit at the end of each three-year certificate cycle, and every change brought by new risks or regulatory requirements. Certification becomes a living business process, not a once-a-year compliance exercise.

Investment

Packages & pricing

ISO Kickstart (Starter)

For startups & small businesses

Implementation: €2,500 – €4,000
Monthly maintenance: €300 – €500
Timeline: 4–8 weeks
  • Gap analysis
  • Basic ISMS setup
  • ISO Toolbox (templates)
  • Initial risk assessment
  • Statement of Applicability
  • Stage 1 audit preparation

ISO Ready (Growth)

Most popular

For full certification

Implementation: €5,000 – €8,000
Monthly maintenance: €600 – €1,000
Timeline: 8–16 weeks
  • Everything in Starter
  • Full risk assessment & treatment
  • Controls implementation (Annex A)
  • vCISO guidance throughout
  • Internal audit preparation
  • Stage 2 certification audit prep

Enterprise vCISO (Advanced)

For mature organisations

Implementation: €9,000 – €15,000
Monthly maintenance: €1,200 – €2,500
Timeline: 3–6 months
  • Everything in Growth
  • Full vCISO role (strategy, oversight)
  • Continuous risk management
  • Regular internal audits
  • KPI & security reporting
  • Support during external audits

* Pricing depends on organisation size, number of employees, IT environment complexity and number of locations.

FAQ

Frequently asked questions

What is a vCISO and why is it useful for SMBs?

A Virtual CISO is an outsourced security leader providing executive-level expertise without the cost of a full-time hire. Ideal for companies that cannot justify a full-time position but need structure, compliance and risk management.

How long does ISO 27001 certification take?

It depends on the size and complexity of your organisation. With our structured approach, implementation and audit readiness take: Starter (4–8 weeks), Growth (8–16 weeks), Advanced (3–6 months). The Stage 1 and Stage 2 certification audits themselves are scheduled with an external accredited certification body, and its lead time comes on top of these figures.

Do we need ISO 27001 certification?

It is increasingly required when working with enterprise clients, EU companies or in regulated industries (healthcare, fintech, public sector). Even without a formal requirement, certification speeds up contract closures and builds trust.

What is the ISO Toolbox?

A set of ready-to-use templates and tools tailored to your context: risk registers, Statement of Applicability (SoA), policies and procedures, audit and compliance trackers. Not generic copies — adapted documents that fit your organisation.

Do you continue support after certification?

Yes. Continuous compliance is part of every package through monthly maintenance. An ISO 27001 certificate is valid for three years: the certification body performs surveillance audits in years one and two and a recertification audit in year three, so the ISMS must be a living system, not a one-year exercise.

How is pricing determined?

Pricing depends on company size, number of employees, IT environment complexity and number of locations. After a short introductory call we provide a precise quote with no hidden costs.