CISO as a Service

Benefit from an experienced Chief Information Security Officer, without the constraints of a full-time hire.

What is CISO as a Service?

CISO as a Service (outsourced CISO) enables an organisation to benefit from an experienced Chief Information Security Officer without the constraints of a full-time hire. This model is particularly suited to medium-sized organisations that need structured security governance but whose workload does not justify a dedicated position.

The outsourced CISO defines and drives the information security strategy, ensures policy governance and reports to management. They act as a true team member, with deep knowledge of the organisation's environment, constraints and regulatory context.

Our commitments:

- CISSP, CISA, CISM and ISO 27001 Lead Implementer certifications within the team.
- Strict confidentiality and independence in recommendations.
- Continuous monitoring of threats, regulations and best practices.
- Pragmatic advice tailored to your operational reality and resources.
- Available by email and phone with a 48-hour response time, periodic review meetings and an annual activity report.

CISSP security certifications · 48h guaranteed response time · ISO 27001 Lead Implementer

MISSIONS

The outsourced CISO's missions

Comprehensive support covering all responsibilities of the Chief Information Security Officer.

Strategy and governance

Defining the information security strategy, aligning it with business objectives and presenting directions to management. Developing and maintaining the governance framework: policies, procedures and security directives.

Risk management

Managing the risk analysis and risk register, monitoring the treatment plan and providing regular reporting to management on the evolution of the security posture.

Compliance and certification

Maintaining compliance with applicable frameworks (ISO 27001, NIS2, DORA). Preparing and monitoring internal and external audits, coordinating with certification bodies and regulators.

Incident management

Defining detection and incident response procedures. Coordinating crisis management during major incidents and supporting notification to competent authorities.

Awareness and security culture

Running awareness sessions for employees and management. Promoting a daily security culture within the organisation.

Executive reporting

Producing dashboards and periodic reports for management and governance bodies. Tracking key security indicators and recommending improvements.

Prerequisites

- Management commitment to information security.
- A dedicated contact within the organisation (management or IT).
- Access to existing documentation: policies, procedures, asset inventories, audit results.
- Involvement of the outsourced CISO in projects impacting information security.

CASE STUDY

Critical infrastructure

Outsourced CISO combined with maintaining and extending ISO 27001 certification

Critical infrastructure · Belgium

A Belgian critical infrastructure operator, already ISO 27001 certified on part of its scope, entrusted Tomeris with the outsourced CISO role. The distinctive feature of this engagement: it combines information security management with maintaining and extending the ISO 27001 certification.

On a daily basis, Tomeris ensures policy governance, risk register monitoring, coordination with IT teams and executive reporting. In parallel, all ISMS-related work is managed seamlessly: internal audits, management reviews, risk assessment updates and preparation for surveillance audits.

This dual CISO and ISO 27001 Lead Implementer role delivers rare consistency and efficiency: the security strategy and certification journey advance together, without information loss or redundant effort.

An integrated approach that maximises the value of every intervention by combining security governance and the certification process.


Need an outsourced CISO?

Entrust your information security governance to a certified and experienced team.