IT Security & NIS-2 · 22 May 2026 · 12 min read

Virtual CISO for SMEs: Monthly Subscription, Immediately Effective

By Lena Vogt

A virtual CISO (vCISO) provides SMEs with strategic IT security leadership and a legally compliant appointment certificate without a full-time position. Monthly subscription, scalable, NIS-2 compliant.

For small and medium-sized enterprises, a full-time Chief Information Security Officer (CISO) is in most cases not economically viable. At the same time, NIS-2 (Directive (EU) 2022/2555, implemented in Germany in Sections 30 and 38 BSIG) and ISO/IEC 27001:2022 (clause 5.3) require that responsibility for the Information Security Management System (ISMS) be clearly assigned to a competent person with a reporting line to management. The virtual CISO bridges this gap.

This article describes what a virtual CISO for SMEs must deliver, what contractual and regulatory requirements apply, and how a monthly subscription model should be structured to withstand scrutiny in an audit situation.

Key Takeaways

  • A vCISO satisfies the expectation of Section 30 BSIG and ISO/IEC 27001:2022 that information security responsibility is assigned to a competent, designated person, without a full-time position.
  • Monthly subscription means scalability: the volume of services adapts to company growth and NIS-2 classification.
  • The appointment certificate is the decisive document: without a written appointment, the vCISO function cannot be proven in an audit situation.

vCISO vs. Internal CISO: Legal and Practical Differences

Neither Section 30 BSIG nor ISO/IEC 27001:2022 prescribes whether the role is filled internally or externally. What supervisors and auditors look for is a designated person with verifiable qualifications, accessibility, and a reporting line to management. A vCISO meets these requirements when the appointment is made in writing, the qualifications are documented, and the reporting line is clearly defined.

The practical difference lies in scope: an internal CISO is fully integrated into company structures, knows every IT component, and is permanently accessible. A vCISO works on a mandate basis, covers strategic and regulatory tasks, and delegates operational activities to internal IT teams.

For SMEs with 50 to 500 employees, this model is pragmatic: a vCISO coordinates the ISMS, prepares certification audits, and ensures NIS-2 reporting chains — without the costs of a full-time position between €90,000 and €130,000 annually. More on the role at Information Security Officer at CIVAC.

Typical Tasks of a vCISO in an SME Context

A vCISO for SMEs typically takes on the following core tasks: First, ISMS build-up and maintenance per ISO/IEC 27001:2022: risk analysis, risk treatment plan, Statement of Applicability (SoA), audit preparation. Second, NIS-2 compliance per Sections 30, 38 BSIG: company classification (essential or important entity, in the BSIG "besonders wichtige" or "wichtige Einrichtung"), incident reporting processes (early warning within 24 hours, incident notification within 72 hours, final report within one month, per Article 23 NIS-2 and Section 32 BSIG), and supply chain risks.

Third, training programme per ISO/IEC 27001:2022 Annex A control 6.3: annual planning, implementation or coordination, documentation. Fourth, reporting line to management: quarterly status reports, board presentations on risk status and open measures. Fifth, incident response coordination: activation of the incident response plan during security incidents and coordination of the reports to the BSI within the statutory deadlines.

Tasks typically outside the vCISO mandate: daily IT administration, firewall management, penetration testing (commissioned but not conducted by the vCISO), and software development.

NIS-2 Requirements for the CISO in Mid-Market Companies

NIS-2 differentiates between essential entities and important entities. The classification depends on the sector (Annex I, sectors of high criticality, or Annex II, other critical sectors, of the directive) and on company size. Essential entities are subject to stricter, proactive supervision, higher fines (up to €10 million or 2% of total worldwide annual turnover, whichever is higher), and more direct BSI oversight. Important entities fall under a reactive supervision regime with fines of up to €7 million or 1.4% of total worldwide annual turnover.

Regardless of category, Section 30 BSIG requires the same minimum catalogue of risk management measures for both groups (proportionate to the entity's risk exposure): risk analysis and security policies, security measures for networks and information systems, incident handling, business continuity and crisis management, supply chain security, vulnerability handling, training and cyber hygiene, cryptography policy, access control and asset management, and multi-factor authentication where appropriate. The vCISO must coordinate these measures in a verifiable manner.

Another NIS-2-relevant point: Section 38 BSIG obliges management to approve and oversee the risk management measures and to complete regular information security training. Organising and documenting this training is also a task the vCISO coordinates.

ISO 27001 and the vCISO: Certification Preparation

A vCISO is frequently the main driver of an ISO/IEC 27001:2022 certification. The certification process is structured in multiple phases: gap analysis (current state vs. standard), implementation of missing controls from Annex A (93 controls), internal audit, management review, Stage 1 audit (document review by certification body), and Stage 2 audit (implementation verification on-site).

The vCISO coordinates this process, delegates operational measures to internal teams, and ensures that every one of the 93 Annex A controls is either implemented or excluded in the SoA with a documented justification, as clause 6.1.3 of the standard requires. In the CIVAC workspace, 37 ready-to-deploy audit templates are available to structure the preparation.

