Executive summary · TL;DR

Use Kit Consulting (Spain advisory grant) to roll out cybersecurity and ISO 27001 with up to €24,000 in subsidy. Three advisory levels (Basic, Advanced, Certification Readiness), specific deliverables, certified advisor and a structured roadmap that protects the business and prepares the certification audit.

Cybersecurity is no longer optional for Spanish SMEs. The transposition of NIS2, the entry into force of the regulation on critical entities and the steady rise of ransomware attacks on companies with fewer than 250 employees have shifted security from a cost line into a critical investment. Kit Consulting (Spain advisory grant) offers up to €24,000 to fund the expert advisory required to implement an effective cybersecurity strategy and prepare ISO 27001 or ENS (Spanish National Security Framework) certification.

The cybersecurity advisory categories within Kit Consulting are structured in three progressive levels. Each level corresponds to one €6,000 service of at least 40 hours of expert support over a minimum of 3 months. The smartest strategy combines the three levels in sequence: diagnosis, design and certification readiness.

Level 1: Basic Cybersecurity (€6,000)

The starting point. Basic cybersecurity advisory diagnoses the current security posture of the company and identifies critical vulnerabilities. Typical deliverables include an asset inventory and information flows, a vulnerability map by impact, basic incident response procedures, an awareness plan for the team, and recommendations for immediate improvement (multifactor authentication, segmented backup, perimeter protection).

This level is appropriate for companies that have never carried out a formal cybersecurity diagnosis and need to establish a baseline before investing in advanced solutions. Most micro-enterprises and small companies start here.

Level 2: Advanced Cybersecurity (€6,000)

This level builds on the basic diagnosis with a formal methodology. It includes structured risk analysis using a recognized methodology (MAGERIT, ISO 27005), security architecture design, a master security plan with a prioritized roadmap, evaluation of security providers and preparation for regulatory compliance (GDPR, NIS2).

The advanced level is essential for medium-sized companies that handle sensitive data (health, finance, personal data at scale), companies subject to NIS2 as essential or important entities, and any company in B2B sectors whose clients require cybersecurity guarantees in contracts.

Level 3: Certification Readiness (€6,000)

This level is designed specifically for companies seeking ISO 27001 certification or ENS (Spanish National Security Framework) compliance. It includes the preparation of the full Information Security Management System (ISMS) documentation, formal risk analysis aligned with the standard, definition of mandatory controls (Annex A of ISO 27001), internal audit and gap analysis, and support up to the external certification audit.

Deliverables of this level include the security policy, the statement of applicability, the risk treatment plan, the incident management procedures, the business continuity plan, the control records and the training plan. With the documentation in order and the controls implemented, the company is ready to face the certification audit with a recognized entity (AENOR, BSI, Bureau Veritas, etc.) accredited by ENAC.

Optimal strategy: combining the three levels

For a company in segment C (100-249 employees) that wants to obtain ISO 27001 certification, the optimal Kit Consulting strategy is to contract the four available services as follows: one Basic Cybersecurity service (initial diagnosis), one Advanced Cybersecurity service (risk analysis and architecture), one Certification Readiness service (ISMS documentation), and one Business Strategy and Performance service (to align the certification with the digital strategy of the business). Total subsidized: €24,000.

For a segment A company (10-49 employees) the strategy is more limited. With two services available, the most useful combination is Basic Cybersecurity + Certification Readiness if the certification target is clear, or Basic Cybersecurity + Advanced Cybersecurity if the company first needs to mature its security posture before considering certification.

Combining Kit Consulting + Kit Digital for end-to-end cybersecurity

Kit Consulting funds advice, not the technological solutions themselves. Once the strategy is defined with the advisor, the implementation can be financed with Kit Digital (Spain digitalization grant), which has a specific cybersecurity category with grants of up to €29,000 per company.

