DPO Israel

GRC + Privacy.
CISO + DPO. One vendor.

Integrated Governance, Risk & Compliance + Privacy package for organizations needing one comprehensive solution. CISO + DPO as a Service, ISO 27001 / 27701 readiness, periodic risk assessments, policies, internal audits, SOC 2 readiness, and combined tender response. Exactly the package required by municipal, cluster, and academic tenders.

What's included

Eight components in the package

01

Core DPO as a Service

Formal Chief DPO appointment, Authority response, management advice, staff training, incident response.

02

Part-time CISO / GRC

One-two days per month of senior CISO/GRC. Responsible for the information security framework, risk assessments, technical controls.

03

ISO 27001 readiness

Build ISMS per ISO 27001:2022. Documentation, risk assessments, controls, internal audits.

04

ISO 27701 readiness

Extend ISMS to a PIMS — the international privacy standard that integrates with ISO 27001.

05

Periodic risk assessments

Annual information-security + privacy risk assessment, with severity × likelihood × effort matrix and treatment plan.

06

SOC 2 Type II readiness

Mainly for SaaS targeting US Enterprise customers. Controls build, documentation, external auditor support.

07

Policies and awareness program

Comprehensive policies — information security, privacy, incident, vendors, employees, assets. Annual training program.

08

Internal audits

Periodic internal audits per ISO and tender requirements. Audit reports for audit committee and management.

Audience

Which organizations this fits

Local authorities (combined tenders)

"Information security and DPO services" tenders (like Ganei Tikva 2/2026). Requires dedicated professional staff + collaboration framework.

Council for Higher Education, universities

"Information security, cyber, and privacy" tenders (like CHE 03/2025). Requires two role-holders, CISO and DPO, as-a-service.

Regional clusters

Framework tenders 36-60 months, sub-procurements, 4% management fee. Requires structured commercial-tender vendor model.

Healthcare

Large clinics, clinic networks, labs. ISO 27001/27799 (for health), Privacy controls, medical SaaS vendor management.

SaaS with Enterprise customers

Procurement survey demands ISO 27001 / SOC 2 / GDPR. Package fits B2B targeting EU/US.

Finance and fintech

Mid-size banks, credit, fintech, asset management. Double regulation — Amendment 13 + Bank of Israel proper banking management / CMC regulation.

Tender response

Ready for tenders from day one

One of the package's core capabilities: responding to public DPO tenders and combined CISO+DPO tenders. We keep seven documents ready in advance rather than preparing them during tender season.

Document: Detail

Framework response document: Generic response that can be adapted to any tender within 48 hours
Structured CVs: CVs for Chief DPO, CISO, and bench partners, designed, current, in Hebrew and English
SLA addendum: Sample SLA for monitoring and periodic reporting that fits most tenders
Conflict-of-interest declaration: Signed addendum addressing independence requirements
Financial certifications: Bookkeeping certificate, tax withholding certificate, professional liability insurance
Liability insurance: Active professional liability + cyber insurance
Client references: Organized list of clients willing to provide references

Frequent questions about GRC + Privacy

When should you choose this package over DPO as a Service alone?

It depends on the organization: DPO as a Service is enough for most mid-size organizations. The GRC + Privacy package is required when: (1) a tender requires combined CISO+DPO; (2) an Enterprise client demands SOC 2 / ISO 27001; (3) the sector requires deep technical control (healthcare, fintech); (4) the organization plans to achieve ISO 27701.

Are you the CISO?

No. The CISO in the bench is a separate professional with deep cyber and technology background. I, as DPO, lead the privacy side. We work in close coordination — both roles have unique requirements and complement each other. In tenders we present both individuals, with clear RACI.

How long to achieve ISO 27701?

Starting from ISO 27001 (if not already) — 9-12 months. Adding PIMS for 27701 on top of existing 27001 — 3-5 additional months. Starting from scratch can achieve both within 12-18 months, depending on size and internal engagement.

What are critical ISO 27701 controls?

ISO 27701 adds 49 privacy controls on top of ISO 27001. Key ones: PIMS-specific roles (DPO), processing documentation, data-subject rights, minimization tradeoffs, Privacy Impact Assessment, processor management. Package includes building all these controls.

What about technical controls?

Bench CISO handles technical controls — access management, network security, asset management, monitoring, backups, cyber risk management. Pentesting and code review handled by dedicated providers — we manage the process but don’t execute ourselves.

Do you submit tenders on behalf of clients?

Two models: (a) client is the primary submitter, we attach as vendor; (b) we are primary submitters (clients looking for public-sector access through us). Both models active — depends on what client is seeking.

How much does it cost?

DPO + GRC Lite package — 15,000-28,000 ILS per month. Includes Chief DPO + part-time CISO/GRC days + risk assessments + ISO support. Project-based work (full ISO certification, SOC 2, tender response) priced separately.

Need a combined CISO + DPO solution?

A free 30-minute call to understand your needs and propose a specific model.

Book a call