concepture

Cybersecurity

Fractional CISO

Strategic security leadership on demand — a Fractional CISO (also known as a virtual CISO, vCISO) owning governance, risk and compliance and reporting to executive management.

Overview

Not every organization needs — or can find — a full-time CISO. With a Fractional CISO (also known as a virtual CISO, vCISO) you get experienced security leadership as a standing engagement: strategically anchored, reporting to executive management and independent. We answer the question of what needs to be protected and why — and lead security as a coherent organizational architecture, not as a collection of isolated measures.

In many companies it is not the measure that is missing, but the structure: policies, controls and tools exist, yet no one prioritizes risk, anchors accountability and documents decisions traceably. This is exactly where the Fractional CISO comes in. They govern information security along the Govern function of NIST CSF 2.0, establish an operating model for governance, risk steering and executive reporting, and ensure audit-ready evidence — without the fixed cost of a permanent hire.

The Fractional CISO steers — they do not build. Establishing an ISMS or BCMS is a dedicated project with a defined scope of work, not part of ongoing leadership. Particularly under NIS2, the personal, non-delegable accountability of leadership comes into focus (Sec. 38 BSIG): management must approve measures, define risk tolerances and monitor their effectiveness. The Fractional CISO provides the governance and reporting that allow leadership to meet this obligation.

Standards & norms

  • NIST CSF 2.0 (Govern)
  • ISO/IEC 27001
  • NIS2 / Sec. 38 BSIG

Frequently asked questions

What does a Fractional CISO actually do?

A Fractional CISO (also known as a virtual CISO, vCISO) owns the strategy and governance of information security as an external leadership role on demand — risk management, policies, service-provider management, audit preparation and reporting to management and oversight bodies. They steer security but do not operate the technology.

How does the Fractional CISO differ from the eCSP?

The Fractional CISO is the architect: they define what needs to be protected and why, and own governance, risk and compliance. The External Cyber Security Professional (eCSP) is the site manager: they implement the requirements technically. The two roles are separately accountable but closely aligned.

Does a Fractional CISO help with NIS2 and DORA requirements?

Yes. Both regimes require effective governance and evidence. The Fractional CISO establishes the necessary governance along NIST CSF 2.0 (Govern) and ISO/IEC 27001 and provides the reporting that lets management meet its monitoring obligation under Sec. 38 BSIG.