Empowering Cybersecurity Compliance: A Comprehensive Solution for a Financial Organization in Portugal

A financial organization based in Portugal needed to ensure that its low-maturity cybersecurity programme complied with regulations. The organization also required support in implementing controls and monitoring their effectiveness. A combination of GRC and RTS activities was provided to address the institution's problems. The GRC activities included ISOaaS (Information Security Officer as a Service), based on various best practices and covering CIS Controls, CIS Benchmarks, financial sector regulations, etc., while the RTS activities consisted of penetration testing and scanning.

The following outcomes, considered as benefits, arose from this approach:

  1. Flexibility: ISOaaS can now be adapted to complement in-house capabilities with specialist skills in specific areas where those competencies are not available within the organization.
  2. Responsiveness: Having ISOaaS and a pool of resources on request means that the organization can have faster access to expertise or short-term assistance when needed.
  3. Scalability: The service can be scaled for more or less time depending on the identified need. For example, the organization may want to increase the number of days of service when starting a project and then return to business as usual.

Last but not least, the RTS opportunities in penetration testing and scanning (cross-selling) were another significant outcome in this case.