Talsoft TS
Indicative 12-month program

Annual Cybersecurity Maturity Program

A 12-month program to assess, implement and operate a business-aligned security system with internal owners, reusable evidence and senior consulting.

Problem

The issue is not having too few tools. It is not being able to explain posture under pressure.

When an enterprise customer, auditor, insurer or investor asks how secure the company is, many organizations discover they do not have a clear, current and defensible answer.

It is unclear which risks are truly priority.

Some controls exist in practice, others only in theory.

Evidence is scattered or depends on specific people.

There is no clear ownership for deciding what gets fixed first.

Solution

A progressive framework that can start from different entry points.

The Talsoft Program uses a 6-level framework to organize posture, gaps, controls, evidence and next steps in business language. It does not always start as the full program: it can emerge from GAP, PenTest, readiness or an enterprise requirement.

Initial GAP to understand where the company stands when clarity is missing.

PenTest or Readiness as valid entry points when pressure is already concrete.

30-60-90 roadmap with owners, milestones and quick wins.

ISMS Implementation and Continuous Security Management to turn the plan into controls, evidence and cadence.

In summary

What it is

A 12-month program to assess, implement and operate a business-aligned security system with internal owners, reusable evidence and senior consulting.

Who it is for

SMBs, startups, SaaS and fintechs under customer, audit, cyber insurance, growth or evidence pressure.

Main deliverables

  • Risk and priority-gap map.
  • Assessment against the 6-level maturity framework.
  • 30-60-90 roadmap with owners and milestones.

What it does not promise

It does not promise total security, certification, audit approval, insurance approval or absence of incidents.

How this connects to the Talsoft Operating Model

When there is no defensible read of current posture.

  1. Posture
  2. Risks
  3. Owners
  4. Roadmap
  5. Implementation or validation

The assessment creates the shared foundation for prioritizing and measuring future cycles.

Trust reference

Rivkin Securities case: ISMS, evidence and sustained operations.

Talsoft supported Rivkin Securities in Australia through a six-month program to formalize its cybersecurity structure, including an ISO 27001-aligned ISMS, live risk register, incident response, centralized monitoring and external PenTest.

View Rivkin case
  • Named case with a public CTO testimonial from Rivkin Securities.
  • Relevant for companies facing audit pressure, enterprise customers or international expansion.
  • The focus was not promising certification: it was organizing posture, execution, measurement and evidence.

Published testimonials

Client experiences working with Talsoft

Short references on professionalism, communication and support in cybersecurity work. Every project depends on its scope, context and objectives.

Leandro and the team did a great job enhancing and formalising our existing security structure. The engagement was well-organised, consistently documented, and delivered to a high standard.
CTORivkin Securities
The action plan made the security audit useful and effective.
Casimiro Félix Toyos e Hijos S.A.Client company
The service is very detailed and the report is clear. Very good report.
EdeaClient company
They delivered a quality service and adapted to the project's delivery timelines.
Avislatam SPAClient company

Testimonials are qualitative references. They do not imply guaranteed outcomes or replace a context-specific assessment.

Feedback patterns

What clients tend to value when working with Talsoft.

Client comments reinforce a core idea: the value is not only finding risks, but explaining priorities, being available and turning findings into concrete next steps.

Clear action plan

Feedback highlights audits and assessments that end with concrete workstreams and improvements to implement.

Fast communication

Comments repeatedly mention clear responses, fluid contact and easy coordination during the project.

Availability under pressure

Several comments value team involvement when there was operational pressure or an active security issue.

Understandable reports

Feedback references detailed and clear reports that help business and technical teams understand what to do next.

Talsoft publishes qualitative patterns and short testimonials. Logos, metrics, architectures and sensitive details are not published without explicit authorization.

Free entry point

Not sure whether you need a full GAP assessment? Start with the free mini assessment.

When booking, you complete a short questionnaire. Based on that input, Talsoft prepares a first read and a mini diagnostic report to orient the next step without over-scoping the decision.

  • Short pre-booking questionnaire.
  • Mini diagnostic report with signals and suggested next step.
  • Initial orientation without promising an audit, certification or guaranteed compliance.

Talsoft 6-level maturity framework

The framework organizes progress from a reactive posture toward managed, measurable security connected to the business.

Level 1

Reactive

Risks and controls exist, but depend on urgency or specific people.

Level 2

Organized

Gaps, owners and initial priorities are identified.

Level 3

Managed

There is a roadmap, tracking and defensible evidence.

Level 4

Measurable

Controls are reviewed with indicators and executive decisions.

Level 5

Integrated

Security supports sales, audits, product and operations.

Level 6

Evolving

The posture improves with cadence, learning and business change.

Is this for your company?

The six-level framework can be an entry point, a continuity backbone or the model that receives work started through PenTest, readiness or a specific need.

