What it is
A 12-month program to assess, implement and operate a business-aligned security system with internal owners, reusable evidence and senior consulting.
A 12-month program to assess, implement and operate a business-aligned security system with internal owners, reusable evidence and senior consulting.
Problem
When an enterprise customer, auditor, insurer or investor asks how secure the company is, many organizations discover they do not have a clear, current and defensible answer.
It is unclear which risks are truly priority.
Some controls exist in practice, others only in theory.
Evidence is scattered or depends on specific people.
There is no clear ownership for deciding what gets fixed first.
Solution
The Talsoft Program uses a 6-level framework to organize posture, gaps, controls, evidence and next steps in business language. It does not always start as the full program: it can emerge from GAP, PenTest, readiness or an enterprise requirement.
Initial GAP to understand where the company stands when clarity is missing.
PenTest or Readiness as valid entry points when pressure is already concrete.
30-60-90 roadmap with owners, milestones and quick wins.
ISMS Implementation and Continuous Security Management to turn the plan into controls, evidence and cadence.
Multiple entry points
Talsoft can start with assessment, PenTest, readiness, an enterprise questionnaire or a specific risk. The goal is for every entry point to feed decisions, roadmap, evidence and continuity when it fits.
In summary
A 12-month program to assess, implement and operate a business-aligned security system with internal owners, reusable evidence and senior consulting.
SMBs, startups, SaaS and fintechs under customer, audit, cyber insurance, growth or evidence pressure.
It does not promise total security, certification, audit approval, insurance approval or absence of incidents.
How this connects to the Talsoft Operating Model
The assessment creates the shared foundation for prioritizing and measuring future cycles.
Trust reference
Talsoft supported Rivkin Securities in Australia through a six-month program to formalize its cybersecurity structure, including an ISO 27001-aligned ISMS, live risk register, incident response, centralized monitoring and external PenTest.
View Rivkin casePublished testimonials
Short references on professionalism, communication and support in cybersecurity work. Every project depends on its scope, context and objectives.
“Leandro and the team did a great job enhancing and formalising our existing security structure. The engagement was well-organised, consistently documented, and delivered to a high standard.”
“The action plan made the security audit useful and effective.”
“The service is very detailed and the report is clear. Very good report.”
“They delivered a quality service and adapted to the project's delivery timelines.”
Testimonials are qualitative references. They do not imply guaranteed outcomes or replace a context-specific assessment.
Feedback patterns
Client comments reinforce a core idea: the value is not only finding risks, but explaining priorities, being available and turning findings into concrete next steps.
Feedback highlights audits and assessments that end with concrete workstreams and improvements to implement.
Comments repeatedly mention clear responses, fluid contact and easy coordination during the project.
Several comments value team involvement when there was operational pressure or an active security issue.
Feedback references detailed and clear reports that help business and technical teams understand what to do next.
Talsoft publishes qualitative patterns and short testimonials. Logos, metrics, architectures and sensitive details are not published without explicit authorization.
Free entry point
When booking, you complete a short questionnaire. Based on that input, Talsoft prepares a first read and a mini diagnostic report to orient the next step without over-scoping the decision.
The framework organizes progress from a reactive posture toward managed, measurable security connected to the business.
Level 1
Risks and controls exist, but depend on urgency or specific people.
Level 2
Gaps, owners and initial priorities are identified.
Level 3
There is a roadmap, tracking and defensible evidence.
Level 4
Controls are reviewed with indicators and executive decisions.
Level 5
Security supports sales, audits, product and operations.
Level 6
The posture improves with cadence, learning and business change.
The six-level framework can be an entry point, a continuity backbone or the model that receives work started through PenTest, readiness or a specific need.
Startups and SMBs handling customer data, payments or critical information.
Companies receiving security questionnaires, audits or enterprise customer requirements.
Teams with firewall, antivirus, backup or cloud, but without a clear framework or organized evidence.
CEOs, CTOs, directors or IT owners who need to speak security in business language.
Organizations that need visible progress in short cycles, not endless projects.
Companies facing enterprise-sales friction due to questionnaires or evidence.
If a customer or auditor asks for your security posture tomorrow, the answer depends on who responds.
Controls exist, but evidence is not clear, current and reusable.
There is no clear owner for deciding priorities, only people executing tasks.
External pressure is expected in the next 6-12 months: RFPs, policies, audits or enterprise customers.
Assessment to understand posture, gaps, risks, evidence, owners and roadmap.
PenTest, readiness or another engagement feeds the same controls, risks, evidence and priorities.
Roadmap follow-up, new requirements, validation and evidence sustained across cycles.
Insurer checklist, critical remediations, evidence package and claim simulation based on scope.
AI use-case inventory, policies, roles, tests, runbooks and evidence based on context.
12 months · Assess · Implement · Operate
The indicative sequence turns assessment into execution and execution into an operable practice. Scope adapts to the team's context, size and capacity.
1 · Month 1
Understand context, assets, risks, controls, owners and expected evidence.
Outputs: GAP report, Risk Register, Control Matrix, evidence map, roadmap and executive readout.
2 · Months 2–6
Execute the roadmap, formalize processes and integrate governance with operations.
Outputs: Policies, procedures, RACI, runbooks, evidence, KPIs, reports and an updated backlog.
3 · Months 7–12
Verify controls, review risks, sustain evidence and prepare the next cycle.
Outputs: Management reviews, control health checks, metrics, Fractional CISO support and next annual plan.
PenTest, readiness, an enterprise questionnaire, assessment or specific risk when pressure is concrete.
For organizing posture, implementing an ISMS, assigning owners, producing evidence and sustaining improvement cadence.
Talsoft does not replace the internal owner or guarantee certification or absolute security. It provides methodology, proprietary platforms, supervised AI-assisted workflows and senior consulting.
Month 1 — Initial ISO 27001 GAP + ISMS Roadmap.
Months 2 to 6 — ISMS Implementation and prioritized roadmap execution.
Months 7 to 12 — Continuous Security Management, evidence and improvement.
Risk and priority-gap map.
Assessment against the 6-level maturity framework.
30-60-90 roadmap with owners and milestones.
Executive tracking dashboard.
Reusable evidence for customers, audits or cyber insurance.
Recommended next stage: implementation, Continuous Security Management, PenTest or Readiness.
Executive clarity on real posture.
Priorities with owners and dates.
Less improvisation during security questionnaires.
Better narrative for customers, partners, insurers and leadership.
Controls aligned to practices such as CIS v8 and ISO 27001 when applicable to scope.
Continuity so the system does not depend on internal heroes.
Business impact
Customer, partner, audit and cyber insurance pressure often appears before the company has everything organized. The program prepares posture and evidence before that moment.
Enterprise customers may request evidence before signing.
Insurers may require MFA, EDR, tested backups and incident response.
An incident forces explanations when ownership is still unclear.
Leadership needs to explain progress and risk without technical noise.
Startups, SMBs and growing teams that need to organize risk, evidence and execution.
Risk map, prioritized 30-60-90 roadmap, main gaps and required evidence to move forward.
No. It helps prepare posture, controls and evidence, but does not guarantee certifications or audit outcomes.
No. Many relationships start with PenTest, readiness, a security questionnaire, Mini Assessment or a specific risk. The program works as the framework for continuity when it makes sense.
When structural evolution is appropriate, ISMS Implementation is followed by Continuous Security Management. A PenTest or specific readiness engagement may also be next depending on risk.
Yes. The initial call helps understand context, external pressure and whether the GAP makes sense for your company.
The first step is not buying another tool. It is understanding which risk exists, which evidence is missing and what decision should be made now.