External IT Security Officer as a Service Provider: Scope, Selection, and Contract Design
External IT Security Officers as service providers promise flexibility and expertise without fixed headcount. But not every provider delivers what NIS-2 and ISO/IEC 27001:2022 require. This article explains what to look for in the service agreement, the contract, and the evidence trail.
The NIS-2 Directive (EU 2022/2555), implemented by BSIG as amended in October 2024, obliges essential and important entities to appoint a responsible person for information security. For companies that cannot or do not wish to fill this position internally, external service providers are the legally permissible alternative, provided the mandatory formal requirements are met.
Key Takeaways
- An external ISB service provider is legally permissible under BSIG and ISO/IEC 27001:2022 — the decisive element is the formal appointment certificate with a documented reporting line to management.
- The contract must explicitly govern response times for the 24-hour early warning pathway under BSIG, the scope of ISMS supervision, and the obligation to provide activity evidence.
- Freedom from conflicts of interest is mandatory: a service provider simultaneously operating IT infrastructure and holding the ISB mandate has a structural problem that is relevant in audits.
Legal Framework: When Is External ISB Operation Permissible?
BSIG (§§ 30, 38) requires the appointment of an ISB but does not prescribe internal staffing. ISO/IEC 27001:2022 Section 5.3 specifies that roles and responsibilities within the ISMS must be documented — this requirement can also be met by external service providers. The critical distinction: a mere advisory relationship without formal appointment does not constitute a valid ISB mandate under supervisory law. The appointment certificate must be issued before the service provider begins work.
Scope of Services: What an ISB Service Provider Must Deliver
The scope of services of an external ISB service provider can be divided into four categories.
- Ongoing ISMS operation: The service provider operates the ISMS under ISO/IEC 27001:2022, regularly reviews the 93 Controls, documents the results, and prepares the annual management review.
- NIS-2 notification pathway: In the event of a significant incident, the service provider manages the 24-hour early warning, the 72-hour follow-up report, and the 30-day final report to the BSI.
- Risk management: Annual risk assessment, risk treatment plan, and documented residual risk acceptance.
- Training and awareness: Implementation and documentation of annual security awareness training under Control A.6.3.
Contract Design: These Clauses Are Non-Negotiable
A defensible service contract for an external ISB must contain six core clauses.
- Appointment certificate as annex: The formal appointment is not part of the service contract but a standalone document attached as an annex. The certificate names the officer by name, defines the scope, establishes the reporting line to management, and is signed by both parties.
- SLA for incident response: The contract must specify response times, particularly for the 24-hour NIS-2 early warning obligation. A service provider without contractually defined incident SLAs cannot meet this obligation reliably.
- Activity evidence obligation: Monthly reports, audit logs, and training certificates must be contractually required.
- Conflict of interest exclusion: The contract must prohibit the simultaneous provision of IT operational services by the same entity.
- DPA under Art. 28 GDPR: Processing personal data of employees requires a signed data processing agreement.
- Handover arrangement: At contract end, all documentation must be transferred in structured form.
Conflict of Interest and Independence: The Structural Problem
An ISB who simultaneously acts as IT service provider for the same company has a structural conflict of interest: the officer is supposed to monitor the security of the IT systems and, in doing so, effectively assesses their own work. Auditors and authorities recognize this pattern: it weakens the governance function of the ISB role and can call the entire ISMS certification into question. ISO/IEC 27001:2022 Controls A.5.2 and A.6.1.2 require segregation of duties and freedom from conflicts of interest.
Selection Criteria: How to Find the Right Service Provider
Selecting an external ISB service provider follows a six-stage evaluation framework.
- Qualification and certification: Verify that the designated ISB holds a recognized qualification, e.g., CISM (Certified Information Security Manager), ISO 27001 Lead Implementer, or a BSI-recognized IT security qualification.
- Independence from IT operations: Does the provider simultaneously deliver IT services to the same company?
- Appointment process: Can the provider issue the appointment certificate on day one?
- ISMS tooling: Does the provider use a documented, audit-trail-capable ISMS platform?
- References: Can the provider demonstrate comparable mandates in the same industry and NIS-2 classification?
- SLA track record: Can the provider demonstrate actual incident response within NIS-2 time limits?
