ISMS Home — Management Governance Dashboard
Confluence page header and placement
Page title: 00 · ISMS Home
Parent: ISMS Confluence Space root
SCM variant: The all-staff content (purpose, policies, incident reporting,
contacts) appears first with no SCM wrapper.
This dashboard content appears immediately below the all-staff
section, wrapped in the isms-management SCM macro:
{scroll-content:variant=isms-management}
[content below]
{scroll-content}
Visible to: isms-management · isms-security
NOT visible to: isms-all-staff · isms-it-staff
Dashboard owner: CISO
Updated: Quarterly (status indicators and commentary)
Monthly (metrics pulled from EV-F02)
Per event (governance actions queue)
Design intent
This dashboard is the first thing a Director, Operations Director, or HR Manager sees when they open the ISMS space. It answers in under five minutes: is the organisation's security posture currently acceptable; are the certifications we depend on commercially still current; is anything overdue that needs a management decision; and where do I go for more detail on any of these topics.
It is not a news feed and not a technical operations summary. Everything here is either a status that management must be aware of, a metric that management has approved a target for, or an action that only management can unblock. Everything else lives in the detail pages linked from each section.
The CISO updates the content each quarter as part of the quarterly management risk posture cycle, and immediately following any event that changes a status indicator or adds a governance action. The update timestamp at the top of the dashboard tells management whether what they are reading is current.
Dashboard header
╔══════════════════════════════════════════════════════════════════════════╗
║ ISMS GOVERNANCE DASHBOARD — MANAGEMENT VIEW ║
║ Last updated: [DATE] by [CISO name] ║
║ Next scheduled update: [DATE + 3 months] ║
║ Questions: [ciso@organisation.com] · [CISO direct line] ║
╚══════════════════════════════════════════════════════════════════════════╝
OVERALL POSTURE: [🟢 Stable and current / ⚠️ Action required on [N] items /
🔴 Management decision overdue — see Governance Actions]
CISO ONE-LINE SUMMARY:
[One sentence written fresh each quarter. Plain English. States what has
changed since the prior quarter and what management's attention is needed on.
Example: "All certifications are current; the C3PAO assessment preparation
is on track for [DATE]; one investment decision (EDR upgrade) remains open
and must be resolved by [DATE] to avoid a conditional CMMC certificate."]
Panel 1 — Compliance and certification status
Detailed view: [Compliance Status and Certification Roadmap]
CERTIFICATION STATUS — as of [DATE]
Certification              Status            Expires / Due           Action
──────────────────────────────────────────────────────────────────────────────
ISO 27001:2022             🟢 Current        [DATE]                  Surv. audit [DATE]
Cyber Essentials           🟢 Current        [DATE]                  Renewal due [DATE]
Cyber Essentials Plus      ⚠️ Renew soon     [DATE — N weeks]        CE+ technical [DATE]
CMMC L2 Self-assessment    ⚠️ Due [DATE]     Annual affirmation      Affirmation [DATE]
CMMC L2 C3PAO              🔴 Prep needed    Not yet obtained        Assessment [DATE]
NIST 800-171 SSP           🟢 Current        Living document         Annual review [DATE]
DEFSTAN [Ref 1]            🟢 Current        Contract end [DATE]     Ev. pack due [DATE]
DEFSTAN [Ref 2]            ⚠️ Gap open       Contract end [DATE]     Supplier assess. due
DFARS affirmation          🟢 Current        Annual — due [DATE]     —
UK GDPR / DPO              🟢 Current        Ongoing                 ROPA review [DATE]
──────────────────────────────────────────────────────────────────────────────
STATUS KEY:
🟢 Current No action required at management level
⚠️ Action Preparation or renewal in progress — awareness required
🔴 Decision Management decision required — see Panel 5 (Governance Actions)
NEXT COMMERCIAL IMPACT EVENT:
[Certification / obligation] — [DATE — N weeks]
Commercial consequence if missed: [plain English — e.g. "CE certificate
lapse would affect bid eligibility for [contract type] within 30 days"]
Preparation status: [On track / Behind — see Governance Actions]
→ Full certification detail, renewal timelines, and investment options:
Compliance Status and Certification Roadmap
Panel 2 — Information security objectives performance
Detailed view: EV-A → Management System → Security Objectives → [YYYY]
SECURITY OBJECTIVES — [YEAR] — approved at management review [DATE]
Obj  Title                                                      Owner         Status
───────────────────────────────────────────────────────────────────────────────
O1   [Reduce critical patch MTTR to <5 days by [DATE]]          IT Manager    🟢 On track
                                                                              Q3: 5.2 days · Target: 5 days
O2   [Achieve 100% security awareness training completion       HR Manager    ⚠️ At risk
     by [DATE]]                                                               Q3: 87% · Target: 100%
                                                                              Risk: [N] staff not yet enrolled
O3   [Complete C3PAO pre-assessment readiness by                CISO          🟢 On track
     [DATE — 4 weeks before assessment]]                                      Evidence pack [% complete]
O4   [Close EDR platform POA&M item by [DATE]]                  IT Manager    🔴 Blocked
                                                                              Budget decision outstanding — see Panel 5
O5   [Achieve phishing simulation click rate below 5%           CISO / HR     🟢 On track
     by [DATE]]                                                               Q3: 7% · Trend: ↓ from 12%
───────────────────────────────────────────────────────────────────────────────
OBJECTIVES SUMMARY:
On track: [N] At risk: [N] Blocked (management action needed): [N]
Completed early: [N] Not started: [N]
YEAR-END FORECAST:
[Brief one-paragraph CISO assessment of whether the year's objectives will
be achieved. Flag any objective where the year-end outcome looks unlikely
and what management can do to change the trajectory.]
Example: "O1 through O3 and O5 are expected to be achieved by year-end.
O4 is blocked on the EDR budget decision. If the investment is not approved
by [DATE], O4 will not be achieved this year and will carry forward into
[YEAR+1] as both a security objective and a POA&M obligation. The C3PAO
assessment timeline makes this the most time-sensitive decision currently
sitting with management."
→ Objectives detail and milestone tracking: EV-A06 → [YYYY]
Panel 3 — Open risk summary
Detailed view: Management Risk Posture · 05 · Risk Register
RISK REGISTER SUMMARY — as of [DATE]
POSTURE AT A GLANCE:
Total active risks: [N]
Within risk appetite: [N] ← these need no management action
Exceeding risk appetite: [N] ← each requires a management decision
Accepted (signed off): [N] ← management has formally accepted these
By level:
🔴 Very High (20–25): [N] [must be zero or have board-level sign-off]
🟠 High (10–19): [N] [requires CISO notification + management awareness]
🟡 Moderate (5–9): [N] [within appetite — CISO manages]
🟢 Low (1–4): [N] [within appetite — CISO manages]
RISKS REQUIRING MANAGEMENT AWARENESS THIS QUARTER:
Risk 1: [Risk title — 5 words maximum]
In one sentence: [Plain English — what could happen, to what, with what consequence]
Current residual rating: [High — 12/25] [exceeds appetite / within appetite]
Treatment status: [In treatment — see O4 above / Accepted [DATE] / Pending decision]
Management action: [None — awareness only / Decision required — see Panel 5]
Risk 2: [Risk title]
[Same format]
Risk 3: [Risk title]
[Same format]
[N additional risks require management awareness — see Management Risk Posture for full detail]
RISK APPETITE CONFIRMATION STATUS:
Last confirmed by management: [DATE — at management review]
Next confirmation required: [DATE — at next management review]
Current appetite statement: [link to Management Risk Posture → Section 4]
CISO assessment: [Risk appetite remains appropriate for current business
context / The following change to context may warrant a review of appetite:
[describe] — CISO will bring to next management review]
TOP RISK MOVEMENT THIS QUARTER:
↑ Elevated: [Risk title] — [reason in one sentence — e.g. "supplier incident
increased likelihood score from 2 to 4"]
↓ Reduced: [Risk title] — [reason — e.g. "PAM deployment complete;
residual reduced from High to Moderate"]
● New: [Risk title] — [reason — e.g. "new contract introduces CMMC C3PAO
obligation; risk added for readiness gap"]
✓ Closed: [Risk title] — [reason — e.g. "control implemented; risk treated
to within appetite; no further management attention required"]
→ Full risk register: 05 · Risk Register
→ Management risk posture detail and top 5 risks: Management Risk Posture
→ Treatment investment proposals: Compliance Status → Section 3
Panel 4 — Incident KPIs
Detailed view: EV-D → Incident Response · EV-F02 (monthly metrics)
INCIDENT KPIs — rolling 12 months ending [DATE]
INCIDENT VOLUME AND CLASSIFICATION:
Class     Description                                            This year   Prior year
───────────────────────────────────────────────────────────────────────────────
Class 1   Detected and auto-remediated — no execution;           [N]         [N]
          no human intervention needed (e.g. AV quarantine)
Class 2   Execution suspected — manual investigation             [N]         [N]
          required; no confirmed breach
Class 3   Confirmed breach — CUI or OFFICIAL data affected;      [N]         [N]
          regulatory notification decision required
Class 4   Major incident — ransomware, extended outage,          [N]         [N]
          or multiple systems affected
Total incidents this year: [N]
Requiring management notification: [N] (Class 2+)
Resulting in regulatory notification: [N] — [describe each or "None"]
Year-on-year trend: [↑ +N% / ↓ -N% / → Stable]
CISO assessment of trend: [Brief — e.g. "The increase in Class 1 events
reflects improved AV detection coverage, not an increase in genuine attack
volume. Class 2 events are stable. No Class 3 or 4 events this year."]
REGULATORY NOTIFICATIONS MADE:
DFARS notifications (72-hour): [N] — [brief: dates and outcomes, or "None"]
ICO notifications (72-hour): [N] — [brief: dates and outcomes, or "None"]
DEFSTAN notifications (24-hour): [N] — [brief: dates and outcomes, or "None"]
ICO enforcement action received: [N] — [describe or "None"]
RESPONSE PERFORMANCE:
Mean time from detection to containment (Class 2+): [N hours]
Target (from IRP): [N hours]
Status: [On target / Below target — corrective action: [describe]]
Mean time from detection to CISO notification of management (Class 2+): [N hours]
Target: 4 hours (business hours) / 8 hours (out of hours)
Status: [On target / Below target]
Regulatory notification SLA compliance:
DFARS 72-hour: [N of N] submitted within SLA — [100% / [N]% — describe any breach]
ICO 72-hour: [N of N] submitted within SLA
DEFSTAN 24-hour: [N of N] submitted within SLA
INCIDENT RESPONSE PROGRAMME STATUS:
IRP last reviewed: [DATE] — [current / [N] months overdue for review]
Annual IR exercise: [Completed [DATE] — findings: [N] / Scheduled [DATE] / Overdue]
IRT contact list last verified: [DATE] — [all contacts current / [N] numbers outdated]
Playbook library current: [Yes / Partial — [N] playbooks need updating]
POST-INCIDENT REVIEW COMPLETION:
Class 2+ incidents requiring PIR: [N]
PIRs completed within 10 days: [N of N] ([%])
PIR findings creating corrective actions: [N] — open: [N] / closed: [N]
NOTABLE INCIDENTS FOR MANAGEMENT AWARENESS:
[If any Class 2+ incident this quarter warrants a brief management summary:]
[DATE] — Class [N] incident — [brief title]
What happened: [2 sentences plain English]
Data affected: [CUI: Yes/No; Personal data: Yes/No; OFFICIAL: Yes/No]
Notifications made: [describe or "None required"]
Status: [Resolved — PIR complete / Under ongoing investigation]
Lessons learned: [1 sentence or "See EV-D13 for full PIR"]
Management action required: [None / [describe]]
[Or: "No Class 2 or above incidents in the past quarter requiring management
summary. Class 1 incident log reviewed in EV-F01 monthly SIEM reviews."]
→ Full incident records: EV-D → Incident Response → Incidents → [YYYY]
→ IRP and playbooks: AT-IR → IRP Document
→ Monthly metrics detail: EV-F → Continuous Monitoring → Metrics Reports
Panel 5 — Governance actions queue
The single most important panel for management. This is the list of things that only management can do and that are currently outstanding. Nothing that the CISO or IT Manager can resolve independently appears here.
Updated by the CISO immediately when a new management action is identified. Cleared by the CISO when a management decision is received and acted upon.
GOVERNANCE ACTIONS — open items requiring management response
Priority key:
🔴 Urgent — deadline within 30 days; delay has compliance or commercial consequence
🟠 Important — deadline within 90 days; should be resolved at next scheduled touchpoint
🟢 Planned — no immediate deadline; include in next management review agenda
────────────────────────────────────────────────────────────────────────────────────────
🔴 ACTION 1 — CMMC senior official affirmation signature
What: The annual CMMC self-assessment is complete. The SPRS score of [N]
is ready to submit. A Director-level signature is required on the affirmation
before SPRS submission.
Deadline: [DATE] — SPRS must be updated before this date
Who: [Director name] — affirmation signatory
CISO briefing: scheduled [DATE] / available on request
What happens if this is missed: The SPRS submission is late. Contracting
officers checking SPRS will see an out-of-date entry. This is a DFARS
compliance gap with immediate effect on any contract renewal or new bid
that checks SPRS.
Required action: [Director name] to contact CISO to schedule the 30-minute
briefing before signing. Do not sign without the briefing — the affirmation
has False Claims Act implications.
Status: ⏳ Awaiting Director scheduling confirmation
Contact: [ciso@organisation.com] or [direct line]
────────────────────────────────────────────────────────────────────────────────────────
🔴 ACTION 2 — EDR platform upgrade — investment decision
What: The upgrade to close CMMC control 3.14.7 (Partially Implemented) must
be approved and implemented before the C3PAO assessment on [DATE].
If approved now: full CMMC Level 2 certificate expected.
If deferred: conditional certificate expected; commercial risk at bid stage.
Cost: £[X] net additional annual cost (replaces existing platform)
Decision needed by: [DATE — [N] weeks from now]
Who decides: [Director / management collectively]
Options: Full detail in Compliance Status → Section 3 → Investment 1
CISO recommendation: Approve — the cost of the upgrade is lower than the
commercial risk of a conditional CMMC certificate in a competitive defence
bid environment.
Status: ⏳ Awaiting management decision
To decide: review Investment 1 in Compliance Status → Section 3, then
notify CISO of the decision by [DATE]
────────────────────────────────────────────────────────────────────────────────────────
🟠 ACTION 3 — Annual security training completion — management chase required
What: Security awareness training completion is at [87%] against a 100%
target with [N] weeks remaining. [N] staff members have not started the
module. Line managers are the primary chase mechanism.
Deadline: [DATE — training completion deadline]
Who: All line managers with direct reports who have not completed
CISO action: LMS report showing individual non-completers distributed
to line managers on [DATE] — line managers should have chased already
Management action: If any Director has direct reports who have not
completed, chase them directly. If any line manager is not chasing their
team, escalate to HR.
Status: ⏳ Line manager chase in progress — [N] completions still needed
Non-completer report: [link to LMS report or EV-B05 status page]
────────────────────────────────────────────────────────────────────────────────────────
🟠 ACTION 4 — Policy 07 (Business Continuity) re-approval
What: Policy 07 is due for annual re-approval. The Operations Director is
the named approving authority. No content changes are proposed — this is
a confirmation that the policy remains appropriate.
Deadline: [DATE — before annual management review]
Who: [Operations Director name]
To approve: open 01 · Policies → Policy 07, read the current version
(no material changes from last year), then notify the CISO by email
confirming approval with the date. The CISO will update the policy review
log.
Estimated time: 15 minutes
Status: ⏳ Awaiting Operations Director review and confirmation
────────────────────────────────────────────────────────────────────────────────────────
🟢 ACTION 5 — Annual management review scheduling
What: The annual ISMS management review (ISO 27001 clause 9.3) is due in
[MONTH — e.g. November]. The CISO will circulate proposed dates in [MONTH —
e.g. September]. This action is a reminder to keep the diary clear.
Deadline: [DATE — management review must occur by]
Duration: 120 minutes minimum
Required attendees: all Directors + CISO + IT Manager + HR Manager
Action: hold the dates that will be proposed — the CISO will confirm
the exact date in [MONTH]. Decline any invitation to delegate attendance
to the CISO alone — the review requires top management participation to
satisfy ISO 27001 clause 5.1.
Status: 🗓️ Pre-planned — dates to be circulated [MONTH]
────────────────────────────────────────────────────────────────────────────────────────
🟢 ACTION 6 — DEFSTAN [Contract ref 2] supplier assessment
What: The evidence pack for [Contract ref 2] contains an overdue supplier
assessment for [Supplier name]. This does not affect current compliance
status but would be a finding at the contract renewal review in [DATE].
The CISO is managing the assessment scheduling — no management decision
is required unless the supplier refuses to cooperate.
Deadline: CISO to complete by [DATE — 6 weeks from now]
Management involvement: awareness only — escalation if supplier
refuses assessment (would require a management decision on the supplier
relationship)
Status: 🔄 CISO managing — no management action currently required
────────────────────────────────────────────────────────────────────────────────────────
COMPLETED ACTIONS — resolved since last dashboard update:
✅ [DATE] — ISO 27001 Surveillance Audit 1
Outcome: Passed — [N] observations, [N] minor nonconformities, all closed
Certification body confirmed: certificate remains in good standing
Management role: [Director name] attended management interview — no issues
✅ [DATE] — Cyber Essentials renewal
Outcome: Renewed — certificate valid until [DATE]
Certificate number: [N] — verifiable at ncsc.gov.uk/cyberessentials/search
✅ [DATE] — RISK-2024-003 risk acceptance
Risk: [title]
Decision: formally accepted at Moderate by [Director name] on [DATE]
Review date: next management review
Panel 6 — Evidence and governance calendar
The governance calendar gives management a 90-day view of compliance events, evidence due dates, and management touchpoints. Updated quarterly.
GOVERNANCE CALENDAR — next 90 days from [DATE]
Events are grouped by week. Management-required events are highlighted.
CISO-managed events are shown for awareness only.
WEEK OF [DATE]:
[DATE] 🔴 MANAGEMENT REQUIRED — CMMC affirmation signature
[Director name] — 30-min briefing with CISO + signature
→ Action 1 above
[DATE] CISO manages — CE Plus technical assessment
CISO and IT Operations on-site with assessor
Outcome reported to management within 24 hours
WEEK OF [DATE]:
[DATE] 🟠 MANAGEMENT REQUIRED — EDR investment decision
Deadline for management decision to avoid C3PAO timeline risk
→ Action 2 above
[DATE] CISO manages — DEFSTAN evidence pack refresh ([Contract ref 1])
No management involvement unless gap is found
WEEK OF [DATE]:
[DATE] CISO manages — Monthly SIEM log review (EV-F01) due
[DATE] CISO manages — Monthly security metrics report (EV-F02) due
[DATE] CISO manages — Monthly AV/EDR coverage report (EV-D32) due
These are produced monthly — management visibility via EV-F02 dashboard section
WEEK OF [DATE]:
[DATE] 🟠 MANAGEMENT REQUIRED — Security training completion deadline
Line managers must have completed their team chasing by this date
→ Action 3 above
WEEK OF [DATE]:
[DATE] 🟠 MANAGEMENT REQUIRED — Policy 07 re-approval
Operations Director review and confirmation to CISO
→ Action 4 above
WEEK OF [DATE]:
[DATE] 🔴 MANAGEMENT REQUIRED — C3PAO pre-assessment evidence submission
Evidence pack submitted to C3PAO [N] weeks before assessment
CISO leads — management available for Director interview scheduling
confirmation
WEEK OF [DATE]:
[DATE] 🔴 MANAGEMENT REQUIRED — C3PAO assessment begins
Director interview: [Director name] — 45 minutes on governance topics
CISO briefing for Director: [DATE — 1 week before]
Full assessment duration: [N] days
30-DAY LOOKAHEAD:
Key management events beyond this quarter:
[DATE] Annual management review — [DATE TBC — CISO to circulate invitations in [MONTH]]
[DATE] CMMC annual self-assessment — CISO to initiate in [MONTH]
[DATE] ISO 27001 Surveillance Audit 2 — [DATE TBC — certification body to confirm]
EVIDENCE PRODUCTION STATUS (for reference — CISO manages):
EV-F01 (SIEM log review): Last produced [DATE] — next due [DATE]
EV-F02 (security metrics): Last produced [DATE] — next due [DATE]
EV-D01 (privileged account): Last produced [DATE — QN] — next due [DATE — QN+1]
EV-D05 (MFA coverage): Last produced [DATE — QN] — next due [DATE — QN+1]
EV-D32 (AV coverage): Last produced [DATE] — next due [DATE]
EV-F03 (firewall rule review): Last produced [DATE — H1/H2] — next due [DATE]
POA&M review (EV-A04): Last reviewed [DATE] — next due [DATE]
Any evidence overdue: [N] — [describe or "None"]
Panel 7 — Quick reference for management
Links to the pages management needs most often, without navigating the full ISMS space.
MANAGEMENT QUICK REFERENCE
Security posture and risk:
→ Current risk posture, top 5 risks, risk appetite:
Management Risk Posture
→ Full risk register:
05 · Risk Register
Compliance and certification:
→ Certification status, renewal dates, C3PAO preparation, DEFSTAN calendar:
Compliance Status and Certification Roadmap
→ CMMC self-assessment details and SPRS score:
EV-E → CMMC → Self-Assessments → [YYYY]
→ ISO 27001 certificate and surveillance audit records:
EV-E → ISO 27001 → [audit year]
Management obligations and accountability:
→ What you need to sign, approve, or attend:
Management Policy Accountability
→ Annual management review agenda, minutes template, and output pipeline:
Management Review Pack
→ Supplier security risk and BCM governance responsibilities:
Supplier Governance and Business Continuity Oversight
Metrics and monitoring:
→ Monthly security metrics report (patch compliance, MFA, AV, alerts):
EV-F → Continuous Monitoring → Metrics Reports → [YYYY-MM]
→ Monthly SIEM log review summary:
EV-F → Continuous Monitoring → Log Reviews → [YYYY-MM]
Incidents:
→ Current and past incident records:
EV-D → Incident Response → Incidents → [YYYY]
→ Incident response plan (who does what and when):
AT-IR → IRP Document
→ To report a security concern right now:
Call [CISO name] directly on [number]
Do not email for anything urgent — the CISO monitors their phone
Policies (for management sign-off obligations):
→ All 12 ISMS policies:
01 · Policies
→ Policy review log (which policies are current):
Management Policy Accountability → Section 3
CISO CONTACT:
[CISO name]
[ciso@organisation.com]
[Office number]
[Mobile — for out-of-hours incidents and urgent decisions]
If the CISO is unavailable: [IT Manager name] — [number]
For a confirmed significant incident: call, do not email.
SCM and update instructions for the CISO
Operational guidance for whoever maintains this dashboard. This section is visible only to isms-security and appears below the dashboard in the Confluence page, separated by a horizontal rule.
{scroll-content:variant=isms-security}
DASHBOARD MAINTENANCE GUIDE — for CISO and security team
UPDATE FREQUENCY:
Quarterly (at the start of each quarter):
Panel 1: Certification status table — update dates and action items
Panel 2: Objectives — update status, progress figures, and year-end forecast
Panel 3: Risk summary — update counts, risk movement summary, appetite status
Panel 4: Incident KPIs — update rolling 12-month counts and narrative
Panel 5: Governance actions — update queue, close completed items, add new
Panel 6: Calendar — advance 3 months; add newly confirmed events
Monthly:
Panel 4: Incident KPIs — update incident count after each monthly EV-F02
Panel 5: Governance actions — check for newly overdue items; check deadlines
Dashboard header: CISO one-line summary — update if posture has changed
Per event:
Panel 1: Update status if a certification lapses, renews, or assessment occurs
Panel 3: Update if a new Very High or High risk is added or closed
Panel 4: Update incident count immediately after any Class 2+ incident
Panel 5: Add to queue immediately when new management action is identified
Panel 5: Remove from queue immediately when management decision is received
Panel 6: Add event immediately when contracting authority assessment is notified
POSTURE INDICATOR RULES:
🟢 Stable: All certifications current; no risks exceeding appetite without
formal acceptance; no management action overdue; no Class 3/4
incident in past quarter.
⚠️ Action required: At least one of — certification within 6 weeks of expiry;
a risk exceeding appetite without formal acceptance; a management
action in Panel 5 that is overdue; a Class 2 incident in past quarter.
🔴 Decision overdue: At least one of — certification lapsed or will lapse within
2 weeks without management action; a Very High risk without board
sign-off; a Governance Actions item where the deadline has passed
without a management decision; a Class 3 or 4 incident in past quarter.
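The posture rules above, together with the Panel 3 risk level bands, are mechanical enough to compute from structured inputs rather than by hand each quarter. The script below is an added example for the security team and is not part of this page or the ISMS tooling; the class names, field names, and the sample data are assumptions, and two interpretations are marked in comments: a lapsed certification where management has already acted is treated as ⚠️ rather than 🔴, and an overdue Panel 5 item whose decision has arrived but not yet been cleared is treated as ⚠️.

```python
"""Posture indicator calculator for the ISMS governance dashboard header.

Added example, not the page's own tooling. Encodes the POSTURE INDICATOR RULES
and the Panel 3 risk level bands (1-25 likelihood x impact scale). Red conditions
take precedence over amber, amber over green.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

GREEN = "🟢 Stable and current"
AMBER = "⚠️ Action required"
RED = "🔴 Management decision overdue"

LAPSE_WARNING_DAYS = 6 * 7    # ⚠️: certification within 6 weeks of expiry
LAPSE_CRITICAL_DAYS = 2 * 7   # 🔴: lapsed, or will lapse within 2 weeks, without management action


def risk_level(score: int) -> str:
    """Panel 3 bands for a residual score on the 1-25 scale."""
    if not 1 <= score <= 25:
        raise ValueError("residual score must be between 1 and 25")
    if score >= 20:
        return "Very High"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass
class Certification:
    name: str
    expires: Optional[date]                 # None for living documents / ongoing obligations
    management_action_taken: bool = False   # renewal or lapse decision already made by management


@dataclass
class Risk:
    title: str
    residual_score: int
    exceeds_appetite: bool
    formally_accepted: bool = False         # signed-off acceptance recorded in the register
    board_signoff: bool = False             # required for any Very High risk


@dataclass
class GovernanceAction:
    title: str
    deadline: date
    decision_received: bool = False


def posture(certs, risks, actions, incident_classes_last_quarter, today) -> Tuple[str, List[str]]:
    """Return (indicator, reasons) for the OVERALL POSTURE line."""
    red: List[str] = []
    amber: List[str] = []

    for c in certs:
        if c.expires is None:
            continue
        days_left = (c.expires - today).days   # negative once lapsed
        if days_left <= LAPSE_CRITICAL_DAYS and not c.management_action_taken:
            red.append(f"{c.name}: lapsed or lapsing within 2 weeks without management action")
        elif days_left <= LAPSE_WARNING_DAYS:
            # Assumption: a lapsed cert with management action in hand stays at awareness level
            amber.append(f"{c.name}: within 6 weeks of expiry")

    for r in risks:
        if risk_level(r.residual_score) == "Very High" and not r.board_signoff:
            red.append(f"{r.title}: Very High ({r.residual_score}/25) without board sign-off")
        elif r.exceeds_appetite and not r.formally_accepted:
            amber.append(f"{r.title}: exceeds appetite without formal acceptance")

    for a in actions:
        if a.deadline < today and not a.decision_received:
            red.append(f"{a.title}: deadline passed without a management decision")
        elif a.deadline < today:
            # Assumption: decision received but item not yet cleared from the queue
            amber.append(f"{a.title}: overdue, decision received but not yet closed")

    worst = max(incident_classes_last_quarter, default=0)
    if worst >= 3:
        red.append(f"Class {worst} incident in past quarter")
    elif worst == 2:
        amber.append("Class 2 incident in past quarter")

    if red:
        return RED, red
    if amber:
        return AMBER, amber
    return GREEN, []


def overall_posture_line(indicator: str, reasons: List[str]) -> str:
    """Render the header's OVERALL POSTURE line."""
    if indicator == GREEN:
        return GREEN
    if indicator == AMBER:
        return f"{AMBER} on {len(reasons)} items"
    return f"{RED} — see Governance Actions ({len(reasons)} items)"


# Constructed sample inputs (not real organisational data).
TODAY = date(2025, 1, 15)
SAMPLE_CERTS = [
    Certification("ISO 27001:2022", date(2026, 3, 1)),
    Certification("Cyber Essentials Plus", TODAY + timedelta(days=30)),   # inside 6-week window
    Certification("NIST 800-171 SSP", None),
]
SAMPLE_RISKS = [Risk("EDR coverage gap", 12, exceeds_appetite=True)]      # High, no acceptance
SAMPLE_ACTIONS = [GovernanceAction("EDR investment decision", TODAY + timedelta(days=21))]
SAMPLE_INCIDENTS = [1, 1, 2]
OVERDUE_ACTION = GovernanceAction("CMMC affirmation signature", TODAY - timedelta(days=1))
LAPSED_CERT_WITH_ACTION = Certification("Cyber Essentials", TODAY - timedelta(days=3),
                                        management_action_taken=True)


def evaluate_sample() -> Tuple[str, List[str]]:
    return posture(SAMPLE_CERTS, SAMPLE_RISKS, SAMPLE_ACTIONS, SAMPLE_INCIDENTS, TODAY)


if __name__ == "__main__":
    indicator, reasons = evaluate_sample()
    print(overall_posture_line(indicator, reasons))
    for line in reasons:
        print(" -", line)
```

Run it against the current register, certification dates, and Panel 5 queue at each quarterly update and paste the output into the header; the reasons list doubles as the audit trail for why the indicator was set.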
EVIDENCE SOURCES FOR EACH PANEL:
Panel 1: EV-E filing series; certification body correspondence; SPRS portal
Panel 2: EV-A06 (objectives) — update from objective owner; ITSM tracker
Panel 3: 05 · Risk Register (live page) — monthly CISO review produces counts
Panel 4: EV-D12 (incident records); EV-F02 (monthly metrics MTTR data)
Panel 5: CISO judgement — review weekly; any item where management authority
is needed and not yet obtained
Panel 6: CISO calendar; certification body notifications; contracting authority
WHAT SHOULD NOT APPEAR IN THIS DASHBOARD:
Technical vulnerability details or CVE references (Panel 3 and 4 are non-technical)
Named system hostnames or IP addresses
Internal security team investigation details
Names of staff involved in incidents (refer to role or incident reference only)
Supplier names in a context that would be commercially sensitive
The dashboard is visible to all isms-management users — this may include
Directors who are not involved in security operations. Write every sentence
as if the Operations Director will read it cold with no prior context.
GOVERNANCE ACTIONS QUEUE MANAGEMENT:
The queue in Panel 5 is only valuable if it is accurate and current.
A queue that grows and is never cleared becomes background noise.
Rules for the queue:
1. An item goes on the queue ONLY when management authority is genuinely
required. If the CISO can resolve it, it should not be on the queue.
2. An item is removed from the queue THE DAY the management decision
is received — not at the next quarterly update.
3. Completed items are moved to the "Completed actions" section at the
bottom of Panel 5 and kept for one quarter for reference.
4. The queue should never have more than 8 items. More than 8 items
means either we are not resolving decisions fast enough (escalate to
management) or we are putting non-management items on the queue (review).
5. If an isms-management user asks the CISO about the queue, that conversation
is itself a management action — record the outcome.
{scroll-content}
Version and filing
This content sits on the ISMS Home page (00 · Home).
The all-staff content appears first with no SCM wrapper.
The isms-management content (this dashboard) appears below.
The isms-security content (maintenance guide above) appears last.
The Home page itself has no version history entry — it is updated in place.
The dated evidence records that feed this dashboard are filed separately in
the EV-A through EV-F evidence filing structure.
Dashboard owner: CISO
Page questions: [ciso@organisation.com]