# Beginner Guide to Using CERG

This guide is for people who are not GitHub users, do not write code, or just want to use CERG without learning developer workflows first.

## 1. What CERG is

CERG is a cybersecurity operating model. It gives you reusable documents and workflows for running a security program: policy, standards, procedures, records, roles, and evidence.

Do not approve everything on day one. Start small, assign owners, produce records from real work, and expand only when the operating loop is working.

## 2. What this repository is

A GitHub repository is a shared folder with version history. In CERG, most files are Markdown documents. Markdown is plain text with simple formatting.

You can use CERG in three ways:

| Method | Best for |
|---|---|
| Download ZIP | Beginners who just want the files |
| Fork repository | Teams that want their own editable copy with history |
| Agent-assisted adoption | Teams using an AI assistant to guide setup |

## 3. Fastest no-code start

1. Open the GitHub repository in a browser.
2. Select **Code**.
3. Select **Download ZIP**.
4. Unzip the folder on your computer.
5. Open `START-HERE.md`.
6. If you are a small team, open `adoption-packs/cerg-lite/README.md` next.

You can copy Markdown text into Word, Google Docs, Notion, Confluence, or a GRC tool. Keep the CERG document identifiers unless you intentionally create your own local numbering system.

## 4. What to read first

Read only these at the beginning:

1. [START-HERE.md](START-HERE.md)
2. [CERG Lite adoption pack](adoption-packs/cerg-lite/README.md)
3. [Cybersecurity Policy](governance/CERG-POL-001_Cybersecurity_Policy.md)
4. [CERG Framework](governance/CERG-GOV-FRM-001_CERG_Framework.md)
5. [Organization Adaptation Profile](governance/CERG-GOV-VAR-001_Organization_Adaptation_Profile.md)
6. [Risk Register Templates](templates/CERG-TMPL-RM-001_Risk_Register_Templates_and_Reporting.md)

Do not start with the full document catalog unless you are already comfortable navigating large frameworks.

## 5. First records to create

CERG becomes real when it creates records. In the first week, aim for these:

- Named security owner
- Executive sponsor or business approver
- Initial scope statement
- First risk register entry
- First exposure or vulnerability backlog entry
- First exception or decision log entry, if a risk cannot be fixed immediately

## 6. Using an AI assistant safely

If you are using an AI assistant, start with [ADOPT-WITH-AN-AGENT.md](ADOPT-WITH-AN-AGENT.md).

Give the agent small tasks. Good examples:

- "Help me choose CERG Lite, Standard, or Regulated."
- "Ask me the questions needed to complete the Organization Adaptation Profile."
- "Create a first 30-day checklist from the CERG Lite adoption pack."
- "Summarize which documents I can defer and why."

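Avoid unsafe prompts. These ask the agent to approve, delete, or claim compliance on your behalf without review or evidence: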

- "Make us compliant."
- "Approve all documents."
- "Delete sections that look complicated."
- "Claim CMMC/NERC/SOX readiness without evidence."

## 7. When to fork instead of download

Download ZIP if you are exploring.

Fork the repository if you want to:

- Track changes over time.
- Review edits before approval.
- Run validation checks.
- Keep your local CERG program synchronized with upstream improvements.

If GitHub is unfamiliar, start with ZIP, learn the shape of the program, then fork later.

## 8. What not to change first

Do not begin by editing every standard. Start by tailoring:

1. Organization name and scope.
2. Owners and approvers.
3. Review cadence.
4. Risk thresholds and acceptance authority.
5. Record locations.

Keep the core operating model intact until you understand the dependencies.

## 9. Getting help

Open a GitHub issue or discussion if you find broken links, confusing adoption guidance, unclear document dependencies, or missing beginner examples.
