ROLE READER PATHS

Sequenced Reading Orders for New CERG Roles · CISO, Risk Lead, Engineering Lead, Business Owner


| Field | Value |
|---|---|
| Document ID | CERG-GOV-IMP-007 |
| Version | 1.1 |
| Status | Approved |
| Classification | Public |
| Owner | Governance Pillar Leader (Policy & Standards) |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual / On adoption-architecture change |
| Frameworks | NIST CSF 2.0 (GOVERN: Organizational Context) |
| Regulations | Cross-cutting |
| Environments | All CERG adopters |

Table of Contents

  1. Purpose and Scope
  2. The Reader Path Format
  3. CISO Reader Path
  4. Risk Lead Reader Path
  5. Engineering Lead Reader Path
  6. Business Owner / System Sponsor Reader Path
  7. When to Skip the Path
  8. Document Control

1. Purpose and Scope

CERG is intentionally complete. That completeness can make the first hour difficult for a new reader. This document is the antidote.

Each section below is a sequenced reading order for a specific role. The order is chosen because each document in the sequence builds on the previous one. Total time for the CISO path is approximately 35 minutes. Total time for the Risk and Engineering paths is approximately 30 minutes each.

Use this document when:

  • A new CISO, Risk Lead, Engineering Lead, Business Owner, or System Sponsor joins a team that has adopted CERG.
  • An existing leader takes on a new CERG role or accountable business-owner role for the first time.
  • An executive sponsor wants to understand what the leader they hired will be reading.

This document does not replace the documents it points at. It tells the reader which document to open next and why.

2. The Reader Path Format

Each reader path follows the same format:

| Field | Meaning |
|---|---|
| Read time | Approximate minutes for the focused reader |
| Goal | What the reader should be able to do or say after finishing |
| Sequence | Documents in the order to read them, with a one-line reason before each |
| Skip if | Conditions under which a step can be omitted |
| After the path | What to do once the sequence is complete |

The reader path is a reading list, not an action list. For action items, see the role-based implementation checklists (CERG-GOV-IMP-006). For the adoption-mode selection that determines which reader path is relevant, see CERG-GOV-IMP-005.

3. CISO Reader Path

Read time: 35 minutes.

Goal: You can explain the CERG program to a board member in five minutes, name the three pillars and what each one owns, identify your adoption mode (Lite, Standard, Regulated), and produce your first quarterly oversight checklist.

Sequence:

| # | Document | Time | Why this comes next |
|---|---|---|---|
| 1 | README.md | 5 min | Establishes what CERG is and what it is not. The mission statement, the three pillars, and the link to START-HERE.md. |
| 2 | CERG-GOV-FRM-001 | 5 min | The narrative Framework. Explains the conceptual organization: principles, three pillars, operating layers, value driver maturity. |
| 3 | CERG-GOV-OM-001 §6 only | 5 min | Role consolidation for small teams. If you are CERG Lite, §6 tells you which canonical roles collapse onto which people. If you are Standard or Regulated, skim §6 to understand the consolidation logic and then move on. |
| 4 | CERG-GOV-FRM-002 | 5 min | The system map. Front door for the rest of the library. Use it as a navigation reference, not a cover-to-cover read. |
| 5 | CERG-GOV-IMP-005 | 5 min | The decision tree and dependency matrix. Pick your adoption mode (Lite, Standard, Regulated) and learn what must be adopted together. |
| 6 | CERG-GOV-IMP-006 §3 | 5 min | The CISO checklist at 48 hours, 30 days, and 90 days. This is your action list once the reading is done. |
| 7 | Day in the Life Story 10 | 5 min | A worked example: another new CISO's first 90 days. Read this last, when the framework is in your head, to see it all in motion. |

Skip if:

  • You have held a CISO role at a CERG-adopting organization before. Skip step 7 and read steps 1-6 only.
  • You are CERG Lite with fewer than 5 people. Spend the OM-001 time on the consolidation map (step 3) and the Small Team Adoption Path (CERG-GOV-IMP-003) instead of the Operating Model detail.

