1. Client Information
- Client Company: [Company Name]
- ABN / ACN: [Australian Business Number]
- Primary Contact: [Full Name, Title]
- Billing Address: [Street, City, State, Postcode]
- Industry: [Industry / Sector]
2. Executive Summary
lilMONSTER Cybersecurity proposes to deliver [brief description of engagement] to [Client Company]. This engagement follows the D.E.F.R.A.G. methodology — Detect, Evaluate, Fortify, Respond, Audit, Govern — and is designed to address the priority risks identified during the discovery phase. The total investment for this engagement is [Total AUD] (ex GST) delivered over [Duration].
3. Scope of Work
Phase 1 — Discovery & Assessment
Comprehensive review of existing security controls, asset inventory, network architecture, identity systems, and policy framework. Includes stakeholder interviews and documentation review.
- Current-Posture Assessment Report (PDF)
- Asset inventory & network topology map (updated)
- Gap analysis against [ISO 27001 / Essential Eight / SOC 2]
- Risk register with prioritised findings
- Executive briefing (1-hour presentation)
Phase 2 — Roadmap & Quick Wins
Develop prioritised remediation plan with immediate "quick wins" that reduce risk within the first 30 days. Includes configuration changes, policy templates, and tooling recommendations.
- Top 5 prioritised actions with implementation timeline
- MFA enforcement plan for all admin/privileged accounts
- Security policy template pack (AUP, Access Control, Incident Response)
- Vendor recommendation matrix (EDR, SIEM, email security)
- 30-60-90 day implementation roadmap
Phase 3 — Implementation Guidance
Hands-on guidance during implementation of priority controls. Configuration validation, testing, and tuning. Includes staff awareness training and tabletop exercise.
- EDR deployment validation & tuning
- SIEM use-case configuration (top 10 detection rules)
- Security awareness training session (1.5 hours, all staff)
- Tabletop exercise — ransomware scenario
- Validation report with retest results
Phase 4 — Governance & Handover
Establish ongoing governance cadence, finalise documentation, and transition to BAU. Optional: ongoing vCISO retainer arrangement.
- Security governance pack (meeting cadence, reporting templates)
- Compliance mapping document
- Third-party risk assessment framework
- Final engagement report & executive summary
- Handover session with internal team / IT provider
4. Timeline & Milestones
| Milestone | Week | Deliverable | Payment |
| --- | --- | --- | --- |
| M1 — Kickoff | Week 0 | Project initiation, access provisioning | — |
| M2 — Assessment Complete | Week 2 | Current-Posture Report delivered | 30% |
| M3 — Roadmap Approved | Week 4 | Remediation plan signed off | 30% |
| M4 — Implementation Validated | Week 8 | Validation report, training complete | 30% |
| M5 — Project Close | Week 10 | Final report, handover complete | 10% |
5. Investment
| Item | Description | Amount (ex GST) |
| --- | --- | --- |
| Phase 1 — Discovery & Assessment | [Detailed scope] | AUD $[X,XXX] |
| Phase 2 — Roadmap & Quick Wins | [Detailed scope] | AUD $[X,XXX] |
| Phase 3 — Implementation Guidance | [Detailed scope] | AUD $[X,XXX] |
| Phase 4 — Governance & Handover | [Detailed scope] | AUD $[X,XXX] |
Total Investment: AUD $[XX,XXX] (ex GST)
Payment Terms: As per milestone schedule above. Invoices issued on milestone completion, net 14 days. GST will be added for Australian clients. All amounts in Australian Dollars (AUD).
6. Terms & Conditions
- Engagement Period: This SOW covers the period [Start Date] to [End Date]. Any work outside this scope will be handled via a separate SOW or change request.
- Client Obligations: Client agrees to provide timely access to systems, personnel, and documentation required to complete the deliverables. Delays caused by Client may impact the timeline and are not the responsibility of lilMONSTER.
- Confidentiality: All information shared during this engagement is treated as confidential under our standard NDA. lilMONSTER will not disclose Client information to third parties without prior written consent, except as required by law.
- Intellectual Property: Deliverables produced under this SOW are licensed to Client for internal business use. lilMONSTER retains ownership of methodologies, tools, and templates used in delivery.
- Limitation of Liability: To the maximum extent permitted by law, lilMONSTER's total liability under this SOW is limited to the total fees paid. lilMONSTER provides consulting and advisory services; implementation decisions and outcomes remain the Client's responsibility.
- Termination: Either party may terminate this SOW with 14 days' written notice. Client will pay for all work completed up to the termination date.
- Insurance: lilMONSTER maintains Professional Indemnity and Public Liability insurance. Certificates available on request.
- Governing Law: This SOW is governed by the laws of Victoria, Australia.
7. Agreement
This Scope of Work represents the agreement between the parties. By signing below, both parties accept the terms, scope, and investment outlined in this document.
For lilMONSTER
[Consultant Name], lilMONSTER Cybersecurity
Date: _________________
For [Client Company]
[Client Signatory Name], [Title]
Date: _________________