C CERG Cyber Engineering, Risk & Governance
Markdown GitHub
Document ID CERG-GOV-IMP-003
Version 1.02
Status Approved
Classification Public
Owner Governance Pillar Leader
Parent Policy CERG-POL-001 - Cybersecurity Policy
Review Cycle Annual
Frameworks NIST CSF 2.0
Regulations Cross-cutting
Environments Small-team CERG adopters (≤8 people)

Table of Contents

  1. Who This Is For
  2. The CERG Lite Package
  3. Operating Rhythm for a 5-Person Team
  4. Role Consolidation Map
  5. First 10 Records to Create
  6. First Month Success Criteria
  7. Manual Fallback Schemas
  8. Minimum Viable Evidence Library
  9. Document Control

1. Who This Is For

This guide is for teams of 8 people or fewer who want to run CERG as their operating model. It assumes you have read the Adoption Safety Guide and confirmed the prerequisites in §1.

The full CERG corpus describes what a 60-person security team looks like at NIST CSF Adaptive maturity. That is the upper bound. This guide describes the lower bound — what a 5-person team can actually operate without burning out.

The rule: adopt fewer documents, run a lighter cadence, produce simpler evidence, and add complexity only when the team grows or the risk demands it.

2. The CERG Lite Package

These are the documents you actually need first. Everything else in the repo can wait.

Adopt Immediately: MVC (8 documents)

Document Why
Cybersecurity Policy (POL-001) Board/CISO must approve. One page.
CERG Framework (FRM-001) Explains the three-pillar model every other document assumes.
Operating Model (OM-001) Defines your consolidated roles. Read §6.1, skip the 60-person examples.
Document Catalog (CAT-001) Inventory of what exists and what you have adopted.
Risk Management Framework (RMF-001) How you score, treat, and accept risk.
Risk Register and Exception Process (PRC-RM-001) Your operational risk workflow.
Risk Register Templates (TMPL-RM-001) The spreadsheet/template layer that makes the register real.
Exposure Management Procedure (PRC-VM-001) Your operational vulnerability workflow.

Use as adoption aids, not additional MVC requirements

Document Use
Implementation Guide (IMP-001) How to adapt the corpus. Fill in your org profile.
Adoption Safety Guide (IMP-002) How to avoid failure modes.
This document (IMP-003) How to run CERG with a small team.
Role-Based Implementation Checklists (IMP-006) What each consolidated role should do first.
Job Families Overview (JF-001) Useful for hiring and consolidation, not required to run MVC.
NICE Crosswalk (JF-002) Optional skills-gap and hiring reference.

Adopt When Ready (layered on as the team grows)

When Add These
You are ready to formalize controls Unified Control Baseline (CB-001); start with the 6 families you can evidence.
You have cloud, SaaS, or managed infrastructure Access, Asset, Configuration, IT/Cloud/SaaS, Logging, and Resilience standards as applicable.
You have a compliance requirement The applicable regulatory package (CIP, CUI, SOX, ISO, Privacy).
You are onboarding vendors Third-Party Risk Procedure (PRC-TPRM-001).
You have a detection capability Threat Intelligence Procedure (PRC-TI-001) and Adversarial Validation Procedure (PRC-AV-001).
You have an incident response function Cross-Pillar Flows (FLOW-001) for F-06 integration; IR remains owned by the standing IR team.
Team grows beyond 8 people Per-role JD documents for hiring; full workforce planning.

Do Not Adopt Yet

The following are explicitly deferred for small teams. Document the deferral in your Decision Log:

  • Full workforce planning (WFP-001)
  • Succession planning (SUCC-001)
  • Maturity self-assessment (MAT-001)
  • Any regulatory package that does not apply
  • Board/CISO reporting deck template — use a simple status report instead
  • Per-role JD documents — JF-001 and JF-002 are sufficient
  • Contractor integration guide (CON-001) — unless you have contractors
  • Cross-pillar operational flows (FLOW-001) — the procedures themselves (PRC-*) are sufficient for initial adoption
  • Stakeholder perception survey (TMPL-GOV-001) — first run at month 2, then annually per IMP-002

3. Operating Rhythm for a 5-Person Team

The full calendar (CAL-001) assumes a 60-person team. Scale it down.

