The security master plan defines a 24-36 month cybersecurity strategy, prioritizing projects by risk analysis and current maturity. SME phase 1 cost: 8,000-25,000 euros.
The security master plan (SMP) is the strategic document that defines where your company's cybersecurity should go over the next 24 to 36 months, which projects will be executed, with what priority, what resources are needed and how security will be governed. While the operational cybersecurity plan (the 20 essential measures) solves the urgent, the master plan solves the important: building a solid, sustainable security posture aligned with the business strategy. If you do not yet have the basic measures in place, first read my cybersecurity plan for SMEs. If you are looking for the real-world case, jump to the Spanish insurer case.
What is, and is not, a security master plan?
The SMP is a strategic document that starts from a diagnosis of the current security situation, defines a target state based on the risks and needs of the business, prioritizes the projects required to move from the current state to the target, estimates the resources (budget, staff, technology) needed, sets indicators of progress and success, and defines security governance (who decides what, how things escalate, how reporting works).
What the SMP is not: it is not a 200-page document that no one reads; it is not a catalog of security products to buy; it is not a theoretical exercise disconnected from the business. A good SMP fits in 20-30 pages, can be understood by management and contains concrete decisions with assigned resources.
The five phases of the security master plan
Phase 1: diagnosis of the current situation
The diagnosis assesses the organization's security maturity across all its dimensions. The INCIBE model for SMEs is a practical reference that rates maturity in five levels (non-existent, initial, managed, optimized, excellent) in areas such as security governance, risk management, asset protection, threat detection and response capability.
The diagnosis should include an information-asset inventory (what you have and where it is), a risk analysis (what threats you face and their potential impact), a regulatory compliance assessment (ENS, ISO 27001, GDPR, NIS2), a technical vulnerability assessment, and an organizational assessment (roles, processes, training, security culture).
Phase 2: definition of the target state
Based on the diagnosis, the identified risks and the business requirements, this defines the security level the organization needs to reach. The factors that determine the target state are the legal and contractual obligations (ENS if you are a public-sector supplier, GDPR if you process personal data, NIS2 if you fall within its scope as an essential or important entity), the level of risk management is willing to accept, the expectations of clients and partners, and the business strategy (if you are going to grow, expand internationally or digitalize more processes, security must support that evolution).
Phase 3: selection and prioritization of projects
This identifies all the projects needed to close the gap between the current state and the target. For each project, it defines the concrete objective (what improvement it produces), the expected risk reduction, the estimated cost, the execution timeframe, the dependencies on other projects, and the owner.
Prioritize the projects using an impact-effort matrix. High-impact, low-effort projects (quick wins) are executed first. High-impact, high-effort projects are planned for the medium term. Low-impact projects are assessed case by case.
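The impact-effort matrix above gives each project a quadrant, but the dependencies listed for each project in the previous step still decide what can actually start first: a quick win that depends on an unfinished project cannot be executed before it. The following added example (my illustration, not a tool or script from the original article) combines both: it classifies a constructed project catalog by quadrant and then produces an execution order that always picks the best-ranked project whose dependencies are already complete. The project names, scores and dependencies are invented for the example, and the threshold of 3 on a 1-5 scale for "high" impact or effort is an assumption.

```python
"""Impact-effort prioritization with dependency ordering for SMP projects.

Added example for this article, not part of the original page. All project
names, scores and dependencies below are constructed for illustration.
"""

# Constructed catalog: impact and effort on a 1-5 scale plus dependencies.
PROJECTS = {
    "identity_inventory": {"impact": 3, "effort": 1, "depends_on": []},
    "mfa_all_users":      {"impact": 5, "effort": 2, "depends_on": ["identity_inventory"]},
    "asset_inventory":    {"impact": 4, "effort": 2, "depends_on": []},
    "edr_rollout":        {"impact": 5, "effort": 4, "depends_on": ["asset_inventory"]},
    "siem_soc":           {"impact": 5, "effort": 5, "depends_on": ["edr_rollout"]},
    "policy_refresh":     {"impact": 2, "effort": 1, "depends_on": []},
    "dr_site":            {"impact": 2, "effort": 5, "depends_on": []},
}

THRESHOLD = 3  # assumption: a score >= 3 counts as "high" impact or "high" effort

# Execution preference by quadrant: quick wins first, then strategic projects,
# then cheap low-impact fill-ins, and last the costly low-impact ones.
RANK = {"quick win": 0, "strategic": 1, "fill-in": 2, "reconsider": 3}


def quadrant(project):
    """Place a project in the impact-effort matrix."""
    hi_impact = project["impact"] >= THRESHOLD
    hi_effort = project["effort"] >= THRESHOLD
    if hi_impact and not hi_effort:
        return "quick win"
    if hi_impact and hi_effort:
        return "strategic"
    if not hi_impact and not hi_effort:
        return "fill-in"
    return "reconsider"


def _sort_key(name, projects):
    p = projects[name]
    # Better quadrant first, then higher impact, then lower effort, then name.
    return (RANK[quadrant(p)], -p["impact"], p["effort"], name)


def schedule(projects):
    """Kahn's algorithm: repeatedly pick the best-ranked project whose
    dependencies are already scheduled. Raises on unknown deps or cycles."""
    for name, p in projects.items():
        for dep in p["depends_on"]:
            if dep not in projects:
                raise ValueError(f"{name} depends on unknown project {dep}")
    remaining = {name: set(p["depends_on"]) for name, p in projects.items()}
    order = []
    while remaining:
        ready = [name for name, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        pick = min(ready, key=lambda n: _sort_key(n, projects))
        order.append(pick)
        del remaining[pick]
        for deps in remaining.values():
            deps.discard(pick)
    return order


if __name__ == "__main__":
    for i, name in enumerate(schedule(PROJECTS), 1):
        print(f"{i}. {name:20s} {quadrant(PROJECTS[name])}")
```

Note how `mfa_all_users`, the best-scoring quick win, is only scheduled third: its dependency on `identity_inventory` has to be satisfied first, and `asset_inventory` outranks `identity_inventory` within the quick-win quadrant. That is the check the matrix alone does not give you.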
Phase 4: resource and budget planning
Estimate the total SMP budget broken down by year. A reference budget for cybersecurity in an SME is 5 to 10% of the IT budget, although it can be higher in the first year if you start from a very low maturity level. Identify the funding sources: internal budget, Kit Consulting (up to 18,000 euros in cybersecurity), Kit Digital (up to 29,000 euros in managed cybersecurity), regional grants (DigitalICE, Digiempresas, Innobonos) and the tax deduction for technological innovation.
Phase 5: definition of governance
Establish the security governance structure: who is responsible for information security (the CISO, although in SMEs this is usually a role combined with another function or outsourced), which committee reviews security and how often, how the security status is reported to management, how incidents are escalated, and which indicators are monitored.
2026 budget table · Security master plan
Typical cost structure of an SMP for a Spanish SME by size. Figures exclude VAT and are based on real 2025-2026 projects:
| Item | SME 25-60 emp | SME 60-150 emp | Timeframe |
|---|---|---|---|
| Maturity diagnosis (INCIBE / NIST CSF) | 2,500-4,000 € | 4,000-6,500 € | 3-5 weeks |
| Risk analysis (MAGERIT) | 2,000-3,500 € | 3,500-5,500 € | 2-4 weeks |
| SMP drafting (20-30 pages + annexes) | 2,500-4,500 € | 4,500-7,000 € | 3-4 weeks |
| Validation committee and management approval | 800-1,500 € | 1,500-2,500 € | 1-2 weeks |
| Subtotal SMP design | 7,800-13,500 € | 13,500-21,500 € | 9-15 weeks |
| Kickoff of 2-3 priority projects, year 1 | 5,000-12,000 € | 12,000-25,000 € | 6-9 months |
| Fractional external CISO (24 months) | 1,500 €/month | 2,500 €/month | annual contract |
| Total phase 1 investment (month 0-9, excluding the fractional CISO retainer) | 12,800-25,500 € | 25,500-46,500 € | 9 months |
| Recurring annual budget, years 2-3 | 15,000-35,000 €/year | 35,000-80,000 €/year | annual |
Kit Consulting (Red.es, Order TDF/38/2026) covers up to 18,000 euros of the prior strategic advice, reducing the effective outlay for the design and kickoff of the SMP.
Indicators (KPIs) of the security master plan
The KPIs that demonstrate the SMP's progress and that management should review quarterly:
- % of projects completed against the plan (target: 90%+ per quarter).
- Overall maturity level measured with the same model as the diagnosis (target: rise 1 level every 12-18 months).
- Number and severity of incidents (target: a downward trend).
- MTTD / MTTR: Mean Time To Detect / To Respond, averaged over the incidents of the period (target: MTTD < 24h, MTTR < 8h).
- % of critical/high vulnerabilities fixed within the SLA (target: 95% within 30 days).
- Simulated-phishing click rate (target: a downward trend, < 5% at 12 months).
- % of employees trained in awareness (target: 100% annually).
- Regulatory compliance status (target: gaps closed vs pending).
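The MTTD, MTTR and vulnerability-SLA indicators above are only comparable quarter to quarter if they are computed the same way every time, so it is worth fixing the definitions in code rather than in a spreadsheet. The following added example (my illustration, not a dashboard or script from the original article) computes them from constructed incident and vulnerability records: MTTD as the time from the start of the intrusion to its detection, MTTR as the time from detection to resolution, and SLA compliance only over critical/high vulnerabilities whose 30-day deadline has already passed, so that recently discovered open findings do not inflate or deflate the percentage. The record format, field names and the `AS_OF` reporting date are assumptions for the example.

```python
"""SMP KPI computation: MTTD, MTTR and vulnerability SLA compliance.

Added example for this article, not code from the original page. The incident
and vulnerability records below are constructed for illustration.
"""
from datetime import datetime, timedelta
from statistics import mean

TS = "%Y-%m-%dT%H:%M"   # assumed timestamp format for incident records
DAY = "%Y-%m-%d"        # assumed date format for vulnerability records

# Constructed incidents: intrusion start (from forensics), detection, resolution.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "started": "2026-01-10T08:00",
     "detected": "2026-01-12T08:00", "resolved": "2026-01-12T14:00"},
    {"id": "INC-2", "severity": "medium", "started": "2026-02-03T09:30",
     "detected": "2026-02-03T10:30", "resolved": "2026-02-03T16:30"},
    {"id": "INC-3", "severity": "low",    "started": "2026-02-20T12:00",
     "detected": "2026-02-20T15:00", "resolved": "2026-02-21T00:00"},
]

# Constructed vulnerability findings; "fixed": None means still open.
VULNS = [
    {"id": "V-1", "severity": "critical", "discovered": "2026-01-05", "fixed": "2026-01-20"},
    {"id": "V-2", "severity": "high",     "discovered": "2026-01-05", "fixed": "2026-02-15"},
    {"id": "V-3", "severity": "high",     "discovered": "2026-02-10", "fixed": None},
    {"id": "V-4", "severity": "medium",   "discovered": "2026-01-05", "fixed": None},
    {"id": "V-5", "severity": "critical", "discovered": "2026-03-01", "fixed": None},
]
AS_OF = "2026-03-20"  # assumed reporting date for the quarterly review


def _hours(start, end):
    return (datetime.strptime(end, TS) - datetime.strptime(start, TS)).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time from intrusion start to detection, in hours."""
    return round(mean([_hours(i["started"], i["detected"]) for i in incidents]), 2)


def mttr_hours(incidents):
    """Mean time from detection to resolution, in hours."""
    return round(mean([_hours(i["detected"], i["resolved"]) for i in incidents]), 2)


def sla_compliance(vulns, as_of, sla_days=30, severities=("critical", "high")):
    """Share of in-scope vulnerabilities fixed within the SLA.

    Only findings whose deadline has passed (fixed, or open and overdue) count
    in the denominator; open findings still inside the SLA window are 'pending'.
    """
    as_of_date = datetime.strptime(as_of, DAY).date()
    compliant = breached = pending = 0
    for v in vulns:
        if v["severity"] not in severities:
            continue
        due = datetime.strptime(v["discovered"], DAY).date() + timedelta(days=sla_days)
        if v["fixed"] is not None:
            if datetime.strptime(v["fixed"], DAY).date() <= due:
                compliant += 1
            else:
                breached += 1
        elif as_of_date > due:
            breached += 1      # still open and past the deadline
        else:
            pending += 1       # open but not yet due: excluded from the ratio
    due_total = compliant + breached
    pct = round(100 * compliant / due_total, 1) if due_total else 100.0
    return {"compliant": compliant, "breached": breached,
            "pending": pending, "pct_within_sla": pct}


def kpi_report(incidents, vulns, as_of):
    """Quarterly figures with the article's targets applied."""
    mttd, mttr = mttd_hours(incidents), mttr_hours(incidents)
    sla = sla_compliance(vulns, as_of)
    return {"mttd_h": mttd, "mttd_ok": mttd < 24,
            "mttr_h": mttr, "mttr_ok": mttr < 8,
            "sla": sla, "sla_ok": sla["pct_within_sla"] >= 95}


if __name__ == "__main__":
    for key, value in kpi_report(INCIDENTS, VULNS, AS_OF).items():
        print(f"{key:10s} {value}")
```

With these records the detection and response targets are met (MTTD 17.33h, MTTR 7h) while the remediation SLA is not: one high finding was fixed late and another is open and overdue, so only 1 of 3 due findings is compliant. The pending critical finding discovered on 1 March is reported separately rather than counted as a breach.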
How the SMP relates to ISO 27001, ENS and NIS2
The security master plan is the natural bridge to ISO 27001 certification, ENS adaptation or NIS2 compliance. A well-built SMP already contains much of the documentation these frameworks require: the risk analysis, the control selection, the risk treatment plan and the performance indicators.
If your medium-term goal is to get certified, design the SMP directly aligned with the requirements of ISO 27001 (Annex A controls) or ENS (Annex II of Royal Decree 311/2022). This will avoid duplication and significantly reduce the cost of the subsequent certification project.
Real-world case: a 30-month SMP at a Spanish insurer with 95 employees
A mid-sized Spanish insurer with 95 employees, headquarters in Madrid and two regional offices commissioned the full design of the SMP after the NIS2 Directive and Royal Decree 311/2022 (ENS) came into force, given its status as a financial-services provider handling specially protected data. The initial diagnosis showed an overall maturity of level 2 out of 5 (Initial-Managed), with major gaps in governance, supplier management and threat detection.
The project ran with a 30-month horizon and a phase 1 of 22,000 € (diagnosis 4,500 € + MAGERIT risk analysis 4,000 € + SMP drafting 5,500 € + approval committee 1,500 € + kickoff of priority projects 6,500 €). Five key deliverables:
- An SMP document of 26 pages + 9 annexes, approved by the board of directors.
- A catalog of 14 prioritized projects with a multi-year budget (year 1: 78,000 €; year 2: 65,000 €; year 3: 42,000 €).
- A Security Committee charter, monthly meetings, a fractional CISO 3 days/month.
- A compliance matrix for NIS2 + ENS Medium + ISO 27001 + DORA with owners and deadlines.
- A KPI dashboard (Power BI) with 12 indicators updated monthly and reviewed quarterly by management.
Results at month 12: overall maturity rose to level 3 (Managed-Optimized), 6 projects closed, 4 in progress, 4 in the backlog. MTTD dropped from 96h to 18h. The simulated-phishing click rate fell from 31% to 7%. An external ENS Medium audit started at month 15 with certification forecast for month 20.
Mini glossary of the security master plan
- SMP: security master plan.
- NIST CSF 2.0: NIST Cybersecurity Framework version 2.0 (2024): the Govern, Identify, Protect, Detect, Respond, Recover functions.
- MAGERIT: the CCN's Methodology for Information Systems Risk Analysis and Management.
- SoA: Statement of Applicability · the declaration of applicable controls (ISO 27001 clause 6.1.3).
- MTTD / MTTR: Mean Time To Detect / To Respond.
- SLA: Service Level Agreement · a time commitment for actions (remediation, response, recovery).
- Quick win: a high-impact, low-effort project, a candidate to execute first.
- Fractional CISO: an external part-time CISO (usually 1-3 days/month).
Do you need to design your company's security master plan? Let's talk. I help you create a realistic, budgeted SMP aligned with your business strategy, making the most of every available grant.
Authored by Ángel Ortega Castro · independent consultant in strategy, quality and digitalization for SMEs, based in Aranda de Duero (Burgos).