Pre-vCISO Engagement Checklist


For many organizations, it doesn’t make sense to employ a full-time Chief Information Security Officer (CISO). Instead, a virtual Chief Information Security Officer (vCISO) may be engaged. These third-party security experts fill the role of a CISO, providing their expertise remotely in order to improve the security programs of their clients.

While a vCISO engagement can be started no matter what stage your security program is at (yes, they can even help you build one from scratch), there are certain things companies can do to ensure they get the most out of their vCISO engagement right away and throughout the life of the engagement.

Here is a checklist to help walk you through what those are!

Pre-vCISO Engagement Checklist

Things you can do to make your vCISO engagement successful


  • Get buy-in from your executive leadership or your board of directors
    • If you don’t know how to get this buy-in, ask your vCISO provider
  • Communicate that this is not just an IT issue, and requires business involvement and decisions.
  • Identify key stakeholders to involve in your information security decisions and initiatives related to the
    topics below, and invite these stakeholders to the first vCISO meeting.

    • Business risk
    • Cyber insurance
    • Policies and procedures
    • Human resources
    • Business continuity and disaster planning
    • Technology (including cloud and third-party providers)
    • Cyber incident response
    • Compliance and legal
    • Finance and asset management
    • Vendor management
    • Facilities/office management
  • Involve all people in your key stakeholder group in the delivery of the risk assessment results.
  • Present the risk assessment results to your executive management or board of directors.
  • Locate current organizational policies, including:

    • Employee handbook
    • Acceptable use and other organizational policies
    • IT documentation
      • Network diagram
      • Asset inventory
  • Know the age and accuracy of the information you are providing. Find out when the documents were
    last reviewed or updated.
  • Review the top recommendations from the risk assessment and know who should be involved
    in making decisions on when and what resources are needed to address them.
  • Start collecting questions to ask your vCISO. The vCISO is there to educate and help you make the
    best, most informed decision.
  • Prepare your team to consistently attend and be engaged in the monthly vCISO check-ins.