Security Assessments

Thompson InfoSec runs one-time security assessments for growing B2B SaaS companies. You get a clear, prioritized read on where your security actually stands and what to fix first, whether you have an established security team or you’re building one from the ground up.


ISO 27001 Readiness

ISO 27001 certification signals mature information security practices to customers, partners, and regulators. I help you get there efficiently.

  • Gap analysis: assess your current controls against ISO 27001 Annex A requirements
  • ISMS development: build or refine your Information Security Management System documentation
  • Risk treatment planning: develop risk treatment plans aligned with the standard’s requirements
  • Audit preparation: mock audits and readiness reviews so you’re confident before the real thing

Case Study: After a GRC team departure, I rebuilt a compliance program from disarray and achieved ISO 27001 certification on the first attempt, alongside SOC 2, HIPAA, and HITRUST. Read the full case study →


SOC 2 Readiness

Whether you’re pursuing Type I or Type II, I guide you through the process from initial scoping to audit day.

  • Trust Services Criteria mapping: assess your controls against Security, Availability, Confidentiality, Processing Integrity, and Privacy criteria
  • Control gap identification: find where your current practices fall short and what needs to change
  • Policy and procedure development: build the documentation foundation auditors expect
  • Evidence collection guidance: set up processes to collect and maintain audit evidence continuously

Case Study: I rebuilt a compliance program from the ground up and passed SOC 2 alongside ISO 27001, HIPAA, and HITRUST, all within six months. Read the full case study →


Risk Assessment

Understanding your risk landscape is the foundation of any effective security program. I conduct structured risk assessments that give you a clear picture of where you stand and where to invest.

  • Threat and vulnerability identification: map your organization’s threat landscape
  • Risk scoring and prioritization: quantify risks so you can allocate resources where they matter most
  • Framework alignment: assess against NIST CSF, ISO 27001, or other frameworks relevant to your business
  • Executive reporting: clear, business-friendly deliverables your leadership team can act on

Cloud Security Assessment

Misconfigurations are the leading cause of cloud breaches. I evaluate your cloud environments (AWS, Azure, GCP, Google Workspace, Microsoft 365) to identify security gaps before they become incidents.

  • Architecture review: assess your cloud design for security best practices
  • Identity and access management: evaluate IAM policies, roles, and privilege escalation paths
  • Configuration audit: check storage, networking, logging, and encryption settings against industry benchmarks (CIS, CSA)
  • Remediation guidance: prioritized findings with clear, actionable steps your team can execute

Case Study: I performed a comprehensive Google Workspace security assessment covering CIS Benchmark controls, OAuth application governance, domain-wide delegation, email authentication, AI controls, and administrative hygiene, identifying 33 findings across five critical areas. Read the full case study →


Network Security Assessment

Gaps in network architecture and access controls create easy paths for attackers. I perform comprehensive network security evaluations to surface vulnerabilities in your infrastructure.

  • Architecture and segmentation review: evaluate network design, VLANs, and trust boundaries
  • Firewall and access control audit: review rule sets, ACLs, and ingress/egress controls
  • Vulnerability scanning: identify known vulnerabilities across hosts, services, and protocols
  • Wireless security evaluation: assess Wi-Fi configurations, encryption, and rogue access points

Case Study: I assessed a regulated technology company’s network across three continents: multiple firewalls, a colocation data center, and AWS. Read the full case study →


Looking for ongoing security leadership? See my Virtual CISO service →


Not sure if I'm the right fit?

Book a free 30-minute call. If I'm not the right fit, I'll tell you and point you to someone who is.

Book a Free 30-Min Call