vCISO Services: What to Offer Your Clients in 2026
The core services a virtual CISO should offer include security assessments, risk management, compliance guidance, board-level reporting, policy development, incident response oversight, and vendor risk management. These seven service areas form the foundation of a comprehensive vCISO engagement, and most successful consultants package them into tiered retainers that scale with client maturity and budget.
Key takeaways
- Seven core vCISO services: assessments, risk management, compliance, board reporting, policies, incident oversight, vendor risk
- Package services into tiered retainers (Essentials, Standard, Premium) for predictable revenue
- Most clients start with assessments and risk registers, then expand scope over time
- Typical retainers range from $1,500/mo (essentials) to $8,000+/mo (full vCISO)
- CisoDeck maps platform features directly to each service deliverable
Core vCISO services: a complete breakdown
1. Security assessments
Foundation service
Security assessments are the starting point for nearly every vCISO engagement. You evaluate the client's current security posture against a recognized framework such as NIST CSF 2.0, ISO 27001, SOC 2 (Trust Services Criteria), or Cyber Essentials. The assessment identifies control gaps, produces a maturity score, and generates a prioritized remediation roadmap that becomes the basis for ongoing advisory work.
2. Risk management
Foundation service
Risk management involves identifying, scoring, and tracking cybersecurity risks on an ongoing basis. You maintain a risk register that maps each risk to likelihood and impact scores, assigns a risk owner, records the chosen treatment (mitigate, accept, transfer, avoid) and its status, and ideally captures the residual score expected once planned controls are in place. The risk heatmap built from the register becomes a primary communication tool for board and executive updates.
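As an added illustration of the register described above (this is example code written for this page, not CisoDeck's implementation), the script below scores risks on a 5x5 likelihood-by-impact matrix, buckets them into heatmap cells, and lists the exceptions a vCISO would raise at the next review: risks with no owner, overdue treatments, and accepted risks whose residual rating still sits at or above the client's appetite. The rating thresholds, the `appetite` parameter and the four register entries are constructed assumptions; the residual fallback to inherent values when no residual estimate has been recorded is also a design choice of this example.

```python
"""Toy risk register: 5x5 scoring, heatmap bucketing, review exceptions.
Constructed example; every risk entry below is invented, not client data."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Rating bands for score = likelihood * impact (1..25).
# Thresholds are an assumption; tune them to the client's risk appetite.
BANDS = ((15, "critical"), (8, "high"), (4, "medium"), (0, "low"))
REVIEW_DATE = date(2026, 2, 15)  # assumed date of the next review meeting


@dataclass
class Risk:
    rid: str
    title: str
    likelihood: int             # inherent likelihood, 1..5
    impact: int                 # inherent impact, 1..5
    owner: Optional[str]        # None = nobody accountable yet
    treatment: str              # open | in progress | mitigated | accepted
    due: Optional[date] = None  # treatment target date, if any
    residual_likelihood: Optional[int] = None  # estimate after controls
    residual_impact: Optional[int] = None

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError(f"{self.rid}: scores must be 1..5, got {v}")

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual(self) -> int:
        # Falls back to inherent values when no residual estimate exists.
        return ((self.residual_likelihood or self.likelihood)
                * (self.residual_impact or self.impact))


def band(score: int) -> str:
    """Map a 1..25 score onto a rating band name."""
    for floor, name in BANDS:
        if score >= floor:
            return name
    return "low"


def heatmap(risks):
    """Bucket risk IDs by (likelihood, impact) cell, inherent view."""
    cells = {}
    for r in risks:
        cells.setdefault((r.likelihood, r.impact), []).append(r.rid)
    return cells


def render_heatmap(risks) -> str:
    """Text grid: rows = likelihood 5..1 top to bottom, columns = impact 1..5."""
    cells = heatmap(risks)
    lines = ["L\\I  " + "  ".join(f"{i:^7}" for i in range(1, 6))]
    for lk in range(5, 0, -1):
        row = [",".join(cells.get((lk, i), [])) or "-" for i in range(1, 6)]
        lines.append(f"{lk:<4} " + "  ".join(f"{c:^7}" for c in row))
    return "\n".join(lines)


def exceptions(risks, today: date, appetite: str = "high"):
    """Items to raise at review: unowned risks, overdue treatments, and
    accepted risks whose residual band is at or above `appetite`."""
    order = [name for _, name in BANDS]  # critical, high, medium, low
    limit = order.index(appetite)
    out = []
    for r in risks:
        if r.owner is None:
            out.append((r.rid, "no risk owner assigned"))
        if r.treatment in ("open", "in progress") and r.due and r.due < today:
            out.append((r.rid, f"treatment overdue since {r.due.isoformat()}"))
        if r.treatment == "accepted" and order.index(band(r.residual)) <= limit:
            out.append((r.rid, f"accepted at residual rating '{band(r.residual)}'"))
    return out


# Constructed sample register (invented entries, for illustration only).
REGISTER = [
    Risk("R-01", "No MFA on admin accounts", 4, 5, "IT Lead", "in progress",
         due=date(2026, 1, 31), residual_likelihood=1),
    Risk("R-02", "Unpatched internet-facing VPN appliance", 3, 5, None, "open",
         due=date(2026, 3, 15)),
    Risk("R-03", "Single backup copy, same site", 2, 4, "Ops Manager", "accepted"),
    Risk("R-04", "Shadow SaaS holding customer data", 3, 3, "CFO", "mitigated",
         residual_likelihood=2, residual_impact=2),
]

if __name__ == "__main__":
    print(render_heatmap(REGISTER))
    for r in sorted(REGISTER, key=lambda r: -r.inherent):
        print(f"{r.rid} inherent={r.inherent:>2} ({band(r.inherent)}) "
              f"residual={r.residual:>2} ({band(r.residual)})")
    for rid, why in exceptions(REGISTER, REVIEW_DATE):
        print(f"EXCEPTION {rid}: {why}")
```

The exception list is the part worth carrying into the board pack: a heatmap shows where risks sit, but an accepted risk that is still "high" after treatment, or an open item whose due date has passed, is what the board actually needs to decide on.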
3. Compliance guidance
Growth service
Many clients come to a vCISO because they need to achieve or maintain compliance with specific frameworks. You guide them through the requirements of SOC 2, ISO 27001, Cyber Essentials, or industry-specific regulations. This includes mapping current controls to framework requirements, identifying gaps, managing evidence collection, and preparing for audits.
4. Board-level reporting
Growth service
Translating technical security posture into language that boards and executives understand is one of the highest-value vCISO skills. You produce quarterly or monthly board packs that summarize risk posture, highlight key changes, track remediation progress, and provide strategic recommendations. These reports need to be concise, visual, and actionable.
5. Policy development
Growth service
Most SMBs lack foundational security policies. You develop, review, and maintain the policy suite that underpins their security program: acceptable use, access control, data classification, incident response, business continuity, and more. Policies need to be practical, enforceable, and aligned with the compliance frameworks the client is pursuing.
6. Incident response oversight
Premium service
You help clients prepare for and respond to security incidents. This includes developing an incident response plan, defining roles, decision authority and communication chains, conducting tabletop exercises, and providing guidance during actual incidents. You are not the SOC or MSSP handling operational response; you are the strategic advisor ensuring the organization responds effectively and meets its regulatory, contractual, and cyber insurance notification obligations, many of which run on fixed clocks from the moment an incident is confirmed.
7. Vendor risk management
Premium service
As organizations rely on more third-party SaaS tools and service providers, vendor risk becomes a critical concern. You help clients maintain a vendor inventory, conduct due diligence assessments on critical vendors, track contract and certification status, and report on third-party risk exposure. This is increasingly required by compliance frameworks and cyber insurance carriers.
How should you package vCISO services into tiers?
Packaging services into clear tiers makes pricing transparent, simplifies sales conversations, and creates natural upsell paths as clients mature. Here is a three-tier model that works for most vCISO consultants:
Essentials Tier
$1,500-$3,000/mo
The entry point for clients who need baseline security governance but are not yet pursuing formal compliance. Includes an annual security assessment, a maintained risk register, a basic policy suite, and quarterly executive reports.
Services included: security assessments, risk management, basic policy development, quarterly board reporting
Standard Tier
$3,000-$5,000/mo
For clients actively pursuing compliance (SOC 2, ISO 27001) or responding to cyber insurance requirements. Adds compliance guidance, evidence management, vendor risk assessments, and monthly reporting to the Essentials foundation.
Services included: all Essentials + compliance guidance, evidence tracking, vendor risk management, monthly board reporting
Premium Tier
$5,000-$8,000+/mo
Full virtual CISO engagement. Includes all services plus incident response oversight, board meeting attendance, security awareness program guidance, cyber insurance liaison, M&A security due diligence support, and dedicated strategic advisory hours.
Services included: all Standard + incident response, board attendance, security awareness, cyber insurance support, strategic advisory
How does CisoDeck support each vCISO service?
CisoDeck was designed with these exact service categories in mind. Every platform feature maps to a specific vCISO deliverable, eliminating the gap between advisory work and client-facing output.
| vCISO service | CisoDeck feature | Output |
|---|---|---|
| Security assessments | Multi-framework assessment engine | Maturity scores, gap analysis, remediation roadmap |
| Risk management | Risk register with heatmap | Risk register PDF, heatmap visualization, treatment plans |
| Compliance guidance | Compliance tracking + evidence library | Control mapping, evidence index, readiness reports |
| Board reporting | Board pack generator | White-label PDF board packs with executive summary |
| Policy development | Policy management | Policy library, review tracking, framework mapping |
| Incident oversight | Incident tracking | Incident log, timeline, post-incident reports |
| Vendor risk | Vendor risk management | Vendor inventory, due diligence reports, risk scores |
What should you charge for vCISO services?
Pricing depends on scope, client size, and your market. As a working range, vCISO retainers in 2026 typically fall between $1,500 and $8,000 per month. Enterprise clients with complex environments and regulatory requirements often pay $10,000 or more per month for comprehensive virtual CISO coverage.
The key to sustainable pricing is tying your fee to the value delivered, not the hours worked. A quarterly board pack that takes you 15 minutes to generate with CisoDeck is worth hundreds of dollars to the client because it provides the executive visibility they need for board governance and cyber insurance requirements. Price for value, not for time.
Your platform costs are minimal relative to revenue. CisoDeck's Starter plan at $49/mo supports up to 5 clients, meaning your tool cost per client is under $10/mo even at the lowest retainer tier. The Professional plan at $129/mo supports up to 15 clients, and the Consultancy plan at $299/mo supports unlimited clients. See the full breakdown on our pricing page.
Frequently asked questions
- What services should a vCISO offer?
- Core vCISO services include security assessments, risk management, compliance guidance, board reporting, policy development, incident response oversight, and vendor risk management. Most consultants start with assessments and risk registers, then expand into compliance and board reporting as the engagement matures.
- How much should I charge for vCISO services?
- vCISO retainers typically range from $1,500 to $8,000+ per month depending on scope, client size, and engagement depth. A basic security essentials package starts around $1,500/mo, compliance-driven engagements usually land between $3,000 and $5,000/mo, and a full vCISO retainer with board attendance and strategic advisory can exceed $8,000/mo.
- How many clients can one vCISO consultant manage?
- With efficient tooling, a solo vCISO can typically manage 5 to 10 active client engagements. The exact number depends on engagement depth, client maturity, and how much time each retainer requires. Using a platform like CisoDeck to automate reporting and assessments significantly increases capacity.
- What qualifications do I need to offer vCISO services?
- There is no single required certification, but common credentials include CISSP, CISM, CISA, and CompTIA Security+. More important than certifications is hands-on experience with security program management, risk assessment, and compliance frameworks. Clients value practical expertise over credential lists.
- How do I find vCISO clients?
- The most effective channels are referrals from existing professional networks, partnerships with MSPs and IT providers, LinkedIn thought leadership, and local business association events. Many consultants also gain clients through compliance-driven demand: companies that need SOC 2 or ISO 27001 readiness and cannot justify a full-time CISO.
- What is the difference between a vCISO and a security consultant?
- A security consultant typically handles a specific project (penetration test, audit, policy review) with a defined start and end date. A vCISO provides ongoing strategic security leadership on a retainer basis, acting as the client organization's fractional chief information security officer over months or years.
- Do I need a vCISO platform to deliver these services?
- Not strictly, but a dedicated platform significantly improves efficiency and deliverable quality. Most consultants managing more than two clients find that the time savings from automated reporting, standardized assessments, and centralized risk management more than pay for the platform cost.
- How does CisoDeck support vCISO service delivery?
- CisoDeck provides multi-client workspaces, multi-framework assessments (NIST CSF 2.0, SOC 2, ISO 27001, Cyber Essentials), risk registers with heatmaps, board-ready PDF reports, policy management, evidence tracking, vendor risk management, and incident logging. Each feature maps directly to a core vCISO service deliverable.