77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide77 officer roles, all coveredArt. 33 GDPR, 72 hours to report a breach93 controls under ISO/IEC 27001:2022905 ready-to-run audit templates in the workspace§ 130 OWiG, supervisory duty of the management boardOfficer appointment letter, signed, filed, evidencedOne workspace for tasks, trainings, audits, documentationDIN 14095 fire protection plans, standardisedEU AI Act, the first horizontal AI regulation worldwide
External CISO: When the virtual security officer is the right model
IT Security & NIS-2

External CISO: When the virtual security officer is the right model

8 June 202613 min readBy Lena Vogt
CIVAC

With NIS-2 and ISO/IEC 27001:2022, the need for strategic security leadership is growing. An external CISO takes on governance, risk and reporting lines to management without having to fill the position internally. This post explains when the model wears and when not.

The NIS 2 Implementation Act obliges around 29,500 companies in Germany to formally assume management responsibility for cybersecurity, including training requirements and personal liability in accordance with Section 38 NIS2UmsuCG. At the same time, ISO/IEC 27001:2022 requires documented ISMS responsibility with a clear reporting line. In many medium-sized companies there is no senior position for this. An internal full-time CISO position costs 180,000 to 260,000 euros per year including additional costs and often cannot be filled within six months.

The external CISO, also called virtual CISO or CISO-as-a-Service, is the operational answer to this gap. He takes on governance, risk management, reporting to management and oversight of internal security roles without having to fill the position internally. This article clarifies tasks, differentiation from ISB, realistic costs and the requirements for a viable model.

Key Takeaways

  • The external CISO is responsible for strategy, governance and reporting lines, while the ISB provides the operational implementation of the security measures.
  • Realistic effort in medium-sized companies is between 4 and 12 man-days per month, plus audit and incident peaks.
  • The model only becomes viable with a written order, clear escalation rules and a platform that keeps evidence auditable.

What a CISO does and why the role cannot be delegated at will

The Chief Information Security Officer has strategic responsibility for a company's information security. In terms of content, the role covers three levels. Governance: Security strategy, guidelines, compliance with ISO/IEC 27001:2022, NIS-2, industry-specific requirements (BSI-KritisV, BAIT, VAIT, KAIT). Risk management: risk inventory, assessment, treatment plan, residual risk acceptance by management. Reporting line: regular reporting to the board or management, escalation in the event of incidents, interface to authorities and insurers.

Unlike the Information Security Officer (ISB), who is responsible for operational implementation, the CISO acts at management level and is often directly linked to management. In large corporations, both roles are filled separately. In medium-sized companies they often merge, which is legally permissible but not trivial from an organisational point of view: strategy work and operational tickets take up different time profiles. If you combine reporting duties and hands-on work on one person, you risk leaving one of them behind. The external variant solves exactly this dilemma by clearly delegating strategic responsibility to a function with senior experience, while internal employees carry out the operational implementation.

External CISO vs. External ISB: distinction in practice

Confusing the two roles is the most common pitfall when assigning roles. An external ISB is usually focused on operational topics: asset inventory, technical and organisational measures, awareness measures, incident processing, audit preparation. Daily rates are typically between 900 and 1,400 euros net. An external CISO works at management level: security strategy, risk appetite, investment decisions, reporting to the supervisory board, insurance and authority communication. Daily rates 1,400 to 2,200 euros net, depending on the industry and seniority.

In practical terms, this means: Anyone who buys an external service provider who only closes tickets and fills out templates does not have a CISO, but rather an ISB. On the other hand, anyone who purchases security strategy, risk reporting and C-level communication but does not have an operational hand in the system also needs an ISB. In reality, a mixed model prevails: external CISO with a defined hourly quota for strategy and reporting lines, plus internal or external ISB team for operational implementation. The written order must clearly separate both roles so that liability and escalation are clear. The appointment certificate, signed, filed, verifiable.

Tasks of the external CISO in the first year

A typical mandate starts with an assessment of the situation. In the first four weeks, existing documentation is reviewed: security guidelines, risk inventory, ISMS status, NIS-2 self-classification, existing audit reports, incidents from the last 24 months. This results in a gap analysis with a prioritised list of measures and a roadmap that is aimed at ISO/IEC 27001:2022 certification or NIS 2 conformity.

