Reminder: The method for ordering VITA services has changed. Please follow the revised instructions in the "How to Order" section, below.

Centralized Information Security Officer (ISO) Service

generic network product image

Price: No Cost

Unit of Measure: Usage Based

Pricing Type: No Charge

Billing Cycle: N/A

Service Lead: Ed Miller


The Centralized Information Security Officer (ISO) service will assist agencies in performing and documenting:  Business Impact Analysis and IT System Security Plans (consisting of IT Security Risk Assessment and Risk Treatment Plans) including required annual updates.  ISO Service analysts will also be able to provide consulting and other ISO services.

For additional information visit: ​Commonwealth Security and Risk Management.

How to Order

Effective 12/15/18, this service can be ordered from the VITA Service Catalog in the new VITA Service Portal. To submit your request:

  • Customers who have Commonwealth of Virginia (COV) accounts (including executive branch agencies) should access the VITA Service Catalog via the VITA Service Portal to place service requests using the automated form provided in the catalog.
  • Customers who do not have COV accounts (including some local government customers) or customers who are unable to gain access to the portal may order the service by sending an e-mail to the VITA Customer Care Center (VCCC) services desk at Please include the following information:
    • The words "Service request" in the "Subject" line
    • The name of the service being ordered
    • The quantity desired (if applicable)
    • Any other information you deem relevant

If you are uncertain as to whether you have a COV account, start by trying to access the VITA Service Portal. If you are unable to do so, then use the email-to-the-VCCC method.

If you need additional assistance, you may check with your agency information technology resource (AITR) or call the VCCC at 866-637-8482.

You will be contacted to confirm that your request has been received and to obtain any additional required information.

Frequently Asked Questions

Click on question to show or hide answer.

The Centralized ISO Service includes a qualified information security specialist who will create Business Impact Analyses (BIA) and system security plans (which include risk assessments & risk treatment plans) and will help the agency stay in compliance with commonwealth IT security policies and standards.

Funding has been made available for each agency to use to acquire ISO Services. The amount appropriated for each agency is different. Please contact your Department of Planning and Budget (DPB) analyst for agency funding information.

Yes. VITA Commonwealth Security and Risk Management (CSRM) will assist in determining the type and complexity of BIA and system security plans that your agency requires.

Once ordered and scheduled, based on complexity, a BIA can take anywhere from 2 weeks to 2 months. Once ordered and scheduled, based on complexity, a System Security Plan, which includes Risk Assessment and a Risk Treatment Plan, can take a week to a month. All times are based on the agency's ability to provide all requested documentation and information in a timely manner.

Service offerings will be scheduled as resources become available. We will coordinate with the agency to ensure that services performed do not overlap or interfere with critical business periods.

No, an agency may choose to use the funding provided to contract with an outside firm or consultant or hire staff. However, the agency must submit an updated IT Risk Assessment plan to CSRM. CSRM will review and determine if the plan is acceptable and will bring the agency in compliance of the risk management requirements mandated by SEC501, the IT Security Standard.

BIAs, Risk Assessments, and System Security Plans are living documents, meaning that they must be continually reviewed and updated as circumstances within your agency, your IT systems, or the environment in which they function change. VITA Centralized services will be in routine communication with your agency and will monitor your BIA, Risk Assessments, System Security Plans and all related documentation to ensure that they are maintained and kept current.