Pre-vCISO Engagement Checklist

For many organizations, it doesn’t make sense to employ a full-time Chief Information Security Officer (CISO). Because of this, a virtual Chief Information Security Officer (vCISO) may be employed instead. These third-party security experts fill the role of a CISO, providing their expertise remotely in order to improve the security programs of their clients.

While a vCISO engagement can be implemented no matter what stage your security program is in (yes, they can even help you build one from scratch), there are certain things companies can do to ensure they get the most out of their vCISO engagement right away and throughout the life of the engagement.

Here is a checklist to help walk you through what those are!

Things you can do to make your vCISO engagement successful

  • Get buy-in from your executive leadership or your board of directors
    • If you don't know how to get this buy-in, ask your vCISO provider
  • Communicate that this is not just an IT issue and that it requires business involvement and decisions.
  • Identify key stakeholders to involve in your information security decisions and initiatives related to the topics below, and invite these stakeholders to the first vCISO meeting.
    • Business risk
    • Cyber insurance
    • Policies and procedures
    • Human resources
    • Business continuity and disaster planning technology (including cloud and third-party providers)
    • Cyber incident response
    • Compliance and legal
    • Finance and asset management
    • Vendor management
    • Facilities/office management
  • Involve all people in your key stakeholder group in the delivery of the risk assessment results.
  • Present the risk assessment results to your executive management or board of directors.
  • Locate current organizational policies, including:
    • Employee handbook
    • Acceptable use and other organizational policies
    • IT documentation
      • Network diagram
      • Asset inventory
  • Know the age and accuracy of the information you are providing. Find out when the documents were last reviewed or updated.
  • Review the top recommendations from the risk assessment and know who should be involved in making decisions on when and what resources are needed to address them.
  • Start collecting questions to ask your vCISO. The vCISO is there to educate and help you make the best, most informed decision.
  • Prepare your team to consistently attend and be engaged in the monthly vCISO check-ins.
