CISO vs. ISO: Two Titles, Two Roles and Why the Difference Matters for NIS2

When companies organize their information security, two terms quickly come up: CISO and ISO. Both sound similar but mean fundamentally different things. And especially for NIS2-affected mid-sized companies, the distinction is critical. Filling the wrong role or defining the right one incorrectly risks not just compliance gaps, but real governance failures.
What Is an ISO (Information Security Officer)?
The Information Security Officer, or ISB (Informationssicherheitsbeauftragter) in German, is a regulatory role firmly established in Germany. It is explicitly required under BSI IT-Grundschutz, mandatory for KRITIS companies, and obligatory in sectors like healthcare, energy, and finance through sector-specific regulation.
The ISO focuses on operational security, documentation, compliance, and risk management according to standards. They are typically not an executive in the traditional sense: they report to management but rarely make independent strategic decisions. Their work follows control frameworks like ISO 27001, BSI IT-Grundschutz, or TISAX.
Specifically, their responsibilities include maintaining the Information Security Management System (ISMS), conducting internal audits, coordinating awareness measures, and creating security policies. They are the operational anchor ensuring that processes are documented, controls are verifiable, and risks are systematically recorded.
What Is a CISO (Chief Information Security Officer)?
The CISO is a C-level term originating in the Anglo-Saxon world. They are a member of the executive team or positioned directly below it. Their focus is on security strategy, risk appetite, business alignment, and crisis leadership. They communicate directly with the CEO, CFO, board of directors, and insurers, bearing personal responsibility for security decisions.
The CISO thinks in terms of business risks, not control catalogs. They prioritize what truly endangers the company and make decisions that go beyond technology. When evaluating a new cloud provider, the ISO asks about certifications. The CISO asks: What happens if this provider fails tomorrow?
A good CISO connects security with business strategy. They translate technical risks into financial impacts, prioritize investments by business impact, and ensure security is perceived not as a cost center but as a prerequisite for business capability.
The Key Differences at a Glance
The ISO has a legal basis (BSI IT-Grundschutz, KRITIS, NIS2) and is mandatory in many sectors. The CISO is not legally required but embodies the NIS2 spirit of management responsibility. While the ISO works in a staff position reporting to management, the CISO operates at C-level with real decision-making authority.
The ISO ensures compliance and documentation; the CISO drives strategy and risk management. In daily practice, the difference is clear: the ISO creates the audit report. The CISO decides which risks the company consciously accepts and which must be addressed immediately.
Reporting and Decision Authority
A frequently underestimated difference lies in the reporting line. The ISO typically reports to IT management or general management. The CISO ideally sits on the executive board or reports directly to the CEO. This difference determines how much weight security decisions carry in the organization. When the security lead is two hierarchy levels below the executive board, critical decisions get delayed or diluted.
Cost Comparison
In terms of cost, the roles are far apart: an internal ISO costs approximately 60,000 to 90,000 euros per year. An internal CISO ranges from 150,000 to 250,000 euros. For mid-sized companies, this is often unrealistic, which is why the vCISO is gaining importance as an alternative. A virtual CISO typically costs from 3,600 euros per month, depending on scope and complexity.
What NIS2 Specifically Requires
NIS2 explicitly states: Management must know, assess, and approve cybersecurity risk measures. Violations can lead to personal liability for executives. This is a fundamental departure from earlier regulations that treated cybersecurity as a purely operational matter.
Article 20 of the NIS2 Directive makes clear: governing bodies must approve risk management measures, oversee their implementation, and can be held liable for violations. In practice, this means the executive board cannot delegate responsibility to an ISO and then step back from the matter.
Specifically: an ISO alone is insufficient if management is not involved. A CISO without documented processes fails to meet evidence requirements. Ideally, both work together: the ISO as operational implementer, the CISO as strategic leader.
Case Study: How a Mid-Sized Company Implemented Role Separation
A machinery manufacturer with 800 employees faced exactly this challenge: the internal IT manager had taken on the ISO role as a side responsibility. Documentation existed, but strategic governance was completely absent. When the NIS2 assessment revealed the company fell under the directive, it became clear: this approach was no longer sustainable.
The solution was pragmatic: the IT manager remained ISO with a clear operational mandate. In parallel, an external vCISO was engaged for two days per month to handle strategic governance. Within three months, the company had its first board-level risk report, a prioritized action list, and clear accountability structures.
The board commented: 'Finally we understand where we stand and what we need to do next.' That was the real breakthrough: not compliance, but visibility.
When Is an ISO Sufficient, When Do You Need a CISO?
The question cannot be answered universally, but there are clear indicators:
An ISO alone typically suffices when the company has fewer than 250 employees, does not fall under KRITIS or NIS2, operates an established ISMS with clear processes, and the executive team actively engages with security matters.
A CISO function becomes necessary when the company falls under NIS2 or KRITIS, the IT landscape is complex (multi-cloud, AI deployment, global locations), the executive team needs management-level risk assessments, or regulatory requirements demand demonstrable management accountability.
The vCISO as a Pragmatic Solution for Mid-Sized Companies
For most mid-sized companies, the ISO is often legally required and can realistically be staffed part-time or externally, whereas a full-time CISO position is rarely affordable. This is where the vCISO, or Virtual CISO, offers a pragmatic alternative.
An external vCISO takes on the strategic CISO function on an hourly or daily basis. They communicate with the executive team, set priorities, develop the security strategy, and bear responsibility in emergencies. Combined with an internal or external ISO, the company covers both levels: compliance and leadership.
The advantages are clear: immediate access to senior expertise, no fixed costs of a full-time position, fresh perspective from experience across different industries and companies, and a clear point of contact for the executive team on security matters.
Frequently Asked Questions
Can one person fill both roles simultaneously?
Theoretically yes, but in practice it almost always leads to conflicts of interest. The ISO audits and documents. The CISO prioritizes and decides. Anyone doing both is auditing their own decisions. Additionally, an ISO in a dual role often lacks the direct access to the executive board that a CISO needs.
Is the CISO legally required in Germany?
No, the CISO is not a legally defined role in Germany. However, NIS2 requires demonstrable management responsibility for cybersecurity. This functionally corresponds to a CISO role, even if the title is not prescribed. What matters is not the title but the function: Who bears management-level responsibility for information security?
What does a vCISO cost compared to an internal CISO?
An internal CISO costs 150,000 to 250,000 euros per year including salary, overhead, and professional development. A vCISO starts from around 43,200 euros annually depending on scope. For most mid-sized companies, the vCISO is the more economical solution without compromising on strategic quality.
Conclusion: Two Roles, One Goal
CISO and ISO are not alternatives but complements. The ISO ensures that processes run and evidence exists. The CISO or vCISO ensures that the right priorities are set and that management truly bears responsibility.
Mid-sized companies need both. The question is not whether, but how to implement it affordably and effectively. The combination of an internal ISO and external vCISO has proven to be the most pragmatic path in practice, fulfilling both requirements: operational compliance and strategic leadership.
