SFF

Security Functions | Foundation

For small and mid-sized organisations where the responsibility for Information Security falls on someone who already has a full-time role, an IT manager, Operations Lead, Compliance Officer, or Product Owner who suddenly also becomes “the security person”.

Contact us

Who is this for

Ideal for companies with a relatively simple technical environment, limited governance structure, and a security program that ranges from non-existent to early-stage. Following is an overview of the services included.

We provide the structure, expertise, and ongoing support needed to confidently build and maintain an Information Security Management System for a standard or regulations such as ISO, GDPR, DORA, NIS2, or SOC2.

Pricing and terms

  • Setup fee: 2.000 EUR (one time)

  • Monthly fee: 1.600 EUR

  • Included hours: 16 hours per month

  • Subscription period: 12 months

Trial period

Our subscription runs on a 12-month cycle, but the first 3 months function as a trial period. During this time, you can evaluate the collaboration and the value it delivers. If the service does not meet your expectations, you may stop the engagement at any point within those first 3 months, no further commitment required.

What is included

  • Lightweight strategic structure to keep the programme aligned and on track.

    • Initial Information Security or compliance programme setup guidance

    • High-level security planning for year-one priorities

    • Quarterly security review meetings

    • Senior on-demand advisory for key decisions and unfamiliar requirements

    • Basic support preparing inputs for annual management reviewption text goes here

  • Core governance and compliance activities to maintain an ISMS or early-stage information security programme.

    • Policy and governance framework maintenance

    • Documented information review (policies, procedures, evidence)

    • Access to templates, guidelines, and structured advisory materials

    • Annual risk assessment and treatment plan

    • Annual internal audit (check last section for standards and regulations in scope)

    • Assistance preparing for external audits

    • Certification body identification & relationship support (if applicable)

    • Secure collaboration workspace for all documentation

    • Included GRC tools for tracking evidence, risks, and documents

  • Basic operational visibility and early-stage support for security processes.

    • Quarterly external attack surface scan reports (baseline visibility)

    • High-level guidance on operational processes (access, change, incidents)

    • Advisory support for interpreting operational findings or alerts

    • Recommended actions and prioritised next steps for improvements

  • Essential readiness and verification support, without deep technical testing.

    • Internal audit (as listed in GRC) with security control validation

    • Support preparing for certification or surveillance audits

    • Light review of supplied reports (pen tests, vendor SOC2 reports, etc.)

    • Guidance on interpreting findings from external assessments or tools