A common mistake: companies begin certification preparation without a prior gap analysis and only discover in the Stage 1 audit that essential documents are missing. A vCISO prevents this mistake through structured project management in the workspace.

Contractual Design: What a vCISO Contract Must Contain

A legally sound vCISO contract covers at least six elements. First: scope of services with concrete hours or task flat rates. Second: reporting obligations: frequency, format, recipients. Third: accessibility and response times, especially for security incidents subject to the NIS-2 reporting deadlines. Fourth: proof of qualifications and a continuing education commitment. Fifth: a confidentiality clause and, where the vCISO processes personal data on the company's behalf, a data processing agreement per Article 28 GDPR. Sixth: a handover arrangement at mandate end, including knowledge transfer and documentation handover.

A monthly cancellable model should include a minimum term of three to six months for the initial ISMS build-up phase. Excessively short mandate terms lead to insufficient continuity in ISMS operations.

CIVAC standardises these contract parameters in the Officer-as-a-Service model: service depth, escalation paths, and documentation obligations are governed in a standard contract that is active within two business days.

Virtual CISO Costs: Realistic Ranges

The costs of a vCISO vary considerably depending on scope of services, industry, and company size. For SMEs with 50 to 250 employees requiring NIS-2 compliance and ISO/IEC 27001 readiness, monthly flat rates typically range between €1,500 and €3,500.

For larger mid-market companies with 250 to 1,000 employees and active certification preparation, monthly flat rates between €3,000 and €6,000 are realistic. These figures are considerably more economical compared to an internal position (€90,000 to €130,000 annual salary) — without employer contributions, training costs, and absence risk.

Transparency in service billing is key: a vCISO model with a clear hourly or task structure is more calculable than one with undifferentiated day rates. The CIVAC platform documents every step taken by the officer with a timestamp — for full cost transparency.

Typical Time Investment of a vCISO Per Month

For SMEs in the initial phase (ISMS build-up), a time frame of 20 to 40 hours per month is realistic. After the build-up is complete and in ongoing ISMS operations, 8 to 16 hours monthly often suffice for regular obligations.

Exception situations — security incident with NIS-2 reporting obligation, certification audit, supplier security analysis — can temporarily increase demand to 30 to 60 hours. A monthly subscription model with flexible hour contingent top-ups is therefore more practical than a rigid flat-rate construct.

The CIVAC workspace enables the vCISO to use time efficiently: pre-structured task cadences, 37 audit templates, and the AI assistant with confidence score reduce research effort. More at CIVAC FAQ.

Quality Assurance: How to Identify a Good vCISO

Five characteristics distinguish a qualified vCISO from a poorly prepared provider. First: verifiable certifications — ISO/IEC 27001 Lead Auditor or Lead Implementer, CISSP, or CISM. Second: industry experience — has the vCISO previously served companies in your sector?

Third: structured onboarding process — a good vCISO starts with a gap analysis, not a standard presentation. Fourth: tool integration — does the vCISO use a compliance platform or work with files in email attachments? The latter creates documentation breaks. Fifth: references and case studies from comparable companies.

CIVAC partners undergo a standardised qualification and onboarding programme. The platform ensures that work results are structured, documented, and can be reviewed by management at any time.

Build the CISO Function: Start Now, Don't Wait

NIS-2 is in force. BSI supervision is running. ISO/IEC 27001:2022 auditors are checking documentation. Companies that still have no designated person responsible for information security leave their management exposed: Section 38 BSIG places the duty to implement and monitor the risk management measures on management personally, and management is liable to the company for breaches of that duty.

CIVAC combines compliance platform and Officer-as-a-Service: licence the workspace for your internal officers — or have a certified CIVAC partner appointed as vCISO. Appointment certificate, signed, filed, verifiable — within two business days.

Turn reading into action: info@civac.de.

FAQ

Is a virtual CISO legally equivalent to an internal CISO?

Yes, provided the appointment is documented in writing, qualifications are verified, and the reporting line to management is clearly defined. Neither Section 30 BSIG nor ISO/IEC 27001:2022 prescribes whether the role is filled internally or externally.

What does a virtual CISO for an SME cost per month?

For SMEs with 50 to 250 employees, monthly flat rates typically range between €1,500 and €3,500, depending on scope. This is considerably cheaper than an internal position with €90,000 to €130,000 annual salary.

How long does it take to appoint a vCISO?

In the CIVAC model, the appointment certificate is available within two business days. With traditional individual service providers, contract initiation typically takes two to six weeks.

Can a vCISO prepare an ISO 27001 certification?

Yes. Certification preparation (gap analysis, implementation or justified exclusion of the 93 Annex A controls in the SoA, internal audit, management review) is a core task of the vCISO. The CIVAC workspace provides 37 audit templates.

Which sectors benefit particularly from a vCISO?

All companies falling under NIS-2 (essential or important entities), as well as companies with ISO 27001 obligations from client contracts or insurance requirements. Particularly relevant: healthcare, finance, logistics, manufacturing, IT service providers.

What happens when a vCISO ends the mandate?

The service contract must include a handover arrangement with knowledge transfer and documentation handover. In the CIVAC model, all documentation resides in the platform and is immediately accessible to a successor — without dependency on individuals.
