BOARD AND CISO REPORTING DECK TEMPLATE
Executive Narrative · Risk Posture · Metrics · Decisions · Action Tracking
| Field | Value |
|---|---|
| Document ID | CERG-TMPL-MTR-001 |
| Version | 1.0 |
| Status | Approved |
| Classification | Public |
| Owner | Governance Pillar Leader |
| Parent Document | CERG-GOV-MTR-001 - Metrics Dashboard and Reporting |
| Supporting Documents | CERG-GOV-MAT-001 · CERG-PRC-RM-001 · CERG-GOV-RAC-001 |
| Review Cycle | Annual / On process or control change |
| Frameworks | NIST CSF 2.0 GOVERN · NIST 800-55 · ISO/IEC 27001 Clause 9 |
| Regulations | Cross-cutting; board, executive, audit, and customer assurance reporting |
| Environments | All in-scope CERG environments where this template is used |
1. Purpose and Use
This template structures recurring CISO and board reporting. It converts control and risk data into an executive narrative: what changed, what matters, what decisions are needed, and whether the program is improving.
Executives Need Decisions, Not Dashboard Exhaust
A board deck is not a dump of every metric the program can produce. It should show risk movement, material decisions, exceptions, investments, incidents, readiness gaps, and whether leadership action is needed.
2. Template Instructions
- Copy this template before use.
- Replace every bracketed field with case-specific information.
- Do not delete fields that appear not applicable. Mark them Not Applicable and explain why.
- Use canonical CERG role names from CERG-GOV-OM-001.
- Link risks, findings, exceptions, evidence, and approvals to the system of record.
- Store the completed artifact in the evidence library governed by CERG-PRC-AUD-001.
3. Fill-In Template
3.1 Deck Outline
| Slide | Title | Purpose |
|---|---|---|
| 1 | Executive Summary | One-page answer: better, worse, or stable, and why. |
| 2 | Material Risk Changes | High and Critical risks added, closed, accepted, or escalated. |
| 3 | Scenario Defense Posture | For each named crown-jewel loss scenario (CERG-GOV-CJ-001), red/amber/green on whether the kill chain is fully broken (sourced from RM-007). Top-down companion to the bottom-up top risks. |
| 4 | Control Posture | Maturity, control gaps, and major remediation themes. |
| 5 | Incident and Resilience Update | Material incidents, exercises, recovery gaps, and lessons. |
| 6 | Regulatory and Audit Readiness | SOX, CMMC, CIP, ISO, privacy, customer assurance. |
| 7 | Third-Party and Supply Chain Risk | Critical vendors, open findings, concentration risk. |
| 8 | Metrics Dashboard | Small set of trend metrics from CERG-GOV-MTR-001. |
| 9 | Decisions Needed | Risk acceptances, funding, staffing, scope, policy decisions. |
| 10 | Action Tracker | Open executive actions and due dates. |
3.2 Executive Summary Slide
| Question | Answer |
|---|---|
| Overall posture | [Improving / stable / worsening] |
| Top change since last report | [Change] |
| Most important risk | [Risk] |
| Decision needed | [Decision] |
| CISO recommendation | [Recommendation] |
3.3 Decision Log
| Decision Needed | Recommendation | Owner | Due Date | Consequence of Delay |
|---|---|---|---|---|
| [Decision] | [Recommendation] | [Owner] | [Date] | [Consequence] |
4. Review and Approval
| Reviewer / Approver | Review Meaning | Name / Date |
|---|---|---|
| Governance Pillar Leader | Confirms report completeness and narrative quality. | [Name / Date] |
| Risk Pillar Leader | Confirms risk posture and risk acceptance content. | [Name / Date] |
| Engineering Pillar Leader | Confirms technical control and resilience content. | [Name / Date] |
| Chief Information Security Officer (CISO) | Approves final executive message. | [Name / Date] |
Completed templates are reviewed at the cadence defined by their parent procedure or plan. Material changes require a new review.
5. Document Control
| Field | Value |
|---|---|
| Document ID | CERG-TMPL-MTR-001 |
| Version | 1.0 |
| Status | Approved |
| Effective Date | 2026-05-22 |
| Classification | Public |
| Owner | Governance Pillar Leader |
| Approved By | CISO |
| Parent Document | CERG-GOV-MTR-001 - Metrics Dashboard and Reporting |
| Review Cycle | Annual; and on process or control change |
| Next Scheduled Review | 2027-05-22 |
| Frameworks | NIST CSF 2.0 GOVERN · NIST 800-55 · ISO/IEC 27001 Clause 9 |
| Regulations | Cross-cutting; board, executive, audit, and customer assurance reporting |
| Environments | All in-scope CERG environments where this template is used |
Revision History
| Version | Date | Author | Change Summary |
|---|---|---|---|
| 1.0 Draft | 2026-05-22 | Cyber Governance | Initial release. Establishes a standalone fill-in template for the Board and CISO Reporting Deck Template. |
Review Triggers
- Parent procedure or plan change
- Audit, assessment, or tabletop finding related to this template
- Role or approval model change
- Direction from the CISO
Related Documents
| Document | ID | Relationship |
|---|---|---|
| Metrics Dashboard and Reporting | CERG-GOV-MTR-001 | Governing metric source |
| Maturity Self-Assessment and Scorecard | CERG-GOV-MAT-001 | Maturity reporting input |
Source: templates/CERG-TMPL-MTR-001_Board_and_CISO_Reporting_Deck_Template.md