# vCISO Engagement SOP
Sub-procedure of vcto-vciso-engagement-sop.md
## Overview
Detailed procedure for initiating and onboarding new vCISO (Virtual Chief Information Security Officer) engagements, including security program assessment, priority setting, and establishment of ongoing advisory relationship.
## Scope
- Parent SOP: vCTO/vCISO Engagement
- Pillar: Plan (Strategic Advisory) & Protect (Security)
- Service Area: vCISO Services
## Prerequisites
- Parent SOP requirements met (signed SOW, engagement tier confirmed)
- Primary security stakeholder identified
- Current security documentation accessible (policies, procedures, tools)
- Compliance requirements documented (HIPAA, SOC 2, PCI, etc.)
- Recent security assessments or audit findings available (if any)
## Procedure
### Step 1: Security Discovery
- Review existing security documentation and policies
- Inventory security tools and technologies in use
- Document compliance framework requirements
- Identify recent security incidents or near-misses
- Understand organizational risk tolerance and culture
### Step 2: Stakeholder Mapping
- Identify security decision-makers and influencers
- Map IT and security team structure
- Understand reporting relationships and authority
- Document communication preferences and cadence
- Identify key business stakeholders for security matters
### Step 3: Current State Assessment
- Assess security program maturity using a framework such as NIST CSF
- Review existing policies and their enforcement
- Evaluate security awareness and training programs
- Document security architecture and controls
- Identify critical assets and data classification
### Step 4: Gap Analysis
- Compare current state to required compliance frameworks
- Identify control gaps and deficiencies
- Assess incident response capabilities
- Evaluate third-party risk management
- Document vulnerability management effectiveness
### Step 5: Priority Setting
- Identify quick wins for immediate security improvement
- Prioritize gaps by risk and compliance impact
- Align security initiatives with business objectives
- Balance remediation with operational needs
- Create 30-60-90 day action plan
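As an added example (not part of this SOP or its templates) of the Step 4 scoring and Step 5 prioritization, the following Python ranks constructed control gaps by risk and compliance impact, flags quick wins, and packs them first-fit into 30/60/90-day windows; the 1-5 scoring scales, the compliance weight, the quick-win thresholds and the per-window capacity are assumptions to be tuned per engagement.

```python
from dataclasses import dataclass, field

@dataclass
class Gap:
    """One control gap from Step 4, scored for Step 5 prioritization."""
    control: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    frameworks: list = field(default_factory=list)  # e.g. ["HIPAA", "SOC 2"]
    effort_days: int = 0            # rough remediation effort (assumed scale)

    def risk_score(self) -> int:
        return self.likelihood * self.impact

    def priority(self) -> int:
        # Compliance weighting (assumed): each framework citing the control
        # adds 3, so a gap failing two audits outranks equal risk with none.
        return self.risk_score() + 3 * len(self.frameworks)

def is_quick_win(gap: Gap, max_days: int = 5, min_score: int = 9) -> bool:
    """Quick win: meaningful risk reduction for small effort (assumed thresholds)."""
    return gap.effort_days <= max_days and gap.risk_score() >= min_score

def build_action_plan(gaps, capacity_days: int = 20):
    """Rank gaps and pack them first-fit into 30/60/90-day windows.

    Quick wins sort first, then descending priority; each window holds at
    most capacity_days of effort (assumed), anything left goes to backlog.
    """
    plan = {"30": [], "60": [], "90": [], "backlog": []}
    used = {"30": 0, "60": 0, "90": 0}
    ordered = sorted(gaps, key=lambda g: (not is_quick_win(g), -g.priority()))
    for gap in ordered:
        for window in ("30", "60", "90"):
            if used[window] + gap.effort_days <= capacity_days:
                plan[window].append(gap.control)
                used[window] += gap.effort_days
                break
        else:
            plan["backlog"].append(gap.control)
    return plan

# Constructed sample gaps (illustrative, not client data)
SAMPLE_GAPS = [
    Gap("MFA not enforced on email admin accounts", 4, 5, ["SOC 2", "HIPAA"], 3),
    Gap("No documented incident response plan", 3, 4, ["SOC 2"], 10),
    Gap("Backups never restore-tested", 3, 5, ["HIPAA"], 8),
    Gap("Vendor risk reviews not performed", 3, 3, ["SOC 2"], 15),
    Gap("Security awareness training annual only", 2, 2, [], 4),
]
```

The first-fit packing is what lets a low-priority, low-effort item land in the 30-day window when capacity remains, which is the "balance remediation with operational needs" trade-off made explicit.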
### Step 6: Program Roadmap Development
- Develop 12-month security roadmap
- Define milestones and success metrics
- Allocate resources and budget requirements
- Establish governance and review cadence
- Document dependencies and constraints
### Step 7: Engagement Kickoff
- Present findings and roadmap to leadership
- Confirm engagement scope and expectations
- Establish communication channels and escalation paths
- Schedule recurring meetings and reviews
- Document success criteria and KPIs
## Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Security Maturity Assessment | Document (10-15 pages) | vCISO |
| Gap Analysis Report | Document/Matrix | vCISO |
| 30-60-90 Day Action Plan | Document | vCISO |
| 12-Month Security Roadmap | Visual Timeline | vCISO |
| Risk Register (Initial) | Spreadsheet | vCISO |
| Engagement Kickoff Presentation | Slides (15-20) | vCISO |
## Quality Gates
- All compliance requirements documented and understood
- Security tool inventory complete and validated
- Key stakeholders interviewed and mapped
- Gap analysis covers all relevant control domains
- Roadmap aligned with business priorities
- Client sign-off on priorities and approach
- Peer review of assessment and roadmap
## Related Documents
- Parent SOP: vCTO/vCISO Engagement
- vCISO Monthly Activities SOP
- vCISO Board Reporting SOP
- Risk Assessment SOP
- Cross-Pillar SOPs
- Templates
Last Updated: February 2026
Parent SOP: vcto-vciso-engagement-sop.md