Engagement model

How we work

vciso.tr supports focused security governance, privacy, AI risk, audit readiness, and customer trust work at executive level.

Request a conversation

Who this is for

Teams that benefit from this model

Companies not ready for a full-time CISO

Teams preparing for ISO 27001, SOC 2, DORA, or customer assurance

Leaders bringing AI, GDPR/KVKK, or vendor risk into governance

Scope options

Engagement models

Discovery sprint

Makes current scope, stakeholders, risk ownership, and evidence gaps visible quickly.

90-day governance roadmap

Connects control ownership, priority risks, reporting rhythm, and practical actions in one plan.

Audit readiness support

Structures evidence, policies, and gap actions for ISO 27001, SOC 2, DORA, or customer assurance work.

Customer assurance and questionnaire support

Turns questionnaires, evidence packs, and approved answers into a repeatable sales support workflow.

Fractional governance cadence

Keeps risk registers, executive reporting, and decision agendas active through monthly or biweekly rhythms.

First 90 days

30, 60, and 90-day cadence

First 30 days: current state, stakeholders, risk, and evidence map are clarified.
First 60 days: policy and control owners, priority gaps, and reporting rhythm are established.
First 90 days: operating cadence, board-ready summary, roadmap, and next-step backlog are created.

Deliverables

Typical outputs

Risk register structure

Evidence map

Policy and control owner matrix

Customer assurance answer base

Audit readiness backlog

Executive reporting template

Vendor risk workflow

AI governance operating model

Boundaries

What this is not

Not legal advice.
Not a formal audit opinion.
Not a compliance guarantee.
Not a replacement for licensed legal, audit, or certification bodies.
Not a tool-only implementation project.

Frequently asked questions

What happens in the first conversation?

The first conversation clarifies scope, current pressure, customer assurance needs, audit timing, and executive expectations.

Does this replace a full-time CISO?

It can close the leadership gap for early and growth-stage companies, but a full-time role may become necessary as the company scales.

Are deliverables only documents?

No. The goal is operating output such as risk ownership, evidence maps, executive reporting cadence, and priority action plans.

Is this legal advice or a formal audit?

No. The work is educational and readiness-focused. It is not legal advice, an audit opinion, or a compliance guarantee.

Next step

Need senior security leadership without a full-time CISO?

Request a focused conversation about governance gaps, board reporting, and the first 90 days.

Request a vCISO conversation How we work