Weekly (1 hour)

Activity Who Duration
High/Critical risk review CISO + whoever owns Risk that week 20 min
Vulnerability remediation review Risk person 20 min
Open exceptions check (any expiring this month?) Governance person 10 min
New project intake review (any new requests?) Engineering person 10 min

Biweekly (1 hour)

Activity Who Duration
Vulnerability SLA review (any past due?) Risk person 15 min
Change review (any security-significant changes this period?) Engineering person 15 min
Evidence freshness check (any stale evidence?) Governance person 15 min
Cross-training check (did anyone do their 4 hours?) Everyone 15 min

Monthly (2 hours)

Activity Who Duration
Full risk register review Everyone 45 min
Exception review (renew, close, escalate) Governance + Risk 20 min
Vendor risk review (any new vendors? any expiring assessments?) Risk person 15 min
Metrics collection for monthly report Governance person 20 min
Improvement backlog review Everyone 20 min

Quarterly (half day)

Activity Who Duration
Executive risk brief preparation CISO 1 hour
Control evidence refresh (pick 2-3 control families) Governance + Engineering 1 hour
Access review (sample of privileged accounts) Identity person 1 hour
Policy/standards review (any changes needed?) Governance 30 min
Lessons learned from incidents or near-misses Everyone 30 min

Semi-Annual (1 day)

Activity Who Duration
Full access review Identity person + system owners 3 hours
Backup restore test (pick 2 critical systems) Engineering person 2 hours
Tabletop exercise (pick 1 scenario) Everyone 2 hours
Policy review and update Governance 1 hour

Annual (2-3 days)

Activity Who Duration
Full maturity self-assessment (optional for small teams) Governance 2 hours
Risk appetite calibration CISO + executive sponsor 1 hour
Full policy/standards review cycle Governance 4 hours
Annual report to executive leadership CISO 2 hours
Budget and resource planning CISO 2 hours
Team training and development planning Everyone 1 hour

4. Role Consolidation Map

A 5-person team covers all 27 canonical roles by consolidating them. The map below is one example — adapt it to your team’s skills. Document your actual assignments in the Decision Log.

Person Canonical Roles Consolidated Primary Family
Person 1 — CISO / Governance Lead CISO, Governance Pillar Leader, Policy & Standards Manager, Risk Register Owner, Evidence Librarian JF-EXEC / JF-GOVCOMP
Person 2 — Risk Lead Risk Pillar Leader, Exposure Management Lead, Threat Intelligence Analyst, Detection Engineer, Vendor Risk Analyst JF-RISKOPS
Person 3 — Engineering Lead Engineering Pillar Leader, Cloud Security Engineer, Identity Engineer, Endpoint Engineer JF-SECENG
Person 4 — Security Engineer Application Security Engineer, Cryptography Engineer, OT Security Engineer (if applicable), Pre-production Reviewer JF-SECENG
Person 5 — Compliance / IR Liaison NERC-CIP Compliance Manager, CMMC/Federal Compliance Manager, SOX ITGC Lead, IR liaison (Incident Commander and Lead Investigator remain with standing IR team) JF-GOVCOMP / JF-ADJUNCT

If you have 3 people: Consolidate further. Person 1 = CISO + Governance + Risk Register. Person 2 = Engineering + Cloud + Identity. Person 3 = Risk + Compliance + VM. Document every consolidation in the Decision Log per IMP-002 §4. The Role Collision Guide (IMP-002 §7) defines which consolidations require compensating controls.

Authority guardrail: heads collapse; business consequence acceptance does not. A small team still needs a Business Owner or Executive Sponsor outside the security assessor role to acknowledge accepted residual risk. If the CISO/Risk/Governance work is held by one person, use IMP-002 §5 and RMF-001 §9.7 for independent acceptance and escalation.

If you have 1 person: You are not ready to adopt CERG as an operating model. Use CERG as a planning reference. Hire your second person before attempting adoption.

5. First 10 Records to Create

Before you run your first meeting, create these records. They prove the program is operational, not just documented.

Record 1: Organization Profile (IMP-001)

Fill in the organization profile in the Implementation Guide. This is a single document, not a recurring record.

  • Organization name
  • Named CISO
  • Named executive sponsor
  • Defined system scope
  • Known regulatory obligations
  • Tooling inventory

Record 2: Role Assignment Map

A simple table mapping your actual people to canonical roles. Example:

Person Canonical Roles Email
Jane Smith CISO, Governance Pillar Leader jane@example.com
Alex Chen Risk Pillar Leader, Exposure Management Lead, Threat Intel alex@example.com

Record 3: Asset Inventory Extract

Do not build a full CMDB. Start with a spreadsheet. List every system you know about. If you do not know about it, write “unknown” in the owner column — that is your first finding.