Months two to six: setting up or consolidating the ISMS, maintaining the risk inventory, introducing or revising security guidelines, training program for management (according to Section 38 NIS2UmsuCG) and employees. Months seven to twelve: internal audits, preparation of certification, reporting to management on a quarterly basis, setting up the 24/72 reporting path for NIS-2. Expenses fluctuate: 12 to 16 days per month are realistic in the starting quarter, 4 to 8 days in the steady state. Audit and incident phases temporarily increase demand. Reporting to management cannot be delegated and must be carried out personally by the CISO, which shapes the mandate structure.

NIS-2 and the external CISO: who signs what

The NIS 2 Implementation Act (NIS2UmsuCG) changes the distribution of responsibility. According to Section 38 NIS2UmsuCG, management is personally liable for the implementation of the security measures in accordance with Section 30 NIS2UmsuCG, including risk management, incident handling and supply chain security. This responsibility cannot be delegated. The CISO supports the management, but does not assume their liability. What the CISO does: Preparation of decisions, risk briefings, documentation, training of management (annual obligation), preparation of reports to the BSI.

The NIS 2 reporting obligations require an early warning within 24 hours, an initial report within 72 hours and a final report after one month. This requires a functioning 24/72 reporting path that the CISO establishes and practices regularly. According to Section 65 NIS2UmsuCG, fines range up to 10 million euros or 2% of group sales for essential facilities, up to 7 million euros or 1.4% for important facilities. Deadline begins as soon as we become aware of it. The external CISO ensures that “knowledge” is defined and that the path between IT operations and management runs smoothly because in an emergency there is no time to clarify responsibilities first.

Mandate structure, reporting line and escalation

A robust mandate contains five elements. First: written order with list of tasks, responsibilities and reporting line. Second: monthly hourly quota with a defined maximum for routine, plus separate quota for incidents and audits. Third: Escalation rule with clear thresholds for when the CISO notifies management (e.g. reportable security incident, significant compliance risk, material audit finding). Fourth: Confidentiality and data protection, including order processing in accordance with Art. 28 GDPR. Fifth: Termination and handover rules.

The reporting line goes directly to management, not to IT management. This separation is specified in ISO/IEC 27001:2022 Clause 5.3 and protects against conflicts of interest. A written report with risk status, progress of measures, open points and recommendations is provided at least quarterly. In the event of incidents, audit findings or regulatory changes, reporting is carried out ad hoc. With the CIVAC Compliance Platform and Officer-as-a-Service, templates for the appointment certificate, quarterly report, risk inventory and action plan are available, versioning and filing are carried out in an audit-proof manner in the workspace with EU data residency. Licence the workspace for your internal representatives, or have our representatives order it.

Costs and ROI compared to an in-house full-time position

An internal CISO position including additional wage costs, training budget, tools and replacement arrangements costs 180,000 to 260,000 euros annually in the German market, depending on the industry and location. In addition, there is the risk period of the vacancy: personnel search and onboarding take six to twelve months, during which responsibility remains organizationally unclear. An external mandate with 6 to 10 man-days per month in steady state is 110,000 to 220,000 euros annually, depending on the daily rate and industry.

The comparison purely based on costs is deceptive. Three factors are more crucial: firstly, scalability, because external mandates can be flexibly adapted, for example in the event of a certification phase or an incident. Secondly, the senior experience, because external CISOs from multiple mandates provide cross-comparisons and best practices. Thirdly, risk coverage, because a service provider model typically guarantees replacement, while the internal individual does not cover vacation and sickness periods. Others run compliance like a filing cabinet. We run it like software. What ultimately counts for management is that the risk is borne, documented and verifiably managed, regardless of whether the person is permanently employed or mandated.

Requirements for the model to wear

An external CISO is not a panacea. Three requirements decide whether the model will wear. First: Management must be accessible and ready to make decisions. If quarterly reports come to nothing without a response, control fails. Second: There needs to be an operational counterpart in-house, be it an internal ISB, an IT manager with security responsibility or an external ISB team. A CISO without hands on site can provide strategic advice but cannot implement measures. Third: There needs to be a platform in which risks, measures, reports and evidence are kept auditable, otherwise friction will arise at the handover points.

