## BOARD AND CISO REPORTING DECK TEMPLATE
### Executive Narrative · Risk Posture · Metrics · Decisions · Action Tracking

---

| | |
|---|---|
| **Document ID** | CERG-TMPL-MTR-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Parent Document** | [`CERG-GOV-MTR-001`](../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) - Metrics Dashboard and Reporting |
| **Supporting Documents** | [`CERG-GOV-MAT-001`](../governance/CERG-GOV-MAT-001_Maturity_Self_Assessment_and_Scorecard.md) · [`CERG-PRC-RM-001`](../procedures/CERG-PRC-RM-001_Risk_Register_and_Exception_Process.md) · [`CERG-GOV-RAC-001`](../governance/CERG-GOV-RAC-001_Consolidated_Roles_and_RACI_Instrument.md) |
| **Review Cycle** | Annual; and on process or control change |
| **Frameworks** | NIST CSF 2.0 GOVERN · NIST 800-55 · ISO/IEC 27001 Clause 9 |
| **Regulations** | Cross-cutting; board, executive, audit, and customer assurance reporting |
| **Environments** | All in-scope CERG environments where this template is used |

---

## Table of Contents

1. [Purpose and Use](#1-purpose-and-use)
2. [Template Instructions](#2-template-instructions)
3. [Fill-In Template](#3-fill-in-template)
4. [Review and Approval](#4-review-and-approval)
5. [Document Control](#5-document-control)

---

## 1. Purpose and Use

This template structures recurring CISO and board reporting. It converts control and risk data into an executive narrative: what changed, what matters, what decisions are needed, and whether the program is improving.

> **Executives Need Decisions, Not Dashboard Exhaust**
>
> A board deck is not a dump of every metric the program can produce. It should show risk movement, material decisions, exceptions, investments, incidents, readiness gaps, and whether leadership action is needed.

---

## 2. Template Instructions

1. Copy this template before use.
2. Replace every bracketed field with case-specific information.
3. Do not delete fields that appear not applicable. Mark them `Not Applicable` and explain why.
4. Use canonical CERG role names from `CERG-GOV-OM-001`.
5. Link risks, findings, exceptions, evidence, and approvals to the system of record.
6. Store the completed artifact in the evidence library governed by `CERG-PRC-AUD-001`.

---

## 3. Fill-In Template

### 3.1 Deck Outline

| **Slide** | **Title** | **Purpose** |
|---|---|---|
| 1 | Executive Summary | One-page answer: better, worse, or stable, and why. |
| 2 | Material Risk Changes | High and Critical risks added, closed, accepted, or escalated. |
| 3 | Scenario Defense Posture | For each named crown-jewel loss scenario (`CERG-GOV-CJ-001`), red/amber/green on whether the kill chain is fully broken (sourced from RM-007). Top-down companion to the bottom-up top risks. |
| 4 | Control Posture | Maturity, control gaps, and major remediation themes. |
| 5 | Incident and Resilience Update | Material incidents, exercises, recovery gaps, and lessons. |
| 6 | Regulatory and Audit Readiness | SOX, CMMC, CIP, ISO, privacy, customer assurance. |
| 7 | Third-Party and Supply Chain Risk | Critical vendors, open findings, concentration risk. |
| 8 | Metrics Dashboard | Small set of trend metrics from `CERG-GOV-MTR-001`. |
| 9 | Decisions Needed | Risk acceptances, funding, staffing, scope, policy decisions. |
| 10 | Action Tracker | Open executive actions and due dates. |

### 3.2 Executive Summary Slide

| **Question** | **Answer** |
|---|---|
| Overall posture | `[Improving / stable / worsening]` |
| Top change since last report | `[Change]` |
| Most important risk | `[Risk]` |
| Decision needed | `[Decision]` |
| CISO recommendation | `[Recommendation]` |

### 3.3 Decision Log

| **Decision Needed** | **Recommendation** | **Owner** | **Due Date** | **Consequence of Delay** |
|---|---|---|---|---|
| `[Decision]` | `[Recommendation]` | `[Owner]` | `[Date]` | `[Consequence]` |

---

## 4. Review and Approval

| **Reviewer / Approver** | **Review Meaning** | **Name / Date** |
|---|---|---|
| Governance Pillar Leader | Confirms report completeness and narrative quality. | `[Name / Date]` |
| Risk Pillar Leader | Confirms risk posture and risk acceptance content. | `[Name / Date]` |
| Engineering Pillar Leader | Confirms technical control and resilience content. | `[Name / Date]` |
| Chief Information Security Officer (CISO) | Approves final executive message. | `[Name / Date]` |

Completed templates are reviewed at the cadence defined by their parent procedure or plan. Material changes require a new review.

---

## 5. Document Control

| Field | Value |
|---|---|
| **Document ID** | CERG-TMPL-MTR-001 |
| **Version** | 1.0 |
| **Status** | Approved |
| **Effective Date** | 2026-05-22 |
| **Classification** | Public |
| **Owner** | Governance Pillar Leader |
| **Approved By** | CISO |
| **Parent Document** | [`CERG-GOV-MTR-001`](../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) - Metrics Dashboard and Reporting |
| **Review Cycle** | Annual; and on process or control change |
| **Next Scheduled Review** | 2027-05-22 |
| **Frameworks** | NIST CSF 2.0 GOVERN · NIST 800-55 · ISO/IEC 27001 Clause 9 |
| **Regulations** | Cross-cutting; board, executive, audit, and customer assurance reporting |
| **Environments** | All in-scope CERG environments where this template is used |

### Revision History

| **Version** | **Date** | **Author** | **Change Summary** |
|---|---|---|---|
| 1.0 Draft | 2026-05-22 | Cyber Governance | Initial release. Establishes a standalone fill-in template for the board and CISO reporting deck. |

### Review Triggers

- Parent procedure or plan change
- Audit, assessment, or tabletop finding related to this template
- Role or approval model change
- Direction from the CISO

### Related Documents

| **Document** | **ID** | **Relationship** |
|---|---|---|
| Metrics Dashboard and Reporting | [`CERG-GOV-MTR-001`](../governance/CERG-GOV-MTR-001_Metrics_Dashboard_and_Reporting.md) | Governing metric source |
| Maturity Self-Assessment and Scorecard | [`CERG-GOV-MAT-001`](../governance/CERG-GOV-MAT-001_Maturity_Self_Assessment_and_Scorecard.md) | Maturity reporting input |
