It is natural to reflect a carved-out business area’s cyber programme against the parent’s. That works while the business sits inside the parent. Once it stands on its own, the programme can find itself sized for a company that is no longer the one it serves.

This happens whenever a business changes shape. A business area carves out from a listed parent. Two organisations merge and integrate IT. A regulated programme stands up a new entity to deliver on a major capital project. In each case, the cyber function arrives on the new shape carrying the old shape’s habits, vendor stack, control catalogue and team structure. A good deal of it does not transfer cleanly.

The question the inherited frame tends to supply is “how do we scale the parent’s programme down?” The question worth asking, and the one the planning phase exists to answer, is “what does this entity actually need?”

Three inputs answer it. The new entity’s market position. The actual intentions of its management. The mandatory floor of regulation and customer expectation that cannot be optimised below. From those three the programme dimensions itself. From the parent’s programme it does not.

What follows is one way to do that. It is drawn from working these decisions on real carve-outs, offered as a working discipline rather than a method to apply uniformly. Other approaches work. The points worth holding onto are the three inputs, the ISMS capability set as the spine, and the four moves applied per capability. Adapt the rest to the entity in front of you.

The best time to ask these questions is during planning, not after Day-1.

Influence early, or inherit late

A cyber programme is a project, and project decisions get baked in at the planning phase. By the time the entity is operational, structural choices about authority, budget, reporting line, scope and risk routing have already been drawn. They were drawn either by the people sized to draw them, or by whoever happened to be in the room when the deadline pressed.

Transformation programmes are particularly demanding on this point. Two hundred parallel streams running against a fixed legal date. Every stream is making good-enough calls. If cyber is not at the table while those calls are being made, the cyber function inherits whichever interpretation of cyber landed first in the planning room. That interpretation may not match what the new entity actually needs.

The discipline that addresses this is not novel. It is project leadership applied to the security programme itself. Get sized into the planning phase. Bring the questions below. Settle the answers while the planning phase is still open.

Market position decides what value is being protected

What does the new entity sell, to whom, and against what disruption? The answer drives the protection scope. An industrial manufacturer with physical assets, a few hundred customers and a B2B contract base sits in a different risk picture than a SaaS platform serving regulated healthcare, even when both happen to share the phrase “carved out from a listed parent.” The cyber programme protects the value the business actually creates, not the abstract surface area inherited from a parent’s threat model.

That is the point most often missed when a programme gets sized down by template. A 90% reduction of the parent’s controls catalogue is not a smaller programme. It is a programme designed for a different company than the one being stood up.

In transformation cases the operational layer typically moves wholesale. Sites, plants, customer-facing systems, local IT and OT all transfer with the business. What unwraps, and what the new programme has to rebuild around, is the centre of the parent. Group identity, central monitoring, shared enterprise tooling, the security team that served the whole group. Size the programme around the unwrapped centre.

Management intent decides the design

Management’s intentions are the second input. The honest read of them is the revealed one, not the stated one.

What is actually being built here? A long-term independent operator, or a tidy package being prepared for sale within three years? A business that will absorb cost to keep risk low, or one whose unit economics force a different appetite? The cyber programme that serves each of these is different, even when the regulatory floor is identical.

Read the intent including the parts management has not said. Hiring profiles, cost expectations, board composition, sale-readiness language in the early decks, who is being lined up for which seat. Stated intent is what gets written into the strategy paper. Revealed intent is what gets resourced. The second is what the cyber function ends up serving.

The mandatory floor is the line

The floor is non-negotiable and is the first thing to fix. Below the floor there is no optimisation. Meeting it is a precondition for operating at all.

Four categories sit on the floor for most newly standalone businesses. Applicable regulation, scoped against the entity’s actual properties. Customer-imposed requirements flowed down in contracts. Insurer requirements that condition coverage. Listed-company obligations, where the entity is or will be listed.

On the regulatory side, some obligations apply by default. GDPR and national data protection law. Employment and HR data rules. Customer contractual security clauses. Insurer underwriting requirements for any business carrying cyber cover. These do not change with the entity’s properties; they apply.

Others apply only if the entity meets certain criteria, and those criteria are exactly what a carve-out resets. NIS2 depends on sector classification and size; the standalone entity may sit in or out of direct scope where the parent was clearly in, and may still face flow-down from in-scope customers. DORA reaches financial entities. The Cyber Resilience Act reaches manufacturers of products with digital elements. The AI Act reaches deployers and providers of high-risk AI systems. CSRD has size and revenue thresholds. Sector-specific regulation (healthcare, energy, aviation, finance, defence) follows the entity’s classification, not the parent’s. National security and critical-infrastructure rules vary by jurisdiction.

