Senior security leadership on retainer for companies with 50 to 500 employees. Embedded with your team, fixed-price, vendor-neutral. ODCUS stays until the security program stands.
Three gaps that show up in almost every SME once you look closely. Compliance is the symptom. Ownership is the problem.
IT keeps the lights on. Executives run the business. Audits are handled ad hoc. Security falls into the gap, and onto whoever happens to be standing there.
Stock policies pulled from the internet. Consultants who do not know your supply chain. Frameworks copied through generically. Paper without substance.
Every audit, every sales pitch ends with another tool to buy. Licenses grow, risk stays. ODCUS starts every engagement with one question: what can go?
Included in every engagement. Depth and time allocation are set during scoping, but the pattern stays the same.
Executive board, board of directors, customer security questionnaires, audit walkthroughs. One point of contact who has all of it covered.
Before new tools come in, the existing security landscape gets reviewed for effectiveness. Duplicate licenses go out.
Measures are implemented with your IT, not documented across 80 pages. ODCUS stays until the system runs.
Four pages of steering each month. Quarterly report for the board. Risks, actions, trends. Not a 60-slide deck.
Which standard is mandatory and which one genuinely helps depends on the business model. What ODCUS has worked with operationally in recent years:
Structured ISMS implementation, ready for certification and for demanding customer audits.
Identify–Protect–Detect–Respond–Recover. Fast path to a picture of where you stand, without certification weight.
Information Security Act for federal context, revised Data Protection Act for everyone. Enforcement from end 2026.
Anyone supplying EU corporates inherits the requirements through contracts. Preparation beats reaction.
Operational risk and resilience. Interface to supervision, internal audit and the risk committee.
SOC 2 Type I/II for SaaS providers, TISAX for automotive suppliers. Where customers demand it, we deliver.
An engagement does not reach full operation on contract day. The rhythm that works: see first, then act, then scale.
Intro call, two-hour scoping, fixed-price offer within five working days. If the setup does not fit, ODCUS says so before you sign.
Stakeholder map (exec board, IT, compliance, audit). Asset and risk register. Review of existing tools, licenses, policies. Top-3 priorities set.
Quick wins implemented (often: Conditional Access, MFA gaps, backup coverage, vendor inventory). Steering rhythm in place. First report to executive board.
Security program in place. ISMS maintained, audits supported, quarterly board report. Vendor and customer questionnaires handled, continuous improvement.
Most engagements start with the Cyber Assessment. Those who already know where they stand jump straight to ISMS Implementation or the Retainer.
No shelf reports. Assessment with a prioritized plan and concrete actions.
Security ownership without a full-time hire. Embedded in the team, facing exec board and the directors.
Information security that actually works day-to-day. Ready for ISO 27001, Swiss ISG or customer audits.
All prices in CHF, excl. VAT. Fixed prices apply after joint scoping (free, max 2 hours). Minimum retainer term: 6 months.
Fractional CISO is a service of ODCUS AG. A Swiss boutique for cybersecurity, ISMS and compliance. Focus on SMEs with 50 to 500 employees.
The thesis behind ODCUS: most companies do not have a security problem. They have a sizing problem. Too many tools, too little overview, too much cost for too little actual protection. Every engagement starts with the question of what stays and what goes, before anything new gets added.
The practice: 15 years at the intersection of security, operations and executive leadership. Active CISO mandate for more than two years at an industrial company with 1'600 employees. Led ransomware recovery. M365 security reviews at more than ten companies. Zero-Trust trainer at heise, haufe, golem, ComConsult and isits.
Background in design engineering and implementation, not PowerPoint. Stays until it stands.
Duplicate licenses go before new ones come in. Most engagements lower cost and raise protection at the same time.
No commissions from tool vendors. Recommendations follow fit, not margin. If an existing tool does the job, it stays.
The senior you meet in the conversation is the one who does the work. No junior handoff after signing.
Consulting firms write recommendations. A Fractional CISO owns the result. On retainer, ODCUS steers the security program like an employed CISO. Defined time allocation, no fixed costs, no junior handoff.
Usually not. First step in every engagement: what do you already have, what works, what can go. In most engagements license costs go down while coverage goes up. Cost optimization is part of the engagement, not an add-on.
For a full-time CISO, often yes. For a fractional one, that is exactly the target audience. ODCUS works with companies from 50 employees, typically 1 to 4 days per week, 3 to 12 months.
Common case, good setup. ODCUS complements the line function with methodology and reporting and takes the interface to executive board and audits. Your team keeps day-to-day responsibility but gains time and depth.
The most frequent case. ODCUS does not produce new paper but reactivates what exists: what is still current, what must go, where processes are missing, who owns what. Documentation often shrinks by half and the rest becomes workable.
ISO 27001, NIST CSF, CIS Controls, Swiss ISG, Swiss nDSG, NIS2, DORA, FINMA Circular 2023/01. SOC 2 and TISAX on request.
Intro call within one week. Scoping plus fixed-price offer within five more working days. Kickoff within two weeks of contract signing, depending on scope.
When size and maturity fit, yes. ODCUS works vendor-neutral and does not accept commissions from vendors. The tool that gets recommended depends on context, not on a margin. If an existing tool does the job, it stays.
The retainer is cancellable monthly after 6 months. Cyber Assessment and ISMS Implementation are fixed-price projects with defined endpoints. If after the first month it becomes clear the setup does not work, ODCUS says so and ends cleanly.
30 minutes on the phone. You describe the situation. ODCUS says honestly whether the engagement fits. If not, you get a referral. Free, no sales slides.