After the path:

  1. Run CERG-GOV-IMP-006 §3.1 (First 48 hours) immediately. The reader path is preparation, not a substitute.
  2. Schedule the first 30-day review (CERG-GOV-IMP-006 §3.2) before the 30th day.
  3. Bookmark CERG-GOV-FRM-002 for the duration of your tenure. It is the navigation reference.
  4. Add the Day in the Life stories to your onboarding checklist for future new hires on your team.

4. Risk Lead Reader Path

Read time: 30 minutes.

Goal: You can name the risk pillar’s scope (exposure management, threat intelligence, threat modeling, adversarial validation, vendor risk), describe the canonical cross-pillar flows, and triage a critical finding from intake to closure.

Sequence:

| # | Document | Time | Why this comes next |
|---|---|---|---|
| 1 | CERG-GOV-FRM-001 §3-4 | 5 min | Risk pillar scope within the framework narrative. |
| 2 | CERG-GOV-RMF-001 | 8 min | Risk taxonomy, scoring, treatment, acceptance, monitoring. The Risk pillar's parent governance instrument. |
| 3 | CERG-GOV-FLOW-001 F-04 | 5 min | The Finding to Remediation flow. The Risk pillar's most-used flow. Read the SLA and decision logic carefully. |
| 4 | CERG-PRC-VM-001 | 5 min | The Exposure Management Procedure. Your operating procedure for vulnerability and finding work. |
| 5 | CERG-PRC-TPRM-001 | 5 min | The TPRM Procedure. Your operating procedure for vendor risk. |
| 6 | Day in the Life Story 2 | 2 min | A critical vulnerability walked end to end through F-04. Read this last, when the framework is in your head, to see it all in motion. |

Skip if:

  • You have held a Risk Lead role at a CERG-adopting organization before. Skip step 6.

After the path:

  1. Open the risk register and the exposure backlog. Read both before the next weekly cadence.
  2. Run the biweekly vulnerability SLA review per CERG-GOV-IMP-003 §3.
  3. Bookmark CERG-GOV-FLOW-001 §2 (Operating Principles) for reference.

5. Engineering Lead Reader Path

Read time: 30 minutes.

Goal: You can name the engineering pillar’s scope (architecture review, asset coverage, configuration baseline, secure development, remediation), describe how a project goes through intake to disposition, and route a high-risk architecture review correctly.

Sequence:

| # | Document | Time | Why this comes next |
|---|---|---|---|
| 1 | CERG-GOV-FRM-001 §3-4 | 5 min | Engineering pillar scope within the framework narrative. |
| 2 | CERG-GOV-OM-001 §4-5 | 5 min | Engineering pillar ownership of the consulting model and architecture review. |
| 3 | CERG-GOV-FLOW-001 F-02 | 5 min | The Project Intake, Architecture Review, and Threat Modeling flow. The Engineering pillar's most-used flow. Read the tier routing carefully. |
| 4 | CERG-PRC-AR-001 | 5 min | The Architecture Review and Project Intake Procedure. Your operating procedure for project intake work. |
| 5 | CERG-STD-CFG-001 | 5 min | The Secure Configuration Baseline (DISH). Your default hardening reference for new systems. |
| 6 | Day in the Life Story 1 | 5 min | A new SaaS application walked through F-02 end to end. Read this last, when the framework is in your head, to see it all in motion. |

Skip if:

  • You have held an Engineering Lead role at a CERG-adopting organization before. Skip step 6.

After the path:

  1. Open the architecture review queue and the asset coverage report. Read both before the next weekly cadence.
  2. Run the weekly intake review per CERG-GOV-IMP-003 §3.
  3. Bookmark the standards catalog (CERG-GOV-CAT-001 §5.3) for the standards you are most likely to apply this quarter.

6. Business Owner / System Sponsor Reader Path

Read time: 25 minutes.

Goal: You can explain what CERG expects from a business owner or system sponsor: own the business objective, provide scope and priority, fund or accept treatment decisions, approve go-live for your system, and understand that Security/Risk recommends while the business owns residual consequence.