Startups and SMBs handling customer data, payments or critical information.

Companies receiving security questionnaires, audits or enterprise customer requirements.

Teams with firewall, antivirus, backup or cloud, but without a clear framework or organized evidence.

CEOs, CTOs, directors or IT owners who need to speak security in business language.

Organizations that need visible progress in short cycles, not endless projects.

Companies facing enterprise-sales friction due to questionnaires or evidence.

Signals of improvisation under pressure

If a customer or auditor asks for your security posture tomorrow, the answer depends on who responds.

Controls exist, but evidence is not clear, current and reusable.

There is no clear owner for deciding priorities, only people executing tasks.

External pressure is expected in the next 6-12 months: RFPs, policies, audits or enterprise customers.

Three ways to use the Annual Program

As an entry point

Assessment to understand posture, gaps, risks, evidence, owners and roadmap.

As a receiving model

PenTest, readiness or another engagement feeds the same controls, risks, evidence and priorities.

As a continuity backbone

Roadmap follow-up, new requirements, validation and evidence sustained across cycles.

Possible extensions

Cyber-Insurance Readiness

Insurer checklist, critical remediations, evidence package and claim simulation based on scope.

AI-Safe Adoption

AI use-case inventory, policies, roles, tests, runbooks and evidence based on context.

12 months · Assess · Implement · Operate

One program, three connected stages

The indicative sequence turns assessment into execution and execution into an operable practice. Scope adapts to the team's context, size and capacity.

  1. 1 · Month 1

    Initial ISO 27001 GAP + ISMS Roadmap

    Understand context, assets, risks, controls, owners and expected evidence.

    Outputs: GAP report, Risk Register, Control Matrix, evidence map, roadmap and executive readout.

  2. 2 · Months 2–6

    ISMS Implementation

    Execute the roadmap, formalize processes and integrate governance with operations.

    Outputs: Policies, procedures, RACI, runbooks, evidence, KPIs, reports and an updated backlog.

  3. 3 · Months 7–12

    Continuous Security Management

    Verify controls, review risks, sustain evidence and prepare the next cycle.

    Outputs: Management reviews, control health checks, metrics, Fractional CISO support and next annual plan.

A specific need does not always require an annual program

Point solution

PenTest, readiness, an enterprise questionnaire, assessment or specific risk when pressure is concrete.

Annual program

For organizing posture, implementing an ISMS, assigning owners, producing evidence and sustaining improvement cadence.

Talsoft does not replace the internal owner or guarantee certification or absolute security. It provides methodology, proprietary platforms, supervised AI-assisted workflows and senior consulting.

How we work with your company

1

Step 1

Month 1 — Initial ISO 27001 GAP + ISMS Roadmap.

2

Step 2

Months 2 to 6 — ISMS Implementation and prioritized roadmap execution.

3

Step 3

Months 7 to 12 — Continuous Security Management, evidence and improvement.

Deliverables

Risk and priority-gap map.

Assessment against the 6-level maturity framework.

30-60-90 roadmap with owners and milestones.

Executive tracking dashboard.

Reusable evidence for customers, audits or cyber insurance.

Recommended next stage: implementation, Continuous Security Management, PenTest or Readiness.

Benefits

Executive clarity on real posture.

Priorities with owners and dates.

Less improvisation during security questionnaires.

Better narrative for customers, partners, insurers and leadership.

Controls aligned to practices such as CIS v8 and ISO 27001 when applicable to scope.

Continuity so the system does not depend on internal heroes.

Business impact

Waiting does not reduce risk: it leaves the company without an answer.

Customer, partner, audit and cyber insurance pressure often appears before the company has everything organized. The program prepares posture and evidence before that moment.

Enterprise customers may request evidence before signing.

Insurers may require MFA, EDR, tested backups and incident response.

An incident forces explanations when ownership is still unclear.

Leadership needs to explain progress and risk without technical noise.

Frequently asked questions

What company size does the program serve?

Startups, SMBs and growing teams that need to organize risk, evidence and execution.

What do we get after the Initial GAP?

Risk map, prioritized 30-60-90 roadmap, main gaps and required evidence to move forward.

Does the program guarantee certification or compliance?

No. It helps prepare posture, controls and evidence, but does not guarantee certifications or audit outcomes.

Do we always need to start with the full program?

No. Many relationships start with PenTest, readiness, a security questionnaire, Mini Assessment or a specific risk. The program works as the framework for continuity when it makes sense.

What happens after the GAP?

When structural evolution is appropriate, ISMS Implementation is followed by Continuous Security Management. A PenTest or specific readiness engagement may also be next depending on risk.

Is there an initial call?

Yes. The initial call helps understand context, external pressure and whether the GAP makes sense for your company.

Validate the next step with clarity.

The first step is not buying another tool. It is understanding which risk exists, which evidence is missing and what decision should be made now.