Published: October 2025 · Last updated: 2026-06-04

Get cybersecurity under lasting control and become a trusted partner for your customers

For SMEs who want real protection, not just certificates. According to ENISA's 2024 Threat Landscape, 57% of cyber incidents in SMEs stem from governance gaps, not missing firewalls.

Start with an Executive Risk & AI Exposure Scan.
Gain insight into your risks, priorities, and the shortest path to cybersecurity that is demonstrably and continuously under control.

Mapped to ISO 27001 Annex A • NIS2 duty-of-care • AI governance baseline • Fixed scope, fixed fee
Best fit for organisations facing customer audits, supplier liabilities, cloud exposure, and rising compliance pressure.

Why do most ISO 27001 implementations fail?

Most organisations implement ISO 27001 for the certificate, not for control. They adopt AI and cloud tools without updating their governance. They respond to NIS2 under pressure instead of planning ahead. And they collect evidence manually, just before the audit. The result is risk theatre: paperwork that looks like governance but does not hold up when a supplier questionnaire, a cyber incident, or an inspector asks the hard questions. A 2025 BSI survey found that only 24% of certified organisations maintained their ISMS controls between audits.

Luméro builds governance that is defensible and operational.
Trust: clear evidence, clear ownership, clear reporting.
Authority: mapped to ISO 27001 Annex A and NIS2 duty-of-care.
Cadence: a monthly operating rhythm that keeps controls working.
Luméro | Simplicity. Certainty. Progress.

What ISO 27001 & NIS2 services does Luméro offer?

Luméro's ISO 27001 & NIS2 services follow a stepped approach from clarity to continuous assurance. Controls map to ISO 27001:2022 Annex A, NIS2 Article 21 duty-of-care requirements, and the OWASP ASVS 5.0 verification standard. Fixed scope, fixed fee, clear deliverables.

Step 1: Executive Risk & AI Exposure Scan

Three packages, each tailored to a different type of organisation. The aim is a bird's-eye view of the organisation's risk posture and its NIS2 obligations (in the Netherlands, the Cyberbeveiligingswet), plus an actionable treatment plan within days. 20% of the Scan fee is credited when you start the Blueprint or a Continuous Assurance System™ subscription.

Scan Lite (Starter)

For straightforward organisations. An inventory that gives clear insight into your organisation's compliance status, threat exposure and response readiness, plus supplier and AI tool exposure risks.

Deliverables:
  • Executive Summary (2–4 pages)
  • 90-day roadmap
  • IT Supplier Action Pack
  • AI Usage Register
€3,200 for 2 days

Bridge Roadmap

For most SMEs. Complete critical asset mapping against the ISO 27001 baseline and NIS2 duty-of-care, plus AI governance.

Deliverables:
  • Everything in Scan Lite
  • Risk register (v1)
  • Control priorities
  • Evidence requirements
  • Implementation order
€6,800 for 6 days

Scan Deep

For heavier risk and certification readiness. The de-risked path to certification. Board presentation & pack, Statement of Applicability (SoA) draft, pre-audit check, and Closure Plan for findings.

Deliverables:
  • Everything in Bridge Roadmap
  • Audit-ready upgrade pack
€12,500 for 11 days

Step 2: ISMS Implementation

A Fixed-Price Setup Sprint delivered in 2-week iterations. Step 2 typically runs 2–4 sprints (4–8 weeks of build), followed by one jointly executed monthly operating cycle and a hypercare handover, so plan for roughly 6–12 weeks end to end. The exact scope and number of sprints is confirmed after the Step 1 Scan.

ISOS™ Build & Handover – Fixed-Price Sprint

Luméro installs the minimum viable security operating model, so controls run through normal business workflows and produce defensible evidence.

Included:
  • Deployment of the Luméro Minimum Control Engine
  • Monitoring signals and reliability checks (CCM-light: a lightweight form of continuous control monitoring)
  • One full monthly operating cycle executed together
  • Hypercare handover period

At the end of Step 2, you are running an Information Security Operating System™ (ISOS).

