## ROLE-BASED IMPLEMENTATION CHECKLISTS
### First 48 Hours · First 30 Days · First 90 Days

---

| | |
|---|---|
| **Document ID** | CERG-GOV-IMP-006 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Parent Policy** | [CERG-POL-001](CERG-POL-001_Cybersecurity_Policy.md) - Cybersecurity Policy |
| **Review Cycle** | Quarterly / Upon adoption path or role model change |
| **Frameworks** | NIST CSF 2.0 (GOVERN) |
| **Regulations** | Cross-cutting |
| **Environments** | All CERG adoption paths |

---

## Table of Contents

1. [Purpose and Scope](#1-purpose-and-scope)
2. [How to Use These Checklists](#2-how-to-use-these-checklists)
3. [CISO or Security Lead Checklist](#3-ciso-or-security-lead-checklist)
4. [Governance Lead Checklist](#4-governance-lead-checklist)
5. [Risk Lead Checklist](#5-risk-lead-checklist)
6. [Engineering Lead Checklist](#6-engineering-lead-checklist)
7. [Small-Team Consolidated Checklist](#7-small-team-consolidated-checklist)
8. [First 90-Day Completion Criteria](#8-first-90-day-completion-criteria)
9. [Document Control](#9-document-control)

---

## 1. Purpose and Scope

CERG adoption fails when everyone agrees with the framework but no one knows what to do next. This document converts the adoption model into role-based action.

It is designed for first adoption, restart, or rescue of a stalled implementation. It does not replace the Implementation Guide. It gives each accountable role a concrete checklist.

---

## 2. How to Use These Checklists

1. Pick an adoption path using [IMP-005](CERG-GOV-IMP-005_Adoption_Decision_Tree_and_Dependency_Matrix.md).
2. Complete the Organization Adaptation Profile in [VAR-001](CERG-GOV-VAR-001_Organization_Adaptation_Profile.md).
3. Assign people to the roles below. One person may hold multiple roles in CERG Lite.
4. Create the first records listed in [CAT-002](CERG-GOV-CAT-002_Record_Catalog.md).
5. Review checklist status weekly for the first 30 days.
6. Move incomplete items into the Program Improvement Register after day 30.

Completion means there is an artifact, record, decision, or evidence link. A verbal agreement is not complete.

---

## 3. CISO or Security Lead Checklist

### 3.1 First 48 hours

| Done | Action | Output |
|---|---|---|
| [ ] | Name the Executive Sponsor. | Executive Sponsor recorded in Role Assignment Map. |
| [ ] | Confirm the organization is ready to adopt CERG. | Readiness answers documented using IMP-005 §2.1. |
| [ ] | Select adoption path: Lite, Standard, or Regulated overlay. | Path decision recorded. |
| [ ] | Approve initial in-scope business units, systems, and regulators. | Organization Adaptation Profile started. |
| [ ] | Assign interim owners for Engineering, Risk, and Governance. | Role Assignment Map created. |
| [ ] | Approve use of a temporary evidence store if no GRC platform exists. | Evidence storage decision recorded. |

### 3.2 First 30 days

| Done | Action | Output |
|---|---|---|
| [ ] | Sign or route the Cybersecurity Policy for approval. | Approved policy or approval workflow record. |
| [ ] | Approve the first 10 risks. | Initial risk register reviewed. |
| [ ] | Approve risk appetite defaults or schedule calibration. | Risk appetite decision or meeting scheduled. |
| [ ] | Establish Cyber Oversight Group or equivalent. | Meeting cadence and membership recorded. |
| [ ] | Review first exposure backlog. | Backlog triage decision record. |
| [ ] | Confirm exception and risk acceptance authority. | Authority map recorded. |
| [ ] | Approve 30-day improvement backlog. | Program Improvement Register seeded. |

### 3.3 First 90 days

| Done | Action | Output |
|---|---|---|
| [ ] | Review first metrics dashboard. | CISO dashboard record. |
| [ ] | Review control implementation snapshot. | Control baseline status reviewed. |
| [ ] | Approve Standard or Regulated expansion if needed. | Adoption expansion decision. |
| [ ] | Review open high risks and expired exceptions. | Oversight decision record. |
| [ ] | Sponsor resourcing decisions from observed workload. | Budget, staffing, or deferral decision. |