Asset Type Owner Classification Criticality In Scope?
ExampleApp SaaS Jane Smith Internal High Yes

Aim for 80% coverage in month one. The remaining 20% is your asset discovery backlog.

Record 4: Initial Top 10 Risks

Do not try to build a complete risk register in week one. Identify the 10 risks that keep you up at night. Score them. Assign owners. Schedule treatment.

Risk ID Risk Statement Inherent Residual Owner Treatment Due
RISK-2026-001 Unpatched internet-facing systems could enable ransomware High Medium Alex Chen Remediate — patch cycle 2026-07-15

Record 5: Exposure Backlog

Export your vulnerability scanner results. Prioritize by severity and asset criticality. Assign the top 20 to owners.

Finding ID CVE/ID Severity Asset Owner Due
FIND-2026-001 CVE-2026-12345 Critical ExampleApp Alex Chen 2026-06-13

Record 6: Exception Register (starts empty)

Create the structure. It will populate as you find things you cannot fix on schedule.

Exception ID Control Rationale Compensating Controls Approver Expires

Record 7: Evidence Index

Create the folder structure (see §8). Add one entry for each piece of evidence you already have.

Evidence ID Control Description Date Source Stored At

Record 8: Control Implementation Snapshot

If CB-001 is not yet adopted, start with a preliminary snapshot for the obvious control families (AC, IA, CM, CP, RA, SI) and mark it preliminary. Once CB-001 is adopted, convert the snapshot to CB-001 control IDs and record its current status honestly.

Control ID Status Evidence? Notes
AC-2 Partially Implemented JML log collected Access review not yet performed
IA-2 Implemented MFA enforced via IdP policy Evidence: IdP config export 2026-06-01

Record 9: Regulatory Applicability Decision

For each regulatory framework referenced in CERG, decide: Applicable? Deferred? Not applicable?

Framework Applies? Decision Rationale
NERC-CIP No Not applicable Not a registered entity
CMMC Yes Deferred Will adopt CUI package in Q3
SOX Yes Applicable Public company — ITGC scope defined

Record 10: 30-Day Improvement Backlog

Five things you will fix in the first 30 days. Be specific.

ID Action Owner Due
IMP-001 Complete asset inventory for cloud environments Engineering Lead 2026-07-11
IMP-002 Run first access review for privileged accounts Identity person 2026-07-11

6. First Month Success Criteria

After 30 days of operating CERG with a small team, you should be able to answer “yes” to these questions:

Governance

  • [ ] Policy approved by CISO and executive sponsor
  • [ ] Organization profile completed
  • [ ] Decision log created with at least: role consolidation decisions, regulatory applicability decisions, deferred document decisions
  • [ ] Evidence library structure created with at least one piece of evidence per spine control family
  • [ ] Document catalog reviewed — deferred documents noted

Risk

  • [ ] Top 10 risks identified, scored, and assigned to owners
  • [ ] First risk register review held — decisions documented
  • [ ] Exposure backlog triaged — criticals assigned, highs prioritized
  • [ ] Exception process tested — at least one exception created or the register confirmed empty with rationale
  • [ ] Vendor list compiled — high-risk vendors flagged for assessment

Engineering

  • [ ] Architecture review process tested — at least one project went through intake
  • [ ] Pre-production review conducted for any new systems or major changes
  • [ ] Control baseline snapshot completed — honest status for spine controls
  • [ ] Asset inventory initiated — 80% coverage target set

Operations

  • [ ] First monthly report produced (can be a simple email, not a deck)
  • [ ] Improvement backlog created with at least 5 items
  • [ ] Team trained on their consolidated roles and handoffs
  • [ ] Cross-training plan initiated — each person identified one skill to develop outside their primary pillar

If You Cannot Answer Yes

  • Do not declare CERG adopted. You are in the planning phase.
  • Do not add more documents. Fix the gaps in the spine first.
  • Do not skip the risk register review. It is the heartbeat of the program.
  • Do not pretend “Partially Implemented” means “Implemented.” Honest gaps are better than false claims.

7. Manual Fallback Schemas

If you do not have a GRC platform, ticketing system, or evidence management tool, use spreadsheets. These schemas define the minimum columns for each record type. Add columns as needed — do not remove the ones listed.

