# GRC + Privacy Combined | CISO + DPO as a Service Israel | ISO 27001 & 27701

> Integrated Governance, Risk & Compliance + Privacy package for organizations needing one comprehensive solution: CISO + DPO as a Service, ISO 27001 / 27701 readiness, periodic risk assessments, policies, internal audits, SOC 2 readiness, and response to combined public tenders. For municipalities, healthcare, finance, and SaaS with Enterprise customers.

**Canonical:** https://dpoisrael.com/en/services/grc-privacy/  
**Locale:** en-IL

---
CISO + DPO. One vendor.

Integrated **Governance, Risk & Compliance + Privacy** package for organizations needing one comprehensive solution. **CISO + DPO as a Service**, ISO 27001 / 27701 readiness, periodic risk assessments, policies, internal audits, SOC 2 readiness, and combined tender response. Exactly the package required by municipal, cluster, and academic tenders.

## GRC + Privacy — what's included

- **Model:** CISO + DPO as a Service from one provider
- **Price range:** 15,000-28,000 ILS / month
- **Fits:** Combined tenders, healthcare, fintech, SaaS Enterprise
- **Standards:** ISO 27001:2022 + ISO 27701:2019
- **SOC 2 support:** Type II readiness for SaaS companies
- **Readiness duration:** 9-18 months to certification
- **Ongoing deliverables:** Risk assessments, policies, audits, management reports
- **Tender response:** Documents, CVs, SLA, addenda — ready

## Eight components in the package

### 1. Core DPO as a Service

Formal Chief DPO appointment, Authority response, management advice, staff training, incident response.

### 2. Part-time CISO / GRC

One to two days per month of a senior CISO/GRC, responsible for the information security framework, risk assessments, and technical controls.

### 3. ISO 27001 readiness

Build an ISMS per ISO 27001:2022. Documentation, risk assessments, controls, internal audits.

### 4. ISO 27701 readiness

Extend the ISMS to a PIMS — the international privacy standard that integrates with ISO 27001.

### 5. Periodic risk assessments

Annual information-security + privacy risk assessment, with a severity × likelihood × effort matrix and a treatment plan.

### 6. SOC 2 Type II readiness

Mainly for SaaS targeting US Enterprise customers. Controls build, documentation, external auditor support.

### 7. Policies and awareness program

Comprehensive policies — information security, privacy, incidents, vendors, employees, assets. Annual training program.

### 8. Internal audits

Periodic internal audits per ISO and tender requirements. Audit reports for the audit committee and management.

## Which organizations this fits

### Local authorities (combined tenders)

"Information security and DPO services" tenders (like Ganei Tikva 2/2026). These require dedicated professional staff plus a collaboration framework.

### Council for Higher Education, universities

"Information security, cyber, and privacy" tenders (like CHE 03/2025). These require two role-holders, CISO and DPO, as a service.

### Regional clusters

Framework tenders of 36-60 months, sub-procurements, 4% management fee. These require a vendor model structured for commercial framework tenders.

### Healthcare

Large clinics, clinic networks, labs. ISO 27001/27799 (for health), privacy controls, medical SaaS vendor management.

### SaaS with Enterprise customers

Procurement questionnaires demand ISO 27001 / SOC 2 / GDPR. The package fits B2B companies targeting the EU/US.

### Finance and fintech

Mid-size banks, credit, fintech, asset management. Double regulation — Amendment 13 + Bank of Israel proper banking management / CMC regulation.

## Ready for tenders from day one

One of the package’s core capabilities: [response to public DPO tenders](/en/services/public-tenders) and combined CISO+DPO tenders. Seven documents we keep ready in advance, rather than preparing them during tender season.

| Document | Detail |
| --- | --- |
| Framework response document | Generic response that can be adapted to any tender within 48 hours |
| Structured CVs | CVs for Chief DPO, CISO, and bench partners — designed, current, in Hebrew and English |
| SLA addendum | Sample SLA for monitoring and periodic reporting that fits most tenders |
| Conflict-of-interest declaration | Signed addendum addressing independence requirements |
| Financial certifications | Bookkeeping certificate, tax withholding certificate, professional liability insurance |
| Liability insurance | Active professional liability + cyber insurance |
| Client references | Organized list of clients willing to provide references |

## Frequent questions about GRC + Privacy

### When to choose this package over DPO as a Service alone?

It depends on the organization: **DPO as a Service** is enough for most mid-size organizations. The **GRC + Privacy package** is required when: (1) a tender requires a combined CISO+DPO; (2) an Enterprise client demands SOC 2 / ISO 27001; (3) the sector requires deep technical control (healthcare, fintech); (4) the organization plans to achieve ISO 27701.

### Are you the CISO?

No. The CISO on the bench is a separate professional with a deep cyber and technology background. I, as DPO, lead the privacy side. We work in close coordination: both roles have unique requirements and complement each other. In tenders we present both individuals, with a clear RACI.

### How long to achieve ISO 27701?

Starting with ISO 27001 (if not already certified): 9-12 months. Adding a PIMS for 27701 on top of an existing 27001: 3-5 additional months. Starting from scratch, both can be achieved within 12-18 months, depending on size and internal engagement.

### What are critical ISO 27701 controls?

ISO 27701 adds 49 privacy controls on top of ISO 27001. Key ones: PIMS-specific roles (DPO), processing documentation, data-subject rights, minimization tradeoffs, Privacy Impact Assessment, processor management. The package includes building all of these controls.

### What about technical controls?

The bench CISO handles technical controls — access management, network security, asset management, monitoring, backups, cyber risk management. Pentesting and code review are handled by dedicated providers; we manage the process but do not execute it ourselves.

### Do you submit tenders on behalf of clients?

Two models: (a) the client is the primary submitter and we attach as a vendor; (b) we are the primary submitter (for clients looking for public-sector access through us). Both models are active; which one applies depends on what the client is seeking.

### How much does it cost?

DPO + GRC Lite package: 15,000-28,000 ILS per month. Includes Chief DPO + part-time CISO/GRC days + risk assessments + ISO support. Project-based work (full ISO certification, SOC 2, tender response) is priced separately.

## Need a combined CISO + DPO solution?

A free 30-minute call to understand your needs and propose a specific model.

[Book a call](/en/contact)