Sequence:

| # | Document | Time | Why this comes next |
|---|---|---|---|
| 1 | README.md | 4 min | Establishes what CERG is and what it is not. Business owners need the operating-model view, not the whole corpus. |
| 2 | CERG-GOV-FRM-002 §5 | 5 min | Shows where to go by user need: new system, risk decision, audit evidence, or exposure treatment. |
| 3 | CERG-GOV-FLOW-001 F-02 and F-04 | 6 min | Shows how project intake and finding remediation move across Engineering, Risk, Governance, and the business owner. |
| 4 | CERG-PRC-AR-001 §§2, 5, and 9 | 5 min | Names the sponsor responsibilities for intake, go-live, handoff, and production ownership. |
| 5 | CERG-GOV-RMF-001 §§9.5 and 9.7 | 3 min | Explains treatment recommendation versus business consequence acceptance. |
| 6 | CERG-TMPL-RM-004 | 2 min | Shows what a residual-risk decision looks like when a business owner is asked to accept consequence. |

Skip if:

  • You are only funding a one-time security project and do not own a system, business process, or residual risk decision. Read CERG-GOV-MTR-001 §3 instead.
  • You have already sponsored a CERG-governed system through intake, pre-production, and go-live. Use CERG-GOV-FRM-002 §5 as your quick reference.

After the path:

  1. Confirm the named Business Owner / System Sponsor for each system or project you own.
  2. For active projects, confirm whether CERG-TMPL-AR-001 has been submitted and whether Phase 4/5 records are required.
  3. For accepted risks, confirm the treatment owner, funding decision, expiration date, and next review date.

7. When to Skip the Path

Reader paths are for new readers. Skip them if:

  • You are the executive sponsor and do not own a system, project, or residual-risk decision. Read README.md, the Path selection section of START-HERE.md, and CERG-GOV-MTR-001 §3 (Board Reporting). Total time: 15 minutes.
  • You are a program-level contributor (auditor, consultant, advisor). Read README.md, CERG-GOV-FRM-002, and one Day in the Life story relevant to your engagement. Total time: 20 minutes.
  • You have already adopted CERG and run it for six months or more. Use CERG-GOV-CAT-001 §5 as your reference, not the reader path.

The reader paths are designed for the first hour of engagement. They are not a substitute for the operating rhythm that follows.

8. Document Control

| Field | Value |
|---|---|
| Document ID | CERG-GOV-IMP-007 |
| Version | 1.1 |
| Status | Approved |
| Effective Date | 2026-06-18 |
| Classification | Public |
| Owner | Governance Pillar Leader (Policy & Standards) |
| Approved By | CISO |
| Parent Policy | CERG-POL-001 - Cybersecurity Policy |
| Review Cycle | Annual / On adoption-architecture change |
| Next Scheduled Review | 2027-06-18 |
| Frameworks | NIST CSF 2.0 (GOVERN: Organizational Context) |
| Regulations | Cross-cutting |
| Environments | All CERG adopters |

Revision History

| Version | Date | Author | Change |
|---|---|---|---|
| 1.1 | 2026-06-18 | Governance Pillar Leader (Policy & Standards) | Added Business Owner / System Sponsor reader path focused on project sponsorship, go-live ownership, and residual-risk consequence decisions. |
| 1.0 | 2026-06-18 | Governance Pillar Leader (Policy & Standards) | Initial publication. Establishes sequenced reading orders for the CISO, Risk Lead, and Engineering Lead roles. Each path totals 30-35 minutes and points at the documents the new reader needs in the order each builds on the previous. |

Review Triggers

  • A change to the role consolidation map in CERG-GOV-OM-001.
  • A change to the canonical cross-pillar flows in CERG-GOV-FLOW-001.
  • A new role added to the workforce architecture in roles/ that warrants its own reader path.
  • A material change to adoption sequencing in CERG-GOV-IMP-001 or CERG-GOV-IMP-005.
  • User feedback indicating the path is too long, too short, missing a business-owner decision point, or in the wrong order.

Source: governance/CERG-GOV-IMP-007_Role_Reader_Paths.md