Pospíšil Petr | CyberPOPE Independent Consultant | Cybersecurity Architect & vCISO
Founder-Led European SMEs

Retained security advisor

For founder-led European SMEs that need customer assurance, ISO 27001, or NIS2 readiness - without hiring a full-time CISO or creating unnecessary compliance overhead.

Usually, the trigger is not a breach. It is a customer questionnaire, an enterprise tender, an ISO 27001 expectation, a NIS2 question, or the uncomfortable feeling that security work is scattered across people, tools, and forgotten documents.

Where You Stand

Maturity model

Before choosing CIS Controls, ISO 27001, or NIS2 readiness, first identify how security currently works inside the business.

Most founder-led SMEs already have some tools, policies, and customer-facing answers. The problem is that security work is often fragmented, undocumented, or only activated when pressure appears.

This model shows the shift from reactive security, through compliance pressure, toward a working ISMS that supports real business decisions.

Stage 1

Reactive

Security is handled when something breaks, a customer asks a difficult question, or an incident forces action.

Stage 2

Compliance-Driven

Security work happens around audits, tenders, questionnaires, or regulation - but ownership, evidence, and follow-up are still inconsistent.

Stage 3

Working ISMS

Security is reviewed, evidenced, improved, and used in business decisions before customers, auditors, or regulators force the issue.

Most SMEs I help are between Stage 1 and Stage 2. The retainer turns security from occasional project work into a managed operating rhythm.

Frameworks

Which framework applies

CIS CRITICAL CONTROLS

Practical technical hardening, prioritised safeguards.

ISO 27001

Formal ISMS, certification, Statement of Applicability.

NIS2 DIRECTIVE

Management accountability, incident reporting, regulator-facing evidence.

Shared core

  • Asset register
  • Risk management
  • Access control
  • Supplier assurance
  • Incident readiness
  • Evidence

These controls show up in every path. What changes is the formality, the audience you prove them to, and the unique extras each framework adds.

Moving up is a scope increase, not a restart - the work you already did stays in scope.

Choose Your Path

Pick the lightest path

Practical baseline

CIS Critical Controls

Use when
Customer questionnaires, GDPR basics, general assurance.
Result
A defensible security baseline.
Best for
Small SMEs that need credible basics without certification overhead.

Working ISMS

ISO 27001

Use when
Tenders, enterprise customers, investors, formal evidence.
Result
A working ISMS with a clear route to certification.
Best for
Growing SMEs that need proof, not just good intentions.

Regulated readiness

NIS2 Directive

Use when
NIS2 obligations, critical sectors, supply-chain pressure.
Result
Management-ready evidence, reporting, governance rhythm.
Best for
Regulated or near-regulated companies.

Start Here

First step: assessment

Two ways in. Both end with a recommended path and a recommended retainer level.

Still scoping

Discovery

For buyers still scoping.

You get
A short written recommendation, the likely path, and a high-level direction.
Best when
You are unsure whether CIS Critical Controls, ISO 27001, or the NIS2 Directive is the right level.

Ready to act

Roadmap Assessment

For buyers ready to act.

You get
Current-state review, gap analysis, prioritised roadmap, and a recommended retainer level.
Best when
You already know security work is needed and want sequencing.

Keep It Moving

Monthly cadence options

The assessment defines the path. The retainer keeps it alive. Three levels, set after the assessment and flexed as the business changes.

~8H / MO

Foundation

  • Context retained under NDA; familiar with your stack, risks, and team
  • Support for customer questionnaires, supplier questions, and security decisions
  • Quarterly review keeps the roadmap and evidence model alive

~2-4D / MO

Programme

  • Active roadmap delivery
  • Quarterly risk and supplier reviews
  • ISMS or compliance work moving in the background

~2-3D / WK

Embedded

  • Near full-time presence
  • Certification pushes or NIS2 readiness sprints
  • Deep involvement in your team's daily work

Most clients move along this spectrum over time. The level is set after the assessment and can flex up or down as the business changes.

One framework contract, predictable monthly fee, scope flexes month by month.

Advisory Boundary

What I own, what you own

I do not replace the CEO, act as a 24/7 SOC, or take legal accountability for incidents. I advise, prioritise, document decisions, help implement best practices, and support incident preparedness. Final business decisions remain with management.

For material residual risk, I will also recommend practical transfer options such as cybersecurity insurance - because mature security is a mix of prevention, preparedness, accountability, and risk transfer.

Book a call

I will recommend Discovery or a Roadmap Assessment, and the retainer level that follows.