---

## 4. Governance Lead Checklist

### 4.1 First 48 hours

| Done | Action | Output |
|---|---|---|
| [ ] | Create or update the Document Catalog. | Local catalog entry set. |
| [ ] | Create the Evidence Index. | Evidence index record. |
| [ ] | Create the Role Assignment Map. | Named accountable roles. |
| [ ] | Start the Organization Adaptation Profile. | Draft profile with scope and regulators. |
| [ ] | Identify which regulatory packages are applicable. | Regulatory applicability decision. |

### 4.2 First 30 days

| Done | Action | Output |
|---|---|---|
| [ ] | Label adopted artifacts as Required-Core, Conditional, Recommended, Example, Deferred, or Not Applicable. | Local catalog labels. |
| [ ] | Establish evidence quality expectations. | Evidence Quality Standard adopted or tailored. |
| [ ] | Create the initial control implementation snapshot. | Control implementation records. |
| [ ] | Set the annual governance calendar. | Calendar record. |
| [ ] | Define where policies, standards, procedures, and evidence live. | Repository or document library decision. |
| [ ] | Prepare first CISO metrics view. | Dashboard draft. |
| [ ] | Create the Program Improvement Register. | Active improvement register. |

### 4.3 First 90 days

| Done | Action | Output |
|---|---|---|
| [ ] | Run first evidence quality review. | Evidence quality findings or acceptance. |
| [ ] | Complete first maturity self-assessment checkpoint. | Maturity record and gaps. |
| [ ] | Map core controls to procedures and evidence. | Traceability matrix or control records updated. |
| [ ] | Prepare first oversight package. | Cyber Oversight Group (COG) or board-ready brief. |
| [ ] | Update documents based on adoption lessons. | Approved document changes or improvement items. |

---

## 5. Risk Lead Checklist

### 5.1 First 48 hours

| Done | Action | Output |
|---|---|---|
| [ ] | Create the risk register. | Risk register with required fields. |
| [ ] | Create the exception register. | Empty or active exception register. |
| [ ] | Define severity and risk scoring approach. | Scoring basis recorded. |
| [ ] | Seed initial top risks. | Initial top 10 risk records. |
| [ ] | Identify current vulnerability sources. | Scanner, audit, EDR, cloud, or manual source list. |

### 5.2 First 30 days

| Done | Action | Output |
|---|---|---|
| [ ] | Run or ingest first exposure scan cycle. | Exposure backlog. |
| [ ] | Triage vulnerabilities against asset criticality and reachability. | Validated finding records. |
| [ ] | Route remediation to Engineering. | Assigned remediation records. |
| [ ] | Establish exception workflow. | Exception intake and approval path. |
| [ ] | Identify high-risk vendors or SaaS platforms. | Initial vendor tiering list. |
| [ ] | Identify crown jewels or critical services. | Draft crown jewel entries. |
| [ ] | Define threat intelligence sources. | TI source list and review cadence. |

### 5.3 First 90 days

| Done | Action | Output |
|---|---|---|
| [ ] | Verify closure evidence for remediated findings. | Verified closure records. |
| [ ] | Escalate overdue high-risk findings. | Escalation record. |
| [ ] | Complete first vendor risk assessment for highest-risk vendor. | Vendor assessment record. |
| [ ] | Create first threat-informed detection or validation priority. | TI-to-detection action. |
| [ ] | Review accepted risks and expiring exceptions with CISO. | Oversight decision record. |
| [ ] | Feed recurring failure patterns into improvement register. | Program improvement items. |

---

## 6. Engineering Lead Checklist

### 6.1 First 48 hours

| Done | Action | Output |
|---|---|---|
| [ ] | Identify authoritative asset inventory source. | Asset source decision. |
| [ ] | Identify highest-risk systems and owners. | Critical asset owner list. |
| [ ] | Identify identity provider and privileged access owners. | Identity ownership record. |
| [ ] | Identify logging, endpoint, backup, and exposure-management tooling. | Coverage source list. |
| [ ] | Name intake path for new projects and changes. | Project intake path recorded. |

### 6.2 First 30 days

| Done | Action | Output |
|---|---|---|
| [ ] | Produce asset inventory extract. | Asset inventory record set. |
| [ ] | Create asset coverage snapshot for critical systems. | Coverage records for scan, log, backup, endpoint, identity. |
| [ ] | Define first secure configuration baseline scope. | Baseline scope record. |
| [ ] | Start remediation work for validated high findings. | Remediation records. |
| [ ] | Establish architecture review intake for new work. | Intake form or queue. |
| [ ] | Identify privileged groups and service accounts for first review. | Access review scope. |
| [ ] | Produce backup/restore evidence for one critical system. | Recovery test or restore evidence. |