Step 3: Luméro Continuous Assurance System™ (subscription)

Luméro directs. Your IT partner executes. Your organisation focuses on its business. Luméro owns governance, roadmap, evidence quality, and reporting, so controls keep working. 3-month minimum. Annual plans are available with a 10% discount for prepayment.

Control Sentinel

For Scan Lite graduates. Up to 4 hours/month of expert time for governance, evidence reviews, and decision support.

  • Risk register updates
  • Quarterly compliance snapshot
  • Evidence health review
  • AI usage register refresh
€800 per month

Governance Custodian

For Bridge Roadmap graduates. Up to 8 hours/month of expert time.

  • Everything in Control Sentinel
  • Quarterly management/board briefing
  • Control testing rhythm
  • Supplier & vendor risk cadence
  • Annual pre-audit readiness cycle
€1,500 per month

Strategic Partner

For Scan Deep graduates. Up to 16 hours/month of expert time.

  • Monthly governance session
  • Incident coordination & reporting readiness
  • Evidence design review
  • AI governance oversight
  • Executive risk advisory
€2,500 per month

How does Luméro implement ISO 27001 for SMEs?

Short sprints with visible results. Governance first. Evidence always.

1. Start
Interviews, artefact review, and an evidence-first risk snapshot.

2. Direction
Scope, priorities, and success criteria → one clear plan.

3. Build
Controls live, evidence structured, owners assigned.

4. Steer
Monthly rhythm, control health, supplier checks, continuous improvement.

What do you get from an ISO 27001 engagement?

Executive clarity: what’s good, what’s urgent, what’s next.
Customer trust: evidence you can show without scrambling.
Supplier control: clear requirements and verification.

Ready to discuss your ISO 27001 or NIS2 requirements?

A brief, no-obligation call to decide whether this approach fits your situation and what the shortest path to continuous assurance is.

You will be redirected to Calendly, a third-party scheduling service with its own privacy policy.

Frequently asked questions about ISO 27001 & NIS2

Can you act as an interim Information Security Manager?
Yes. We can temporarily fill the ISM role, including operational embedding and handover.
How do you ensure continuity after the engagement?
By defining ownership, making documentation transferable and setting up practical management processes.
Do you also support training or security awareness?
If needed, we provide short, practical sessions focused on immediate adoption and real-world behaviour.
What are the main NIS2 requirements for SMEs?
NIS2 (EU Directive 2022/2555) requires essential and important entities to implement risk-based security measures covering incident handling, supply chain security, business continuity, and governance accountability. EU Member States must transpose NIS2 into national law; in the Netherlands this becomes the Cyberbeveiligingswet (Cbw). Luméro helps SMEs map existing controls to NIS2 Article 21 requirements and close the gaps efficiently.
How long does ISO 27001 certification take?
For a typical SME (50–250 employees), Luméro delivers audit-ready status in 3 to 6 months. Timeline depends on scope complexity, existing maturity, and internal availability. We use sprint-based delivery so you see measurable progress every two weeks rather than waiting months for a big-bang handover.
What does ISO 27001 implementation cost for an SME?
Implementation costs vary by scope and maturity. For a focused SME engagement, expect an investment of EUR 15,000–40,000 for consultancy support, plus certification body audit fees (typically EUR 5,000–15,000). Luméro's sprint model avoids open-ended billing; you get a fixed scope and transparent pricing per phase.
How does AI governance relate to ISO 27001 and NIS2?
The EU AI Act (Regulation 2024/1689) creates obligations that overlap with ISO 27001 and NIS2: data quality, risk management, transparency, and human oversight. ISO 42001 (AI Management System) aligns with ISO 27001's structure, making integrated implementation practical. Luméro helps organisations build a unified governance framework covering information security, cyber resilience, and responsible AI use.
What is a virtual CISO (vCISO) and when do you need one?
A virtual CISO provides strategic security leadership on a fractional basis, typically 2–4 days per month. This is ideal for SMEs that need board-level security guidance, audit preparation, and risk oversight but cannot justify a full-time CISO hire (average salary EUR 120,000+). Luméro's vCISO service includes ISMS governance, management review facilitation, and regulatory liaison.

Get in touch with Luméro

Please briefly describe your situation. We will respond within one working day.


Prefer a quick intro? Call directly: +31 6 11 80 48 10