IT Security & NIS-2 | 21 May 2026 | 12 min read

External IT Security Officer: What Does the Monthly Mandate Really Cost?

By Lena Vogt

Between €800 and €4,500 per month is the range for an external IT Security Officer — but price alone says little about actual scope of services. This article breaks down the key cost drivers and explains what a reliable mandate must cover as a minimum.

§§ 30 and 38 BSIG require operators of essential and important facilities under NIS-2 to appoint an Information Security Officer (ISB). For companies that cannot or do not wish to fill this role internally, the external option is the legally permissible alternative — provided the formal requirements are met.

Key Takeaways

  • External ISB mandates for DACH mid-market companies typically cost between €1,200 and €3,500 per month, depending on hourly volume, scope of role, and regulatory framework (ISO 27001:2022 / NIS-2 / BSIG).
  • The decisive factor for cost planning is not the monthly price but the actual proof delivered: appointment certificate, activity reports, and documented audit trail.
  • The penalty framework for NIS-2 essential facilities is up to €10 million or 2% of global group turnover — which puts cost-saving considerations on the ISB appointment into perspective.

Legal Basis: Who Needs an ISB and Why External?

The obligation to appoint an Information Security Officer arises from several legal sources. §§ 30 and 38 BSIG (as amended by the NIS-2 Implementation Act, October 2024) require essential and important facilities to appoint a responsible person for information security. ISO/IEC 27001:2022 Section 5.3 requires that roles, responsibilities, and authorities within the ISMS be assigned and documented. Neither provision requires internal staffing — external appointment is legally permissible provided the mandate is formally documented.

Cost Structure: What Drives the Monthly Price Up?

The monthly price for an external ISB is determined by five factors:

  • Hourly volume. A basic mandate with four to six hours per month for a 100-employee company is priced differently from a full ISMS mandate for a NIS-2 essential facility.
  • Regulatory scope. ISO 27001 certification mandates, NIS-2 notification pathways, and TISAX assessments each add complexity.
  • Industry. Regulated industries (banking, healthcare, critical infrastructure) require sector-specific expertise commanding a premium.
  • ISMS maturity. Building an ISMS from scratch requires significantly more effort than maintaining an existing certified system.
  • On-site presence. Regular on-site visits add travel costs not included in basic offers.

Benchmarks for German Mid-Market Companies: Three Mandate Classes

For DACH mid-market companies, three mandate classes with different pricing ranges can be distinguished:

  • Class 1 – Basic Mandate (approx. €800–1,500/month): Formal appointment under BSIG, monthly activity report, annual ISMS overview, no full ISO/IEC 27001:2022 certification support.
  • Class 2 – Standard Mandate (approx. €1,500–3,000/month): Full ISMS operation under ISO 27001:2022, NIS-2 notification pathway, quarterly management report, incident support.
  • Class 3 – Premium Mandate (approx. €3,000–5,000/month): ISMS certification support, TISAX assessment, sector-specific regulatory mapping, on-site presence.

Hidden Costs: What Low-Cost Offers Often Don't Include

When selecting an external ISB, costs frequently arise that are not disclosed in the basic offer:

  • Travel costs. External officers who must appear on-site regularly often invoice travel and accommodation costs separately. Two on-site visits per month can add €500–1,500 in travel costs alone.
  • Additional hourly rates. Incident response, certification preparation, and authority inquiries are often billed at separate hourly rates on top of the monthly retainer.
  • Tooling costs. Some providers charge separately for compliance platform licenses, documentation tools, and audit management systems.

Comparison: Hourly Rate vs. Flat Fee vs. Officer-as-a-Service

Three billing models dominate the external ISB mandate market. The hourly model (€160–250/hour net) is suitable for project-based tasks but unpredictable for ongoing officer mandates. A security incident or audit preparation can multiply monthly costs unpredictably. The flat-fee model provides cost certainty but requires careful scope definition — scope creep is a common source of conflict. The Officer-as-a-Service model (fixed monthly fee including platform) combines cost certainty with scalability and is best suited for ongoing officer mandates.