NIS-2 Specifics: Why the Notification Pathway Must Be Contractually Secured
NIS-2 sets clear time requirements in §§ 32 and 35 BSIG: in the event of a significant security incident, the early warning must reach BSI within 24 hours, the follow-up report within 72 hours, and the final report no later than 30 days after the incident. These deadlines run from the moment the operator becomes aware of the incident. A service provider without contractually defined incident response SLAs and documented escalation pathways cannot reliably meet these obligations. The contract must therefore explicitly specify: what constitutes a significant incident, how the operator notifies the service provider, and within what timeframe the service provider initiates the BSI notification.
Costs and Pricing Models: What External ISB Services Cost
The cost of an external ISB service provider varies considerably — depending on company size, ISMS maturity, NIS-2 scope, and agreed scope of services. Three pricing models dominate the market.
- Retainer model: The service provider makes a fixed number of hours available monthly. Suitable for companies with a defined, stable ISMS. Risk: scope creep for unplanned incidents.
- Hourly model: Suitable for project-based work (certification preparation, audits) but unpredictable for ongoing officer mandates.
- Officer-as-a-Service model: Fixed monthly fee including platform. Best suited for ongoing mandates: cost certainty and scalable scope adjustment.
CIVAC Model: Officer Appointment and Workspace in One
CIVAC combines two delivery models that complement each other. First: license the workspace for your internal ISB. The officer receives 37 ready-to-use audit templates under ISO/IEC 27001:2022, a structured ISMS workflow covering all 93 Controls, a NIS-2 notification pathway with a 24-hour early warning function, and monthly reporting templates. Second: order an externally certified ISB. CIVAC provides the appointment certificate, the reporting line to management, and a certified officer from its partner network, set up within two business days at a transparent monthly flat fee.
Next Steps: Engaging the Right External ISB Service Provider
If you wish to engage an external IT Security Officer as a service provider, five concrete steps are recommended.
First, create an ISB requirements matrix: What is your company's NIS-2 classification? Is ISO 27001 certification required or planned? What is your current ISMS maturity level? Second, define your must-have contract clauses based on the points above. Third, request structured proposals from at least three providers — insist on the appointment certificate process being demonstrated in the proposal. Fourth, check the conflict of interest situation: does the provider simultaneously deliver IT services? Fifth, compare Total Cost of Compliance, not just the monthly retainer.
FAQ
Is an external IT Security Officer as a service provider legally permissible?
Yes. Neither BSIG nor ISO/IEC 27001:2022 require internal staffing. The decisive element is the formal appointment with a certificate, a documented reporting line to management, and sufficient qualifications of the service provider. A purely advisory engagement without formal appointment is not a valid ISB mandate under supervisory law.
What must a contract with an external ISB service provider contain?
The contract must cover at a minimum: formal appointment certificate as annex, SLA for the NIS-2 notification pathway (24-hour early warning), activity evidence obligation, conflict of interest exclusion, data processing agreement under Art. 28 GDPR, and a handover arrangement at contract end.
May an IT service provider simultaneously act as ISB?
This is structurally problematic. ISO/IEC 27001:2022 Controls A.5.2 and A.6.1.2 require segregation of duties and freedom from conflicts of interest. A provider simultaneously operating IT infrastructure and holding the ISB mandate is effectively assessing its own work. Auditors and authorities recognize this pattern and may challenge the validity of the mandate.
What does an external IT Security Officer as a service provider cost?
Typical retainer costs for mid-market companies range from €1,500 to €5,000 per month, depending on company size, ISMS maturity, and NIS-2 scope. Compared to an internal CISO with an annual salary of €80,000 to €120,000, the external solution is more cost-effective for many mid-market companies.
What qualifications must an external ISB service provider demonstrate?
Recognized qualifications are CISM (Certified Information Security Manager), ISO 27001 Lead Implementer, or a BSI-recognized IT security qualification. Evidence of qualifications belongs in the appointment certificate. Additionally, verify industry experience and concrete audit evidence from BSI inspections or ISO 27001 certification audits.
How quickly can an external ISB service provider be appointed?
In traditional tender processes, this takes two to six weeks. CIVAC makes contract, officer, and appointment certificate available within two business days through its certified partner network. The appointment certificate must be issued before the service provider's first day of work — a retroactive appointment is legally invalid.
Turn this into a mandate.
Let us carry the operational weight. External officer, templates and documentation in one workspace. No obligation.