Risk Register Spreadsheet

Column Example Notes
Risk ID RISK-2026-001 Use the format RISK-YYYY-NNN
Risk Statement Unpatched internet-facing systems… FAIR-aligned: threat actor, action, asset, effect, impact
Inherent Likelihood 4 1-5 scale per RMF-001
Inherent Impact 4 1-5 scale per RMF-001
Inherent Score 16 Likelihood × Impact
Residual Likelihood 2 After treatment
Residual Impact 3 After treatment
Residual Score 6 Residual Likelihood × Impact
Severity Medium Per RMF-001 §9.5 bands
Treatment Strategy Mitigate Avoid / Mitigate / Transfer / Accept
Treatment Plan Implement WAF by Q3 Specific, actionable
Business Owner Jane Smith Must be outside security
Risk Owner (Security) Alex Chen Security point of contact
Date Identified 2026-06-15
Treatment Due 2026-09-15
Status In Treatment New / In Treatment / Accepted / Closed
Last Reviewed 2026-07-01
Next Review 2026-08-01

Exception Register Spreadsheet

Column Example Notes
Exception ID EXC-2026-001 Format EXC-YYYY-NNN
Control ID AC-2 From CB-001
Requirement Quarterly access review for all systems What is not being met
Affected Assets ExampleApp, ExampleDB
Business Justification Access review tool not yet deployed Why the exception is needed
Compensating Controls Manual review of privileged accounts monthly What is in place instead
Residual Risk Medium
Business Owner Jane Smith
Approver CISO
Approval Date 2026-06-15
Expiration Date 2026-09-15
Monitoring Cadence Monthly
Status Active Active / Expired / Closed

Evidence Index Spreadsheet

Column Example Notes
Evidence ID EVD-2026-001 Format EVD-YYYY-NNN
Control ID AC-2 From CB-001
Control Name Account Management
Evidence Description JML log export for June 2026 What the evidence shows
Evidence Tier E2 E1/E2/E3 per FLOW-001 §17
Source System Azure AD / HRIS feed Where the evidence came from
Generated Date 2026-06-30 When the evidence was produced
Collected Date 2026-07-01 When it was added to the library
Collection Method Automated export How it was obtained
Period Covered June 2026 What time period the evidence covers
Stored At /evidence/02-access/jml-2026-06.csv File path or URL
Retention 3 years
Expiration/Freshness Refresh monthly When this evidence becomes stale
Quality Status Accepted Pending / Accepted / Rejected / Stale
Reviewed By Governance Lead

Exposure Backlog Spreadsheet

Column Example Notes
Finding ID FIND-2026-001 Format FIND-YYYY-NNN
CVE / ID CVE-2026-12345
CVSS Score 9.8
KEV Listed? No Check CISA KEV catalog
Severity Critical Critical / High / Medium / Low
Asset ExampleApp (public-facing)
Asset Tier Tier 1 Per criticality model
Exploitability Network-exploitable, no auth required
Discovered Date 2026-06-15
Triage Date 2026-06-15
Triage SLA Met? Yes
Assigned To Alex Chen
Treatment Patch to version 2.4.1
Due Date 2026-06-17 Critical = 48 hours
Closure Date
Validation Method Authenticated re-scan
Validated By
SLA Met?
Status In Remediation

Asset Inventory Spreadsheet

Column Example Notes
Asset ID AST-001
Asset Name ExampleApp
Asset Type SaaS Application
Asset Class Persistent Persistent / Dynamic / Ephemeral
Environment Production
Business Owner Jane Smith
Technical Owner Engineering Lead
Data Classification Internal
Regulatory Scope SOX
Criticality High
Internet-Exposed? Yes
Scan Coverage Yes — Tenable scan configured
Logging Source Yes — Splunk integration
Backup Required? Yes — vendor-managed
Access Review Required? Yes — quarterly
Status Fully Covered

Vendor Inventory Spreadsheet

Column Example Notes
Vendor ID VEN-001
Vendor Name ExampleVendor Inc.
Service Provided Cloud hosting
Data Accessed Customer PII
Data Classification Confidential
Criticality High
Risk Rating Medium
SOC 2 Available? Yes — expires 2026-09
Contractual Security Requirements MFA, encryption, incident notification 24h
Last Assessment Date 2026-03-15
Next Assessment Due 2026-09-15
Business Owner Jane Smith
Status Active

Decision Log Spreadsheet

Column Example Notes
Decision ID DEC-2026-001
Date 2026-06-15
Decision Defer ISO 27001 package One sentence
Rationale Not pursuing ISO certification
Alternatives Considered Adopt anyway — rejected
Risk Created Future ISO pursuit requires backfill
Documents Affected CAT-001, IMP-001
Approver CISO
Review Date 2027-06-15

8. Minimum Viable Evidence Library

Create this folder structure in your shared drive, document management system, or evidence repository. You do not need a GRC platform to start.

