vCISO and Managed ISMS
ISO 27001 and DORA maintenance - without hiring a full-time GRC team. Ongoing operating discipline for your ISMS and DORA obligations: risk register upkeep, access and supplier reviews, resilience-testing cadence, incident-reporting readiness, surveillance prep and board-level reporting.
Monthly retainer, scoped to your ISMS. Scoped on a short call.
The problem
Getting certified is a project with an end date. Staying certified - and staying compliant with DORA - is a continuous operating discipline. That is the part that does not fit neatly into a single hire or a single audit.
An experienced ISMS or GRC manager is a scarce, senior salary line. For a growing FX, fintech or SaaS team, a full headcount is more capacity than the ISMS actually needs month to month.
The moment certification is done, attention moves on. The risk register stops moving, access reviews slip, evidence scatters. Surveillance auditors are trained to spot exactly this drift.
Incident reporting, resilience testing and the ICT third-party register are ongoing duties for financial entities. Maintenance is not optional - the obligations run every month, not once a year.
What is included
The retainer carries the recurring work that keeps an ISMS alive and a DORA programme current - the cadence, evidence and reporting that auditors and regulators expect to see running all year.
New risks captured, scores revisited and closed risks retired on a cadence, so the register reads as a living record rather than a snapshot frozen at certification.
User access and supplier or sub-processor assurance reviewed on schedule, documented with sign-offs, and new suppliers assessed as they are onboarded.
A planned rhythm of resilience and recovery testing - including restore tests and scenario exercises - evidenced in a form that satisfies both ISO 27001 and DORA expectations.
Incident classification, escalation and reporting kept exercise-ready, so DORA reporting timelines and internal response paths are not improvised under pressure.
Focused reviews ahead of the annual surveillance visit and the deeper recertification review, so each audit is a confirmation rather than a fire drill.
Concise reporting that gives management and the board a real view of security performance and open actions - the record a management review clause depends on.
Findings, observations and nonconformities tracked to closure with an evidence trail, so nothing raised at one audit resurfaces at the next.
This is the retainer view of the Maintenance Retainer and the surveillance and recertification checks - one named advisor carrying the whole cadence rather than a stack of separate one-off reviews.
How it works
A monthly or quarterly cadence
Work is scheduled on a rhythm that matches your ISMS - monthly touchpoints with a quarterly deeper pass - so the operating discipline never lapses between audits.
A named advisor
You work with a consistent, named advisor who knows your scope, your SoA and your DORA obligations, rather than a rotating queue of tickets.
Light-touch, but audit-ready
The retainer is deliberately light on your team's time. We carry the cadence and the evidence discipline so your engineers stay on product while the ISMS stays ready.
Fit
A good fit if
Probably not the right fit if
Where the retainer connects
Readiness Assessment
Establish where the ISMS stands before the retainer keeps it there.
DORA Readiness
The financial-entity obligations the retainer maintains month to month.
Ongoing Support
The individual checks and reviews the retainer bundles into one cadence.
Delivered by an advisor who is CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained, IRCA Associate Auditor - ISMS and CQI Practitioner Member - PCQI.
FAQ
A managed ISMS retainer keeps ISO 27001 and DORA maintenance audit-ready between audits, with a named advisor and a cadence scoped to your ISMS. Scoped on a short call.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.