Strategic security expertise — flexible and on demand
Not every company can — or wants to — hire a full-time CISO or information security officer. At the same time, ISO 27001, NIS2, DORA, TISAX®, and BSI IT-Grundschutz require clear accountability. We provide experienced security experts on a flexible basis — exactly when you need them.
Why vCISO & vISO on demand
Security expertise without a full-time hire and fixed costs — with clear accountability, regulatory confidence, and immediate availability.
Flexibility & cost control
External security expertise on demand, without a full-time position or fixed costs — scalable from mini-mandates to permanent operations.
Outside perspective
Access to hands-on knowledge from a wide range of industries and projects. An outside view helps spot blind spots.
Regulatory confidence
Meeting the requirements of ISO 27001, NIS2, DORA, TISAX®, BSI IT-Grundschutz, and more — audit-ready at any time.
Seamless integration
Embedded in your existing processes, teams, and committees — remote or on-site, flexibly matched to your calendar.
Strategy & execution
Combining management-level consulting (vCISO) with operational ISMS support (vISO) — from a single source.
Ready to deploy
No onboarding overhead, no recruiting cycle. Within a few days, we take ownership of your security responsibilities.
Two roles, one partnership
We provide both roles — separately or combined — depending on your maturity and regulatory situation.
Virtual Chief Information Security Officer
Strategic steering and management-level advisory. The vCISO reports to executive management and is accountable for the overall security architecture.
- Security strategy: developing and steering a holistic information security strategy aligned with business goals and risk appetite.
- Executive advisory: management-level advice on risks, compliance, security investments, and board reporting in plain language.
- Governance & KPIs: setting up and leading governance structures, security KPIs, reporting templates, and management review processes.
- Stakeholder communication: acting as the interface with regulators, auditors, customers, and partners, from BaFin requests to customer security questionnaires.
Virtual Information Security Officer
Operational ISMS execution and delivery. The vISO works with business units, ensures audit-ready evidence, and supports audits.
- ISMS operations: operating and evolving the information security management system per ISO 27001, BSI IT-Grundschutz, or TISAX®.
- Policies & documentation: creating and maintaining policies, procedural instructions, process documentation, and audit-ready evidence.
- Risk analysis & awareness: conducting regular risk analyses and risk treatment decisions, plus awareness training for staff and leadership.
- Audit support: preparing and supporting internal and external audits and certifications (ISO 27001, TISAX®, BSI IT-Grundschutz), including remediation of findings.
On-demand add-on services
Incident response & emergency
Support during security incidents: coordination, NIS2/DORA/GDPR notifications, crisis communication, and lessons learned.
Status reporting
Regular reports to management and business units — with clear recommendations rather than walls of data.
Regulatory monitoring
Continuous adaptation to regulatory changes (NIS2, DORA, AI Act, CRA) and emerging threat landscapes.
AI Officer on demand
Optional add-on: an AI Officer who oversees the safe and compliant use of AI systems in line with the EU AI Act.
When an external vCISO/vISO makes sense
Start-ups & scale-ups
You need security structures for customer audits (SOC 2, ISO 27001) for the first time — but not a €150k full-time hire. We take on 2-5 days/month and deliver audit readiness.
Mid-market without a CISO
You face NIS2 or DORA but have no internal expert. We build the ISMS, coach your team, and stay engaged as your vCISO long-term.
Interim phase
Your CISO has moved on and a successor search is underway. We bridge 3-12 months without losing know-how and support the search for the right person.
Critical projects
Major audit, certification, cloud migration, or M&A security due diligence — we bring deep expertise on a project basis.
Common questions about the vCISO model
What is the difference between vCISO and vISO?
The vCISO (Chief Information Security Officer) steers security strategy at management level and reports to executive management. The vISO (Information Security Officer) handles operational ISMS execution — policies, audits, training. Many organizations need both — we offer both roles combined or separately.
How much time does a vCISO invest per month?
It depends on need: 2-4 days/month for smaller mandates, 5-10 days for mid-sized companies, up to 50% of a full-time position for complex mandates or regulated industries (DORA, KRITIS). We scale with you.
Can we replace the vCISO internally later?
Yes — that’s our preferred model. We build structures, processes, and knowledge so that an internal successor can take over. We support the search and knowledge transfer over 3-6 months.
Which standards and regulations do you cover?
ISO 27001, ISO 42001 (AI management), ISO 27701 (privacy), BSI IT-Grundschutz, TISAX®, NIS2, DORA, EU AI Act, CRA, GDPR — as well as industry-specific requirements such as BAIT, VAIT, KAIT, KRITIS.
Do you work remotely or on-site?
Both. Remote by default (MS Teams, secure document storage); on-site in the DACH region for important meetings, audits, or workshops. Fixed on-site days per month are also available on request.
What does a vCISO mandate cost?
Daily or monthly rates depending on scope and term. Typically 30-60% less expensive than a comparable internal full-time hire. We provide a concrete offer after a free initial consultation.
Ready for the next step?
In 30 minutes we’ll determine whether and how a vCISO or vISO mandate fits your organization. Free of charge, no obligation — with a clear recommendation afterwards.
"Only when all instruments are well tuned to one another will your organization be secure and compliant."
— Valeri Milke, CEO of VamiSec
