What a vCISO Should Actually Deliver: An Independent Checklist
The vCISO market grew fast alongside compliance automation platforms. The service is genuinely valuable when scoped well — and genuinely disappointing when it isn't. Most disappointment traces to one root cause: nobody defined what "vCISO" means for this specific engagement. This page fixes that.
The three things people call "vCISO"
Before evaluating any vCISO provider or pitch, it helps to understand that "vCISO" is used to describe at least three meaningfully different service models — and they're priced very differently.
Platform management
"We'll run your Vanta or Drata" — keeping integrations connected, triaging failing tests, maintaining evidence currency. This is legitimate and valuable, but it's compliance operations, not a CISO function. Providers who do this well provide real value; providers who pitch it as strategic security leadership are overselling.
Typical value: $1,000–$2,500/month
GRC program management
Policies, risk register, vendor risk reviews, audit preparation coordination, framework gap assessments. The most common real deliverable in the market. This is where most mid-market companies actually need help, and where a well-scoped engagement provides strong ROI.
Typical value: $2,500–$5,000/month
Strategic security leadership
Board reporting, security roadmap ownership, incident readiness, architecture input, vendor security oversight at the strategic level. The actual CISO function — and the thing most vCISO pitches imply you're getting.
Typical value: $5,000–$10,000+/month
The problem isn't any of these three tiers — it's when providers pitch tier 3 language at tier 3 prices and deliver tier 1 or tier 2 work. That doesn't always stem from bad faith; more often it comes from scope that was never written down clearly. The checklist below gives you a concrete standard for what should exist at a full vCISO engagement level.
The 25-Point vCISO Deliverables Checklist
Check what currently exists in your engagement. Use this to evaluate a pitch, audit your current provider, or confirm what your vCISO is delivering.
Program Foundations
Ongoing Operations
Audit & Framework
Communication & Leadership
Incident & Resilience
How to use this checklist
Evaluating a pitch: Walk through each category with the provider. For every item, ask explicitly: is this in scope for our engagement, and if so, what does delivery look like? Items that aren't in scope aren't a dealbreaker — but they should be explicit exclusions, not silent gaps. Get scope in writing.
Auditing your current vCISO: Check what exists today — not what you've been told exists, but what you can see and verify. Score your results:
- 20–25: Strong engagement. You have clear evidence of delivery across the program.
- 12–19: A scope conversation is needed. Identify which categories are thin and address them explicitly.
- Under 12: You are paying for a title, not a function. The vCISO Audit is designed for this situation.
If you're a vCISO: This is the standard. Sharing this checklist with clients and showing them clearly where you stand on each item builds trust and surfaces scope gaps before they become relationship problems. Good vCISOs welcome this kind of transparency.
Want an independent read on your vCISO engagement?
The vCISO Audit is a $750 independent review. We assess what your provider has actually delivered against this checklist and give you a written scorecard with a clear verdict — on track, gaps to address, or time for a change.
Frequently asked questions
Not sure how to interpret your checklist results?
A free 30-minute consultation maps your exact situation — what data moves, what doesn't, whether your timeline is viable, and what the switch will actually cost in time and disruption.
Independent advice. Not affiliated with any platform vendor.