A separate category lands when the transformation produces a listed entity. The listed-company suite (market abuse, financial reporting integrity, audit oversight) is newly applicable from listing day rather than inherited. It is the most visible example of a carve-out creating obligations the parent never had to carry as this entity.

The work is property-led, and it is where carve-out cyber dimensioning most repays a careful read. A standalone entity’s properties differ from what they were inside the parent. Size. Sector. Ownership status. Customer mix. Geographic footprint. Each property change can flip an obligation into or out of scope. Some obligations the parent carried drop off the new entity. Some new obligations land that the parent never had to face directly. Compliance is not an inherited setting. It is a fresh property-based scoping exercise, and the parent’s apparatus is not a guide to it.

Above the floor, cost-and-value optimisation rules. The discipline is to know exactly where the line is, not optimise below it, then optimise hard above it.

The ISMS capability set is the spine

What has to be covered comes from the ISMS capability set. The parent’s organisation chart is not the guide.

The seven core capabilities I have described elsewhere are: risk management, governance, policy and guideline (with KPIs), instructions, communication, controls and assurance. Each capability has to be covered in some form, regardless of entity scale.

The thin-team reality of a standalone business is that one person frequently holds what an enterprise splits across several. That is not a failure mode. It is a sizing choice. The practical question is the minimum viable way to cover each of the seven with a lean team plus managed services and advisers. Treat the three-lines-of-defence separation as a guide, not a mandate. The one separation worth preserving even when lean is independent assurance for listed-company audit and board oversight. Manufacture the rest only if the entity can actually resource it.

The capability set is the spine because it does not change with the entity’s size. The same seven things have to function in a fifty-person business as in a fifty-thousand-person one. What changes is how each is covered, by whom and at what scale. That is what the next section is about.

Keep, transform, leave behind, stand up

Four moves are available. Per capability, against the three dimensioning inputs, the question becomes which move applies.

Keep what is portable and lightweight. Method, judgement, framework structure, decision logic, supplier-contracting patterns. These cost almost nothing to carry across and do not penalise a smaller entity. The heritage worth taking travels with the person, not the cost base.

Transform what still has to function but needs different scale or delivery. Operations from multi-vendor RACI to single managed-service-provider on a single platform. Vulnerability management from multi-tool enterprise apparatus to one SaaS tool with managed triage. Same function, different bill. Most of the cost savings sit here, not in cutting controls.

Leave behind what the entity does not legally carry, does not need, or cannot resource. Parent-only obligations. Enterprise-scale machinery sized for the parent’s risk profile. The specialist office structures that only work at parent scale. Naming what to leave behind is some of the most useful work in the phase. The trap is treating it as a downsizing of existing capabilities rather than a fresh read of what the new company needs. A carve-out is one of the rare moments when nothing is yet fixed and defended. That window closes fast, and what comes back by default is the parent’s programme scaled down.

Stand up what is genuinely new. A carve-out creates obligations as well as redistributing them. Listed-company disclosure capability the entity never had as a business area. Direct customer-facing security contact instead of one routed through group procurement. Sale-readiness packaging for buyer due diligence. Board cyber governance built from scratch. This is the bucket most carve-out cyber thinking does not name. Getting the stand-up decisions right prepares the new entity to answer the questions it will face from listing day onwards, including ones the parent never had to face as this entity.

Run each of the seven capabilities through the four moves, against the three dimensioning inputs. That is the working spine of the planning phase.

What this achieves

A programme dimensioned by market position, management intent and the mandatory floor, with the ISMS capability set as the spine and the four-move triage as the working tool, has a particular shape. It is leaner than the parent’s. It is more focused on the value the business actually creates and on the floors it has to clear. There is no inherited cost that cannot be justified by reference to the new entity’s reality.

It is also defendable. Defendable here has a specific meaning. Every line in the programme is traceable to one of the three dimensioning inputs. Each control is there because it protects identified value, meets a customer or regulatory floor, or supports management’s actual intent for the business. Defendable against the auditor, the board, the cost-cutting conversation that will eventually arrive, and the buyer due diligence that may follow it.

That is the target. Not maximum security. Not minimum compliance. The right programme for the company that actually exists, with the discipline set at the start, while the planning phase is still open.