/evidence/
├── 00-program-governance/
│   ├── policy-approvals/
│   ├── org-profile/
│   └── decision-log/
├── 01-risk-register/
│   ├── risk-register-current.xlsx
│   ├── risk-acceptances/
│   └── exception-register-current.xlsx
├── 02-access-management/
│   ├── access-reviews/
│   ├── jml-evidence/
│   ├── privileged-access-reviews/
│   └── mfa-configuration/
├── 03-vulnerability-management/
│   ├── scan-reports/
│   ├── remediation-evidence/
│   └── exception-records/
├── 04-change-management/
│   ├── change-records/
│   └── security-impact-analyses/
├── 05-asset-inventory/
│   ├── asset-inventory-current.xlsx
│   └── network-diagrams/
├── 06-logging-monitoring/
│   ├── log-source-inventory.xlsx
│   └── detection-rule-evidence/
├── 07-backup-recovery/
│   ├── backup-configurations/
│   └── restore-test-results/
├── 08-vendor-risk/
│   ├── vendor-inventory-current.xlsx
│   └── vendor-assessments/
├── 09-incident-response/
│   ├── incident-records/
│   └── lessons-learned/
├── 10-regulatory/
│   ├── sox-evidence/        (if applicable)
│   ├── cmmc-evidence/       (if applicable)
│   └── cip-evidence/        (if applicable)
├── 11-audit/
│   └── audit-evidence-packages/
├── 12-board-reporting/
│   └── monthly-reports/
└── README.md                (explain what is stored where)

Rules for the evidence library:

  • Every file in the library has an owner and a retention period.
  • Evidence freshness is checked at the monthly review. Stale evidence is flagged.
  • The evidence index spreadsheet (§7) maps every file to a control.
  • Start with the folders you have evidence for. Empty folders remind you what is missing.
  • If you have a GRC platform, migrate the spreadsheets into it when you outgrow manual management. The structure stays the same — the tool changes.

9. Document Control

Field Value
Document ID CERG-GOV-IMP-003
Version 1.02
Status Approved
Effective Date 2026-06-14
Classification Public
Owner Governance Pillar Leader
Approved By CISO
Parent Policy CERG-POL-001 - Cybersecurity Policy
Review Cycle Annual
Next Scheduled Review 2027-06-11
Frameworks NIST CSF 2.0
Regulations Cross-cutting
Environments Small-team CERG adopters (≤8 people)

Revision History

Version Date Author Change Summary
1.02 2026-06-18 Governance Pillar Leader Added authority guardrail requiring independent Business Owner or Executive Sponsor acknowledgement for accepted residual risk in small-team role consolidations.
1.01 2026-06-14 Governance Pillar Leader Aligned the CERG Lite package to the eight-document MVC and separated adoption aids from immediate requirements.
1.0 2026-06-11 Governance Pillar Leader Initial release. CERG Lite package, reduced operating rhythm for 5-person teams, role consolidation map, first 10 records, first month criteria, spreadsheet schemas for 7 record types, minimum viable evidence library structure.

Review Triggers

  • Feedback from small-team adopters
  • Change to the canonical role roster
  • Change to the control baseline
  • Direction from the CISO
Document ID Relationship
Cybersecurity Policy CERG-POL-001 Parent policy
Implementation and Adaptation Guide CERG-GOV-IMP-001 How to adapt CERG
Adoption Safety Guide CERG-GOV-IMP-002 Prerequisites and safety rules
Operating Model CERG-GOV-OM-001 Canonical roles and scaling map
Risk Management Framework CERG-GOV-RMF-001 Risk scoring and treatment
Cross-Pillar Operational Flows CERG-GOV-FLOW-001 Evidence tiers and automation

Source: governance/CERG-GOV-IMP-003_Small_Team_Adoption_Path.md · Download .md · View on GitHub