The optimal sequence is: (1) Kit Consulting Cybersecurity Basic to diagnose, (2) Kit Consulting Cybersecurity Advanced to design the architecture, (3) Kit Digital Cybersecurity to implement the technical solutions defined, (4) Kit Consulting Certification Readiness to prepare the audit. The combination of both programs can finance the entire process for a sum higher than €50,000 for a medium-sized company.

What are the requirements for a Cybersecurity Digital Advisor?

Not every Kit Consulting Digital Advisor can provide services in cybersecurity. The catalog requires specific certifications by category. For Basic Cybersecurity and Advanced Cybersecurity the most common credentials are CISA, CISM, CISSP or ISO 27001 Lead Auditor. For Certification Readiness, the ISO 27001 Lead Auditor credential issued by a body accredited by IRCA, PECB or similar is practically mandatory.

Beyond certifications, the criteria to evaluate a cybersecurity advisor include: verifiable references from companies in similar sectors, knowledge of the regulatory framework applicable to the company (NIS2, GDPR, sector regulation), experience in supporting certification audits (not just designing the system) and capacity to coordinate with the future digitalization agent that will deploy the technical solutions.

Regulatory updates and outlook

The cybersecurity regulatory landscape in Spain is moving rapidly. NIS2 was transposed in 2024 and obliges essential and important entities to adopt formal risk management practices, incident notification within 24-72 hours and management responsibility. The Cyber Resilience Act of the European Union, in force since 2024 with full application in 2027, extends requirements to products with digital elements.

At the national level, the National Cryptologic Centre (CCN-CERT) and INCIBE continue to publish detailed guides for SMEs. ENS (Spanish National Security Framework) is mandatory for companies providing services to the public administration; ISO 27001 is becoming a de facto requirement in B2B contracts with large corporations. The window to certify with a 24-month plan supported by Kit Consulting is unlikely to be as open again.

Want to plan your ISO 27001 certification with Kit Consulting? Book a first session and in 45 minutes we will review which of the three levels is the appropriate starting point for your company.


Authorship: Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs. Registered Kit Consulting Digital Advisor in cybersecurity categories.

Frequently asked questions

Can I get ISO 27001 certification using only Kit Consulting?

Kit Consulting funds the advisory required to design and document the ISMS and prepare the certification audit, but it does not pay for the audit itself nor the recurring controls. You should plan a separate budget for the external certification audit with an entity accredited by ENAC.

Can the same advisor design and audit the system?

No. The certification audit must be performed by a different entity from the one that designed the ISMS to preserve independence. Kit Consulting only covers the design and readiness phase; the audit is contracted separately with an accredited certification body.

How long does ISO 27001 certification take?

In SMEs, between 9 and 18 months from the initial diagnosis to obtaining the certificate. Kit Consulting allows up to 12 months per service, which is consistent with the certification timeline if the three levels are sequenced correctly.

How does this apply to my SME?

It applies as long as you serve Spanish customers or process Spanish data; the framework is mandatory above thresholds we summarise in the table.

What does it cost in 2026?

Indicative ranges for SMEs with 10-50 employees: 2,500-12,000 EUR for documentation; auditor fees vary by certification body (AENOR, BV, SGS, LRQA).

Which Spanish regulation applies?

BOE references RD 311/2022 (ENS), Regulation EU 2016/679 (GDPR), LOPDGDD, NIS2, DORA and the EU AI Act 2024/1689 depending on scope.

How long does the implementation take?

On average, 4-7 months for a single ISO standard. An integrated management system (SGI) combining 9001, 14001 and 27001 usually takes 8-12 months.

Can I co-finance it with Kit Digital or Kit Consulting?

Yes. Kit Consulting 2026 covers up to 24,000 EUR in advisory hours; Kit Digital covers tools (CRM, ERP, cybersecurity) up to 29,000 EUR.

References: AENOR · BOE · ISO

Brain marketing is more predictable than opinion marketing. — Ángel Ortega Castro