Security Programme Build
Build your security function from the ground up — structured, efficient, and built to last.
What it is
Most SMEs don't need a CISO — they need someone to build the foundations of a security programme so that when they do hire, there's something solid to build on. We design and implement the entire security function: strategy, processes, policies, tooling, and team.
Is this for you?
You've never had dedicated security focus, or your security was handled reactively by IT. Now you need structure — for compliance, investors, customers, or just peace of mind.
- Series A or B fundraising — investors want to see a security programme
- Enterprise sales cycles requiring security documentation and evidence
- ISO 27001 or Cyber Essentials certification is on your roadmap
- You've had a security incident and need to build properly going forward
- GDPR obligations are accumulating and you need a data protection framework
What you get
A structured three-phase approach. We don't just hand over documents — we build working systems that your team can operate.
- Phase 1 — Assessment: Technical and governance gap analysis against your target maturity level
- Phase 2 — Design: Security strategy, policy framework, tool selection, RACI matrix
- Phase 3 — Implementation: Tool deployment, process implementation, team training, first audit prep
Deliverables
Every programme build includes the full toolkit your team needs to operate independently:
- Information Security Management System (ISMS) — policy suite covering all ISO 27001 Annex A controls
- Risk register with treatment plans, updated quarterly
- Tooling blueprint — what to buy, what to skip, what to build
- Incident response plan with runbooks for the top 10 scenarios
- Security awareness training programme and phishing simulation
- Vendor security review process and third-party risk register
Day rate
From £1,200 per day. Programme builds are scoped at the start — expect a 20–60 day engagement depending on your starting point and target maturity.