You don’t need a part-time vCISO or vCCO until you’re getting at least a half dozen security questionnaires per year or at least 1 request from a significant customer to perform an onsite security review. Large organizations or spending hundreds of millions, if not billions, of dollars, on “Vendor Management”. These folks take their jobs and themselves very seriously, and they will expect you to have a fairly mature information security and compliance program.
If you’re just looking to pass an audit, a project-based engagement would be adequate.