Plan to reduce the risks. We'll manage it together.
Choose the level of support that matches your team, your audit pressure, and the amount of day-to-day operational help you need.
Start with the amount of operational ownership you need today, then scale up as audits, stakeholders, and environments get more complex.
Choose Essentials if you need a clear baseline and lighter-touch guidance.
Move to Starter or Advanced when you need leadership support, annual assessments, and audit help.
Use Enterprise when regulation, scale, or complexity changes the shape of the work.
Each tier is designed around the operating burden you want us to absorb, not just a checklist of services.
Essentials
Best for small organizations that need baseline coverage without building an internal program first.
Establish a working starting point with monthly guidance, reusable policies, and visibility into core hygiene issues.
Monthly compliance & cybersecurity bulletin
Policy and procedure template library
DMARC monitoring · 1 domain
Endpoint patch management add-on
Starter
Best for growing businesses that need more structure, leadership input, and a repeatable annual rhythm.
Move from reactive work to a managed program with CXO guidance, a yearly assessment, and incident planning.
Everything in Essentials, plus
Fractional CXO support
NIST CSF 2.0 annual assessment
Incident-response planning · annual training
DMARC · up to 3 domains
Advanced
Best for teams preparing for audits, customer diligence, and a more mature operating cadence.
Run a fuller compliance program with audit support, tabletop exercises, and recurring training across the year.
Everything in Starter, plus
Support during external audits
Annual tabletop exercises
Quarterly live virtual training
DMARC · up to 5 domains · 25 endpoints
Enterprise
Best for larger or more regulated organizations with broader environments, more stakeholders, and higher scrutiny.
Coordinate a tailored retainer with deeper audit readiness, OWASP maturity work, and higher service limits.
Everything in Advanced, plus
Audit-readiness assessment
Annual OWASP maturity assessment
Monthly virtual training · hosted security meetings
DMARC · up to 10 domains · 100 endpoints
Compliance Expertise
Every level is backed by our compliance experts with a deep understanding of your regulatory requirements.
Quarterly report
Executive-level summary of your compliance posture and progress, delivered quarterly.
Twelve-month plan
A dated, resourced plan — not a backlog. Your compliance goals are mapped to a realistic roadmap
On-going support
When questions get hard, ComplianceXO experts are available to provide guidance and support.
Can we switch levels mid-term?
Yes. We can add or remove services beginning the following month and adjust billing accordingly.
Who actually does the work?
Senior leaders provide fractional CXO oversight, with analysts and trusted partners supporting execution where needed.
Will you work with our auditor directly?
Yes. Advanced and Enterprise plans include direct auditor liaison, including pre-audit kickoff and post-audit response support.
What about one-off assessments?
See our Expert Assessments. Standalone engagements are billed at a fixed fee based on the scope of work.
Is there a free tier?
Yes. The self-assessments on the homepage are free and require no account. If you are not ready to engage, you can also follow The Risk Register for ongoing guidance.
Do you do the audit?
No. We prepare you for the audit and support you through it, but we do not perform audits ourselves.
“ComplianceXO subscriptions are designed to give you a complete compliance program, complementing your existing internal IT, MSP, or MSSP to enable you to build a successful program.”
Custom programs — designed for every company.
Multi-entity groups, regulated industries, sovereign-data requirements, post-incident remediation. Let us know your requirements and we'll design a program specifically for your organization.