The platform is not an end in itself. During an ISO/IEC 27001:2022 audit, the auditor checks 93 controls, documented in the Statement of Applicability (SoA). For an NIS 2 audit, the BSI requires evidence of risk management, incident handling, training and suppliers. Both requirements can be managed in a structured workspace that displays versioning, resubmission and reporting lines. Anyone who does this in Excel will fail in the second audit at the latest. Anyone who runs it in a platform with 490 audit templates and a 24/72 reporting path can have the auditor through the house in two days.

Selecting a provider: What to pay attention to when awarding a contract

Awarding a CISO mandate requires a different review than a normal IT service mandate. Six criteria are crucial. First: senior experience of the specific person employed, not just the provider profile. Get the resumes of the CISOs you are considering, not just a company presentation. Second: industry experience, because regulated sectors (finance, critical care, health) have specific requirements that, without previous experience, cost a learning curve.

Third: replacement arrangements so that vacation and illness do not create gaps. Fourth: Platform and tools that the provider brings with it, including data residency and certifications from the provider itself. Fifth: References, ideally from a comparable size and industry. Sixth: contract model with a clear catalogue of tasks, hourly quotas, escalation channels and termination regulations. The CIVAC Compliance Platform and Officer-as-a-Service delivers both: named officers with ISO/IEC 27001 Lead Auditor and BSI qualifications plus the workspace with appointment certificate, audit templates, 24/72 reporting path, EU data residency and ISO 27001:2022 ISMS. The auditor calls, the evidence is ready.

Turn reading into an assignment

If the management in your company formally bears responsibility for NIS 2, but does not have a senior security management team, the need for action is clear. If an ISMS is desired, but the person for strategy and reporting line is not available in the next few months, the same applies. The external mandate is the faster solution without handing over strategic responsibility to a service provider with a convenience store.

CIVAC provides the compliance platform and officer-as-a-service: appointed CISOs and ISBs with documented qualification profile, workspace with appointment certificate, risk inventory, audit templates, 24/72 reporting path and reporting line, ISO 27001:2022 ISMS, EU data residency. Either with your internal representatives or with our appointed officers. Turn reading into a mandate.: Write to info@civac.de or book a 30-minute strategy discussion using the contact form. You will receive an assessment of the scope of the mandate and an order proposal within two working days.

FAQ

What is the difference between CISO and ISB?

The CISO is responsible for strategic information security at the executive level, including governance, risk and reporting lines. The ISB is responsible for the operational implementation of the security measures. In large organisations both roles are separate, in medium-sized companies they are often merged or combined in the service provider model.

Can an external CISO relieve management of NIS 2 liability?

No. Section 38 NIS2UmsuCG places personal responsibility on the management. The external CISO provides support through preparation, risk reports and training, but does not assume liability. A clear written order and reporting line are the prerequisite for management to be able to demonstrably fulfil their duties.

How many days per month are realistic?

In the first quarter of a mandate, 12 to 16 days are realistic because determining the location, roadmap and initial document maintenance take up time. In the steady state, the effort levels out at 4 to 8 days per month. Audit, certification and incident phases temporarily increase demand significantly.

What qualifications should an external CISO have?

Senior experience in information security (typically 10+ years), previous industry-specific experience, formal qualifications such as ISO/IEC 27001 Lead Auditor, CISSP or CISM, and experience reporting to senior management or the board of directors. In regulated sectors, additional previous knowledge of BAIT, VAIT, KAIT or BSI-KritisV.

How is the reporting line regulated?

The reporting line goes directly to the management, not to the IT management. ISO/IEC 27001:2022 Clause 5.3 requires this independence. A written report with risks, measures and open points is provided at least quarterly. In the event of reportable incidents or material findings, additional ad hoc reporting is carried out.

Is the model also worthwhile for smaller companies?

The model can be economically implemented from around 50 employees and in regulated sectors or when operating as an important or essential institution according to NIS-2. Below this threshold, an ISB mandate with a clearly defined hourly quota is often sufficient. The awarding process can be adapted in a modular manner, for example with a reduced proportion of strategy and a higher proportion of operational support.

No obligation

Sounds like a lot of work?

Officer duties, deadlines, paperwork — that's exactly what we take off your hands. Say hello and we'll show you how.

Turn this into a mandate.

Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.

Related articles