Appointment Obligation and Formal Requirements: What the Mandate Must Cover

A legally compliant ISB mandate begins with the formal appointment. § 38 BSIG and ISO/IEC 27001:2022 Section 5.3 require a documented role assignment. The appointment certificate must specify the scope of the role, the reporting line, independence from the IT department, and termination protection (if applicable). Without a valid appointment certificate, the mandate has no legal standing — regardless of the actual activities performed.

Cost-Benefit Analysis: What a Defective Appointment Costs

The penalty framework for NIS-2 essential facilities is up to €10 million or 2% of global group turnover — whichever is higher (§ 35 BSIG). For important facilities, the framework is up to €7 million or 1.4% of group turnover. These figures put cost-saving considerations on ISB appointments into perspective: a missing or improperly documented ISB appointment can trigger fines that exceed years of mandate costs in a single proceeding.

Selection Criteria: What Makes a Good External ISB

When selecting an external ISB, six criteria are decisive:

  • Qualification. Verifiable certifications (CISM, CISSP, BSI IT-Grundschutz certificate) or equivalent practical experience are a minimum requirement. ISO/IEC 27001:2022 expertise is essential for ISMS mandates.
  • Independence. The ISB must be independent from the IT department; a provider that simultaneously delivers IT services has a structural conflict of interest.
  • Appointment process. The appointment certificate must be provided on day one.
  • Reporting structure. Direct reporting line to management, not to IT or operations.
  • SLA. Defined response times for the NIS-2 24-hour notification pathway.
  • Audit trail. All activities must be documented in a tamper-proof system.

CIVAC: External ISB with Platform and Transparent Cost Structure

CIVAC is a compliance platform and Officer-as-a-Service offering for the Information Security Officer and 24 further officer roles. License the workspace for your internal ISB, or order an externally certified ISB — appointed in two business days, at a transparent monthly flat fee including platform.

FAQ

What are the monthly costs for an external IT Security Officer for mid-market companies?

Depending on mandate scope, costs range from €800 to €4,500 per month. A standard mandate (ISMS under ISO/IEC 27001:2022, NIS-2 notification pathway, monthly report) typically costs €1,500 to €3,000 net per month for a mid-market company with 200 to 800 employees.

Is an external IT Security Officer legally permissible under NIS-2?

Yes. §§ 30 and 38 BSIG require the appointment of an ISB but do not prescribe internal staffing. The external ISB must be formally appointed, have a documented reporting line to management, and act independently from the IT department.

What must an ISB mandate contain as a minimum?

A legally sound mandate includes: formal appointment certificate, monthly activity reports, incident log with 24h/72h deadlines under BSIG, annual ISMS review under ISO/IEC 27001:2022, and training records. Missing any of these elements reduces audit defensibility.

What qualifications should an external ISB demonstrate?

Recognized qualifications are CISM (ISACA), CISSP (ISC2), BSI IT-Grundschutz certificate, and ISO/IEC 27001:2022 Lead Implementer or Lead Auditor. For sector-specific requirements (TISAX, BSI C5, BAIT), additional experience in the relevant standard must be demonstrated.

Can an external ISB simultaneously act as IT service provider for the same company?

This is problematic from a compliance perspective. ISO/IEC 27001:2022 and supervisory authorities expect the ISB to be independent from the IT department. A provider simultaneously delivering IT services has a structural conflict of interest that compromises the audit defensibility of the ISB role.

What does a defective ISB appointment cost under NIS-2?

A missing or non-demonstrable ISB appointment can trigger fines of up to €10 million or 2% of global group turnover for NIS-2 essential facilities (§ 35 BSIG). Additional consequences include potential exclusions under cyber insurance policies and contractual risks vis-à-vis clients with TISAX or ISO 27001 requirements.