### 6.3 First 90 days

| Done | Action | Output |
|---|---|---|
| [ ] | Complete first privileged access review. | Access review record. |
| [ ] | Complete first baseline drift check or configuration review. | Baseline evidence. |
| [ ] | Complete architecture review for at least one active project. | Project security review record. |
| [ ] | Validate logging coverage for critical systems. | Detection or logging coverage record. |
| [ ] | Close, or record an approved exception for, the top remediation items. | Closure evidence or exception records. |
| [ ] | Document engineering constraints blocking risk reduction. | Oversight or improvement record. |

---

## 7. Small-Team Consolidated Checklist

For CERG Lite, one person may act as Security Lead, Governance Lead, Risk Lead, and Engineering Lead. Do not try to do every checklist item at once. Use this order.

### Week 1

1. Confirm executive sponsor.
2. Select CERG Lite.
3. Complete Organization Adaptation Profile.
4. Create Role Assignment Map.
5. Create risk register.
6. Create evidence index.
7. Export asset inventory.
8. Seed initial top 10 risks.
9. Create exposure backlog.
10. Record regulatory applicability decision.

### Weeks 2 to 4

1. Run exposure triage.
2. Assign remediation owners.
3. Start exception register.
4. Identify critical systems.
5. Capture first access review evidence for privileged groups.
6. Capture first backup or restore evidence for a critical system.
7. Adopt the minimum document set in the local catalog.
8. Prepare first simple metrics view.
9. Create 30-day improvement backlog.
10. Review status with executive sponsor.

### Days 31 to 90

1. Add architecture intake.
2. Add vendor tiering for top vendors.
3. Add core standards based on actual scope.
4. Create control implementation snapshot.
5. Run first maturity checkpoint.
6. Hold first Cyber Oversight Group or equivalent meeting.
7. Move unresolved adoption gaps into the Program Improvement Register.

---

## 8. First 90-Day Completion Criteria

A first adoption is complete enough to operate when the organization can answer yes to these questions:

| Area | Question |
|---|---|
| Governance | Is there a signed policy or active approval record? |
| Governance | Is the adopted document set known and labeled? |
| Governance | Does an evidence index exist? |
| Governance | Is there an owner for every CERG pillar or consolidated role? |
| Risk | Does the risk register contain current risks with owners and treatment? |
| Risk | Are exceptions documented with expiration and approval? |
| Risk | Are vulnerability findings triaged and assigned? |
| Engineering | Is there an asset inventory extract with owners? |
| Engineering | Are critical systems covered for at least vulnerability, identity, logging, and backup decisions? |
| Engineering | Is there a project or change intake path for security review? |
| Oversight | Has the CISO or sponsor reviewed metrics, risks, and blockers? |
| Improvement | Are unresolved gaps tracked as improvement work? |

If any answer is no after 90 days, create a Program Improvement Record and assign an owner.

---

## 9. Document Control

| | |
|---|---|
| **Document ID** | CERG-GOV-IMP-006 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Approved By** | CISO |
| **Owner** | Governance Pillar Leader |
| **Next Review** | Quarterly / Upon adoption path or role model change |

### Revision History

| **Version** | **Date** | **Author** | **Change** |
|---|---|---|---|
| 1.0 | 2026-06-13 | Governance Pillar Leader | Initial publication. Adds role-based implementation checklists for CISO, Governance, Risk, Engineering, and small-team consolidated adoption. |

### Review Triggers

- Change to adoption paths.
- Change to canonical roles or role consolidation model.
- Feedback from first-time adopters.
- New minimum record or evidence requirement.
- Material change to the first 90-day rollout model.

### Related Documents

- [START-HERE](../START-HERE.md) - First 48 hours guide
- [CERG-GOV-IMP-001](CERG-GOV-IMP-001_Implementation_and_Adaptation_Guide.md) - Implementation and Adaptation Guide
- [CERG-GOV-IMP-003](CERG-GOV-IMP-003_Small_Team_Adoption_Path.md) - Small Team Adoption Path
- [CERG-GOV-IMP-005](CERG-GOV-IMP-005_Adoption_Decision_Tree_and_Dependency_Matrix.md) - Adoption Decision Tree and Dependency Matrix
- [CERG-GOV-CAT-002](CERG-GOV-CAT-002_Record_Catalog.md) - Record Catalog
- [CERG-GOV-RAC-001](CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) - RACI Instrument
