About pricing
Our pricing is structured according to the three types of services offered: ongoing retainers, project-based implementation, and on-demand consulting. If you have a problem that doesn’t fit any of them, don’t hesitate to reach out →
Reduced rates are available for organizations genuinely advancing human welfare and environmental protection. Check our community pricing below →
All prices exclude VAT where applicable.
Leadership retainers
vCRO / vCISO
For organizations needing ongoing security or risk oversight
| Engagement | Delivery | Price (€/mo.) |
|---|---|---|
| One day per week: Suitable for organizations needing strategic oversight and decision support without day-to-day operational involvement. | Remote onboarding with semi-annual on-site alignment. | 4,900 |
| Two days per week: Suitable for organizations requiring active support across functions and ongoing operational guidance. | On-site onboarding with semi-annual on-site alignment. | 9,800 *8,300 |
| Three days per week: Suitable for organizations whose needs approach full-time leadership without justifying a dedicated hire. | On-site onboarding with quarterly on-site alignment. | 14,700 *12,400 |
What’s included:
- Rapid onboarding in month one, including up to two days of discovery work at no additional cost.
- Rolling monthly engagement with one month notice period.
- Support hiring or building the profile internally when you are ready to transition to a full-time executive.
*Discounted rates (-15%) applicable from month seven.
Implementation projects
Risk / ISMS
For organizations establishing an independent capability
Project cost depends on organizational complexity, portfolio diversity, and your current state (current practices, maturity of business processes, existing documentation, etc.). Each project is scoped individually based on your needs. We bill time and materials, at a rate of 1,120 €/day.
| Service | Delivery | Typically (€) |
|---|---|---|
| Risk framework implementation: Suitable for organizations looking to consolidate risk management across business functions. Includes establishing a risk governance structure, methodology design, definition of workflows, team training & support, risk assessment support, integrated risk register and management report. | Remote, with three on-site sessions: kick-off, risk assessment & training, management report & closing. Duration: 3 – 6 months | 17,900 – 35,800 |
| ISO/IEC 27001 ISMS implementation: Suitable for organizations looking for a managed process to ISO/IEC 27001 certification. Includes ISMS implementation (organizational context analysis, scoping, gap analysis, security governance structure design, risk assessment support, risk treatment planning, statement of applicability (SOA), policy development, control design, control implementation support, stakeholder training) as well as management reporting, support in documentation and evidence management, and audit support. | Remote, with four on-site sessions: kick-off, risk assessment & treatment plan approval, management review and audit support. Duration: 6 – 12 months | 45,900 – 97,500 |
| ISO/IEC 27001 compliance advisory: Suitable for organizations with established security management capability needing guidance and advice on ISO/IEC 27001 alignment and certification. Includes guidance on ISO/IEC 27001 requirements, overview of the certification process, gap analysis, weekly progress check-ins, on-demand reviews and advice. | Remote, with optional paid on-site presence for key events. | 9,100 – 21,300 |
| Compliance readiness: Suitable for organizations targeting compliance with one of the supported frameworks: NIS2, GDPR, CRA, DORA, PCI DSS, SOC 2 or CSA STAR. Includes gap analysis & remediation plan, implementation support, documentation and evidence management, team training, as well as audit support where applicable. For ISO/IEC 27001 compliance please check the dedicated services above. | Delivered either as a managed process or advisory service. | Depends on framework and delivery method. |
Ranges shown above represent typical service price and project duration for small to medium enterprises (SMEs). When planning, however, you should account for costs beyond what we bill, such as internal staff effort, auditors, and certification bodies where applicable. If you want more insight into how different cost factors scale, as well as how to plan properly for success, the following ISO/IEC 27001 budget planning write-up is one of the best out there ↗
If something looks too good to be true, then it almost certainly is!
When researching implementation cost and timelines, make sure you rely on credible sources. There is a lot of misinformation on the internet, and we have noticed a lot of AI-generated content on the topic in which the numbers simply don’t add up. We have nothing against AI, but we do have something against misinformation.
The same goes for tools and template packs that promise almost instant compliance. While tools and templates are very useful, signing off a policy without implementing it in practice is one of the “worst offenses” in security compliance, and a recipe for failure. Your customers, the industry and public authorities are interested in pragmatic but true security, not theater.
Need to meet a compliance deadline?
If you’re facing regulatory deadlines or certification requirements with tight timelines, compressed implementation is possible. Feasibility and time gained depend on availability, your commitment, and risk tolerance. We concentrate the work into higher monthly intensity with primary focus on meeting requirements efficiently, deprioritizing capability development.
Total cost typically remains similar to standard timelines. What changes is delivery speed at the expense of reduced knowledge transfer and overall maturity. Note that if you choose this route you should plan for a follow-up after reaching your milestone in order to achieve sustainable capability — often required for continued compliance.
We don’t recommend this approach unless you absolutely need it!
Review & Advice
For light engagements and pre-defined deliverables
Advisory work is purchased as 5-hour packages, valid for 30 days. For ongoing access over multiple months, multiple packages can be purchased as a light retainer. Pre-defined assessments are available at fixed prices.
| Service | Deliverables | Price (€) |
|---|---|---|
| Organization context analysis: Facilitated analysis based on a structured workshop (up to four stakeholders) using SWOT, PESTLE, and Porter’s Five Forces frameworks. | Organizational context report, consolidating internal capabilities, external factors and competitive environment, suitable for strategic planning and ISO/IEC 27001 documentation. | 5,600 |
| Maturity review: Assessment of current security or risk practices, with included organizational context analysis. | Report on organizational context, the state of current practices, proposed target state based on organizational context and recommendations on achieving the proposed target state. | 8,900 |
| Advisory Package: Five hours of expert consultation, used flexibly within 30 days. | Expert consultation on security or risk topics of your choice, used for second opinions, guidance, risk assessment facilitation, or ad-hoc questions. | 700 |
Other fixed-price deliverables, such as gap analysis against specific frameworks or security architecture reviews, can be arranged on request.
Community pricing
For organizations advancing human welfare
If you are a charity, cooperative, social enterprise, or any organization genuinely advancing human welfare and environmental protection, we offer up to 30% lower rates. Legal structure is not what qualifies you - intent is. Reach out and we can have a quick chat to assess if there is alignment in values.