Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO

Retained security advisor

Your SME does not need a full security department yet. But customers already want evidence - and someone has to answer the questionnaires, decide what to fix first, close the obvious gaps, and prepare ISO 27001 or NIS2 evidence where it applies.

That is the gap a retained partnership fills.

The Pattern

What happens before companies call me

  1. A customer asks for security evidence.
  2. The founder forwards it to IT, who answer what they can.
  3. No one knows whether the answers are complete.
  4. A few tools get bought. A policy is copied from somewhere.

Three months later, the same problem returns. The retainer breaks the cycle.

Where You Stand

Maturity model

Before choosing CIS Controls, ISO 27001, or NIS2 readiness, first identify how security currently works inside the business.

Most founder-led SMEs already have some tools, policies, and customer-facing answers. The problem is that security work is often fragmented, undocumented, or only activated when pressure appears.

This model shows the shift from reactive security, through compliance pressure, toward a working ISMS that supports real business decisions.

Stage 1

Reactive

Security is handled when something breaks, a customer asks a difficult question, or an incident forces action.

Stage 2

Compliance-Driven

Security work happens around audits, tenders, questionnaires, or regulation - but ownership, evidence, and follow-up are still inconsistent.

Stage 3

Working ISMS

Security is reviewed, evidenced, improved, and used in business decisions before customers, auditors, or regulators force the issue.

Most SMEs I help are between Stage 1 and Stage 2. The retainer turns security from occasional project work into a managed operating rhythm.

Frameworks

Which framework applies

CIS CRITICAL CONTROLS

Practical technical hardening, prioritised safeguards.

ISO 27001

Formal ISMS, certification, Statement of Applicability.

NIS2 DIRECTIVE

Management accountability, incident reporting, regulator-facing evidence.

Shared core

  • Asset register
  • Risk management
  • Access control
  • Supplier assurance
  • Incident readiness
  • Evidence

These controls show up in every path. What changes is the formality, the audience you prove them to, and the unique extras each framework adds.

Moving up is a scope increase, not a restart - the work you already did stays in scope.

Choose Your Path

Pick the lightest path

Practical baseline

CIS Critical Controls

Use when
Customer questionnaires, GDPR basics, general assurance.
Result
A defensible security baseline.
Best for
Small SMEs that need credible basics without certification overhead.

Working ISMS

ISO 27001

Use when
Tenders, enterprise customers, investors, formal evidence.
Result
A working ISMS with a clear route to certification.
Best for
Growing SMEs that need proof, not just good intentions.

Regulated readiness

NIS2 Directive

Use when
NIS2 obligations, critical sectors, supply-chain pressure.
Result
Management-ready evidence, reporting, governance rhythm.
Best for
Regulated or near-regulated companies.

Start Here

First step: assessment

Two ways in. Both end with a recommended path and a recommended retainer level.

Still scoping

Discovery

For buyers still scoping.

You get
A short written recommendation, the likely path, and a high-level direction.
Best when
You are unsure whether CIS Critical Controls, ISO 27001, or the NIS2 Directive is the right level.

Ready to act

Roadmap Assessment

For buyers ready to act.

You get
Current-state review, gap analysis, prioritised roadmap, and a recommended retainer level.
Best when
You already know security work is needed and want sequencing.

Start Here

The first 90 days

A typical start once the assessment sets the direction. The pace flexes to what the business can sustain.

Month 1 / Step 1
Understand

Assets, customers, current tools, evidence gaps, and immediate exposure.

Month 2 / Step 2
Fix the obvious

MFA, admin access, backups, patching, endpoint protection, and supplier basics.

Month 3 / Step 3
Make it defensible

A light evidence pack and a roadmap customers and management can trust.

Keep It Moving

Monthly cadence options

The assessment defines the path. The retainer keeps it alive. Three levels, set after the assessment and flexed as the business changes.

~8 h / month

Foundation

  • Context retained under NDA; familiar with your stack, risks, and team
  • Support for customer questionnaires, supplier questions, and security decisions
  • Quarterly review keeps the roadmap and evidence model alive

~2-4 days / month

Programme

  • Active roadmap delivery
  • Quarterly risk and supplier reviews
  • ISMS or compliance work moving in the background

~2-3 days / week

Embedded

  • Near full-time presence
  • Certification pushes or NIS2 readiness sprints
  • Deep involvement in your team's daily work

Most clients move along this spectrum over time. The level is set after the assessment and can flex up or down as the business changes.

One framework contract, predictable monthly fee, scope flexes month by month.

Advisory Boundary

What I own, what you own

I do not replace the CEO, act as a 24/7 SOC, or take legal accountability for incidents. I advise, prioritise, document decisions, help implement best practices, and support incident preparedness. Final business decisions remain with management.

For material residual risk, I will also recommend practical transfer options such as cybersecurity insurance - because mature security is a mix of prevention, preparedness, accountability, and risk transfer.

Book a call

I will recommend Discovery or a Roadmap Assessment, and the retainer level that follows.
