What you actually receive
A common reason vCISO engagements feel "fluffy" is that the deliverables are slide decks. This page shows the concrete artefacts a Bachao.AI vCISO produces — the same documents that go into your SOC 2 / ISO 27001 evidence package and that your board sees in security reviews.
These are real samples (redacted from past engagements) of what gets delivered.
1. The Risk Register
Single spreadsheet, 25–60 rows depending on company size. Updated bi-weekly during the engagement and quarterly after.
Each risk row contains:
| Column | Example value |
|---|---|
| Risk ID | R-007 |
| Category | Access Control |
| Description | Production database admin credentials shared across 4 engineers |
| Likelihood | High |
| Impact | ₹2–8 Cr (DPDP penalty + customer churn) |
| Inherent risk score | 16 / 25 |
| Treatment | Mitigate |
| Mitigation owner | DevOps Lead |
| Mitigation actions | (1) RBAC roll-out, (2) shared admin → individual accounts, (3) audit log retention to 90 days |
| Target close date | 2026-08-15 |
| Residual risk score | 4 / 25 |
| Status | In progress |
| Evidence link | confluence://security/r-007 |
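The scoring behind a row like R-007 (High × High = 16/25 inherent, residual 4/25) and the consistency checks a vCISO runs before each bi-weekly update can be expressed in a few lines; the following is an added illustration, not part of the Bachao.AI deliverable. The 5-point ordinal scale, the risk-appetite threshold and the residual likelihood/impact split are assumptions, since the page shows only the combined scores.

```python
from dataclasses import dataclass
from datetime import date

# Assumed 5-point ordinal scale for a 5x5 matrix: High x High = 16/25 and
# Low x Low = 4/25 reproduce the inherent and residual scores of the sample row.
SCALE = {"Very low": 1, "Low": 2, "Medium": 3, "High": 4, "Very high": 5}
TREATMENTS = {"Mitigate", "Accept", "Transfer", "Avoid"}

@dataclass
class Risk:
    risk_id: str
    category: str
    description: str
    likelihood: str          # inherent rating on SCALE
    impact: str              # inherent rating on SCALE; the rupee range is kept in impact_note
    impact_note: str
    treatment: str
    owner: str
    actions: list
    target_close: date
    residual_likelihood: str
    residual_impact: str
    status: str
    evidence: str

    def inherent_score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]

    def residual_score(self) -> int:
        return SCALE[self.residual_likelihood] * SCALE[self.residual_impact]

def validate(risk: Risk, today: date, appetite: int = 6) -> list:
    """Findings for one register row; an empty list means the row is audit-ready.
    `appetite` (max tolerated residual score) is an assumed threshold."""
    findings = []
    if risk.treatment not in TREATMENTS:
        findings.append("unknown treatment")
    if risk.residual_score() > risk.inherent_score():
        findings.append("residual exceeds inherent")
    if risk.treatment == "Mitigate" and not risk.actions:
        findings.append("mitigate without actions")
    if risk.status != "Closed" and risk.target_close < today:
        findings.append("overdue")
    if risk.status == "Closed" and not risk.evidence:
        findings.append("closed without evidence")
    if risk.residual_score() > appetite:
        findings.append("residual above appetite")
    return findings

# Constructed from the sample row R-007 shown on the page.
R007 = Risk("R-007", "Access Control",
            "Production database admin credentials shared across 4 engineers",
            "High", "High", "₹2–8 Cr (DPDP penalty + customer churn)", "Mitigate",
            "DevOps Lead", ["RBAC roll-out", "shared admin -> individual accounts",
            "audit log retention to 90 days"], date(2026, 8, 15), "Low", "Low",
            "In progress", "confluence://security/r-007")
```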
2. Sample policy: Acceptable Use Policy
12 pages, plain English. Excerpt from Section 4 (Cloud and SaaS):
> 4.1 Approved SaaS list
> Engineering, finance, and HR may use SaaS tools only from the Approved list maintained in confluence://it/approved-saas. Adding a new tool requires submitting a 1-page Vendor Risk Assessment (template in confluence://templates/vendor-risk) reviewed within 2 working days by the vCISO or designated security owner.
>
> 4.2 Personal device access
> Personal laptops may access company resources only through the company VPN and only after MDM enrollment. Personal mobile devices may access email and Slack with the company MDM profile installed. Personal devices may not store customer personal data offline.
>
> 4.3 Generative AI use
> Employees may use approved generative AI tools (currently: ChatGPT Team, Claude.ai with team plan, GitHub Copilot Business) for general productivity. Customer data, source code, financial data, and personal data may not be pasted into any consumer or unapproved AI tool. Suspected accidental paste must be reported within 24 hours.
Every policy includes: scope, approval, definitions, controls, monitoring, enforcement, and review cadence.
3. Sample policy: Incident Response Playbook
15 pages with decision trees. Excerpt from the Detection-to-Containment section:
The decision tree maps every observed signal to a severity level (S1–S4), each with prescribed timelines.

> Severity 1 (potential data breach)
>
> Within 30 minutes:
> - On-call engineer pages the vCISO via priority hotline
> - vCISO opens an Incident Channel in Slack (channel name pattern: #ir-yyyy-mm-dd-)
>
> Within 6 hours (CERT-In Rule 3 obligation):
> - Affected systems are isolated (network ACL or revoke API keys; documented in playbook)
> - Forensic snapshot captured before any remediation
>
> Within 24 hours:
> - Initial incident report filed to incident@cert-in.org.in using the template in confluence://ir/cert-in-template
>
> Within 72 hours (DPDP Section 8(6)):
> - Customer notification draft (template in confluence://ir/customer-notice) reviewed by legal counsel
> - DPB India notification if breach of personal data is confirmed
4. The 90-day Security Roadmap
Single-page Gantt chart plus table. Sample week-1 and week-2 entries:
| Week | Owner | Task | Status | Evidence |
|---|---|---|---|---|
| W1 | DevOps Lead | Enforce MFA on AWS root | Done | screenshot in confluence://evidence/mfa-aws-root |
| W1 | CTO | Migrate .env secrets to AWS Secrets Manager | In progress | jira://ENG-432 |
| W1 | HR Lead | Send Acceptable Use Policy to all employees | Done | acks 23 of 28 in google-form |
| W2 | DevOps Lead | Enable CloudTrail log retention 90 days | Done | aws-config check passed |
| W2 | vCISO | Customer security questionnaire (Capgemini) | Pending customer | draft in confluence://qs/capgemini-2026-04 |
5. The Compliance Mapping
For SOC 2 / ISO 27001 / DPDP / SEBI CSCRF engagements, the vCISO maintains a control-to-evidence mapping spreadsheet.
Example for SOC 2 CC6.1 (Logical and Physical Access Controls):
| Control | Operational evidence | Document evidence | Status |
|---|---|---|---|
| CC6.1.a (MFA on critical systems) | aws-config snapshot showing MFA enforced | screenshot in evidence/CC6.1.a.png | Operational |
| CC6.1.b (RBAC documented) | IAM policy review log | doc-id: ACS-001 | Operational |
| CC6.1.c (Quarterly access review) | last 4 quarters' access review records | sheet-id: ACS-Q-Reviews | Operational |
6. Board-ready security report (quarterly)
8-slide PDF deck delivered the last week of each quarter. Outline:
- Top 5 risks accepted by leadership this quarter
- Top 5 risks mitigated this quarter
- Open audit findings & treatment status
- Customer security questionnaires answered (count + close rate)
- Incident summary (count, severity, response time)
- Compliance posture (SOC 2 / ISO 27001 / DPDP / SEBI status)
- Spend on security (this quarter vs budget)
- Next quarter priorities
How to get these
These deliverables are produced for every Bachao.AI vCISO engagement. They're not slides — they're the working artefacts your team uses every day after the engagement ends. The 90-day sprint produces all six. Ongoing retainer keeps them current.
Start a vCISO engagement → the first scoping call is free.
