Independent Standard

What a vCISO Should Actually Deliver: An Independent Checklist

The vCISO market grew fast alongside compliance automation platforms. The service is genuinely valuable when scoped well — and genuinely disappointing when it isn't. Most disappointment traces to one root cause: nobody defined what "vCISO" means for this specific engagement. This page fixes that.

The three things people call "vCISO"

Diagram of the three tiers of vCISO services — platform management, GRC program management, and strategic security leadership — with typical monthly pricing for each tier
Three genuinely different services share one job title; the price bands overlap far less than the pitches do.

Before evaluating any vCISO provider or pitch, it helps to understand that "vCISO" is used to describe at least three meaningfully different service models — and they're priced very differently.

Tier 1: Platform management

"We'll run your Vanta or Drata" — keeping integrations connected, triaging failing tests, maintaining evidence currency. This is legitimate and valuable, but it's compliance operations, not a CISO function. Providers who do this well deliver real value; providers who pitch it as strategic security leadership are overselling.

Typical value: $1,000–$2,500/month

Tier 2: GRC program management

Policies, risk register, vendor risk reviews, audit preparation coordination, framework gap assessments. The most common real deliverable in the market. This is where most mid-market companies actually need help, and where a well-scoped engagement provides strong ROI.

Typical value: $2,500–$5,000/month

Tier 3: Strategic security leadership

Board reporting, security roadmap ownership, incident readiness, architecture input, vendor security oversight at the strategic level. The actual CISO function — and the thing most vCISO pitches imply you're getting.

Typical value: $5,000–$10,000+/month

The problem isn't any of these three tiers — it's when providers pitch tier 3 language at tier 3 prices and deliver tier 1 or tier 2 work. That usually happens not from bad faith, but because the scope was never written down clearly. The checklist below gives you a concrete standard for what should exist in a full vCISO engagement.

The 25-Point vCISO Deliverables Checklist

Check what currently exists in your engagement. Use this to evaluate a pitch, audit your current provider, or confirm what your vCISO is delivering.


Program Foundations

Ongoing Operations

Audit & Framework

Communication & Leadership

Incident & Resilience

How to use this checklist

Evaluating a pitch: Walk through each category with the provider. For every item, ask explicitly: is this in scope for our engagement, and if so, what does delivery look like? Items that aren't in scope aren't a dealbreaker — but they should be explicit exclusions, not silent gaps. Get scope in writing.

Auditing your current vCISO: Check what exists today — not what you've been told exists, but what you can see and verify. Score your results:

  • 20–25: Strong engagement. You have clear evidence of delivery across the program.
  • 12–19: A scope conversation is needed. Identify which categories are thin and address them explicitly.
  • Under 12: You are paying for a title, not a function. The vCISO Audit is designed for this situation.

If you're a vCISO: This is the standard. Sharing this checklist with clients and showing them clearly where you stand on each item builds trust and surfaces scope gaps before they become relationship problems. Good vCISOs welcome this kind of transparency.

Want an independent read on your vCISO engagement?

The vCISO Audit is a $750 independent review. We assess what your provider has actually delivered against this checklist and give you a written scorecard with a clear verdict — on track, gaps to address, or time for a change.



Not sure how to interpret your checklist results?

A free 30-minute consultation maps your exact situation — what data moves, what doesn't, whether your timeline is viable, and what the switch will actually cost in time and disruption.

Independent advice. Not affiliated with any platform vendor.
