
Get cybersecurity under control and become trustworthy for your customers

For SMEs who need defensible security, evidence, and a cadence that keeps controls working, not a certificate project.

Start with an Executive Risk & AI Exposure Scan.
We translate exposure into decisions: what to fix now, what can wait, and how to run it monthly.

Governed supplier and AI use, with defensible evidence and a monthly rhythm.

Mapped to ISO 27001 Annex A • NIS2 duty-of-care • AI governance baseline • Fixed scope, fixed fee
Best fit for organisations facing customer audits, supplier liabilities, cloud exposure, and rising compliance pressure.

How most organisations do it

They implement ISO 27001 for the certificate, not for control. They adopt AI and cloud tools without updating their governance. They respond to NIS2 under pressure instead of planning ahead. And they collect evidence manually, just before the audit. The result is risk theatre: paperwork that looks like governance but doesn't hold up when a supplier questionnaire, a cyber incident, or an inspector asks the hard questions.

Luméro builds governance that is defensible and operational.
Trust: clear evidence, clear ownership, clear reporting.
Authority: mapped to ISO 27001 Annex A and NIS2 duty-of-care.
Cadence: a monthly operating rhythm that keeps controls working.
Luméro | Simplicity. Certainty. Progress.

Offer stack

A stepped approach from clarity to continuous assurance, with clear objectives and defined deliverables, designed for trust and ongoing control.

Step 1: Executive Risk & AI Exposure Scan

Three packages, each tailored to a different type of organisation. The aim is a bird's-eye view of the organisation's risk posture and liabilities, and an actionable treatment plan within days. 20% of the Scan fee is credited when you start the Blueprint or the Continuous Assurance System™ subscription.

Scan Lite (Starter) — €3,200 · 2 days

For straightforward organisations. An inventory that gives clear insight into your organisation's compliance status, threat exposure and response readiness, plus supplier and AI tool exposure risks.
Deliverables: Executive Summary (2–4 pages) · 90-day roadmap · IT Supplier Action Pack · AI Usage Register

Bridge Roadmap — €6,800 · 6 days

For most SMEs. Complete critical asset mapping against the ISO 27001 baseline and NIS2 duty-of-care, plus AI governance.
Deliverables: Everything in Scan Lite · Risk register (v1) · Control priorities · Evidence requirements · Implementation order

Scan Deep — €12,500 · 11 days

For heavier risk and certification readiness. The de-risked path to certification. Board presentation & pack, Statement of Applicability (SoA) draft, pre-audit check, and Closure Plan for findings.
Deliverables: Everything in Bridge Roadmap · Audit-ready upgrade pack

Step 2: Operating System Install

A Fixed-Price Setup Sprint delivered in 2-week iterations. Step 2 typically runs 2–4 sprints (6–12 weeks), depending on complexity. The exact scope and number of sprints are confirmed after the Step 1 Scan.

Luméro installs the minimum viable security operating model, so controls run through normal business workflows and produce defensible evidence.

Included:
  • Deployment of the Luméro Minimum Control Engine
  • Monitoring signals and reliability checks (CCM-light)
  • One full monthly operating cycle executed together
  • Hypercare handover period

At the end of Step 2, you are running an Information Security Operating System™ (ISOS).

Step 3: Luméro Continuous Assurance System™ (subscription)

Luméro directs. Your IT partner executes. Your organisation focuses on its business. Luméro owns governance, roadmap, evidence quality, and reporting, so controls keep working. 3-month minimum. Annual plans are available with a 10% discount for prepayment.

Control Sentinel — €800 / month

For Scan Lite graduates. Up to 4 hours/month of expert time for governance, evidence reviews, and decision support.

  • Risk register updates
  • Quarterly compliance snapshot
  • Evidence health review
  • AI usage register refresh

Governance Custodian — €1,500 / month

For Bridge Roadmap graduates. Up to 8 hours/month of expert time.

  • Everything in Control Sentinel
  • Quarterly management/board briefing
  • Control testing rhythm
  • Supplier & vendor risk cadence
  • Annual pre-audit readiness cycle

Strategic Partner — €2,500 / month

For Scan Deep graduates. Up to 16 hours/month of expert time.

  • Monthly governance session
  • Incident coordination & reporting readiness
  • Evidence design review
  • AI governance oversight
  • Executive risk advisory

How it works

Short sprints with visible results. Governance first. Evidence always.

1. Start: interviews, artefact review, and an evidence-first risk snapshot.

2. Direction: scope, priorities, and success criteria → one clear plan.

3. Build: controls live, evidence structured, owners assigned.

4. Steer: monthly rhythm, control health, supplier checks, continuous improvement.

What you get

Executive clarity: what’s good, what’s urgent, what’s next.
Customer trust: evidence you can show without scrambling.
Supplier control: clear requirements and verification.

Schedule an introductory call (20 min)

A brief, no-obligation call to decide whether this approach fits your situation and what the shortest path to continuous assurance is.


Talk to me

Please briefly describe your situation. I will respond within one working day.


Prefer a quick intro? Call directly: +31 6 11 80 48 10