For security program managers
who run the programme between assessments and audits

A security programme management platform built around the live engagement record

Security program managers (PgMs) and security programme leads carry the rolling state of the security programme between assessments, audits, and incident response activations. The work spans the programme plan, the RAID log, the dependency map, the cross-team RACI, the governance forum cadence, the programme onboarding for new applications and business units, the steering committee report, the programme board pack, the audit committee submission, and the audit-evidence pull for surveillance time. Most programmes carry this work in a Confluence space, a recurring meeting calendar, a Slack channel, a folder of plans and RAID logs, a spreadsheet for the dependency map, a deck for the steering committee, and a separate deck for the audit committee, and pay the cost in reconciliation hours each cycle and in residual programme risk between cycles.

SecPortal gives in-house security program managers one workspace for engagement records per workstream, findings management with CVSS 3.1 scoring and owner-of-record across every source, document management for plans and RAID logs and minutes, compliance tracking that maps one engagement against multiple frameworks at once, AI-assisted programme reporting that regenerates summaries from the live record, role-based access control and multi-factor authentication for the cross-team participants, notifications routing for the recurring cadence, and an append-only activity log that ties the trail together. The programme reads from one record rather than from a deck, a wiki, a spreadsheet, and a folder of meeting notes.

Capabilities security program managers use day to day

How security program managers operate the programme inside SecPortal

A security programme that holds up under audit, incident review, and steering committee scrutiny operates on a small set of disciplines. Workstream plans, RAID entries, dependencies, cross-team RACI, exception decisions, control mappings, and the audit-evidence trail inherit each one rather than carving out a parallel operating model per artefact.

From programme plan to audit committee report, on one engagement record

The programme management loop is open the workstream, land the findings, map the controls, record the exceptions, route the cross-team work, generate the leadership view, and read the recurring cadence. SecPortal runs a single workflow that the programme manager, the workstream owners, the security leader, the audit committee, and the engineering owners can all work against without re-keying state into another tool.

1. 1Open an engagement per programme workstream. Capture the workstream plan, the named owners, the dependency notes, the milestone set, and the governance forum cadence on the engagement record. Attach the RAID log, the RACI table, the onboarding pack, and the stakeholder map as documents. The programme reads from one workspace from the first forum.
2. 2Land every security finding from across vulnerability management, AppSec, GRC, security engineering, and PSIRT-style intake on the relevant engagement record with auto-calculated CVSS 3.1 vector, severity, evidence, named owner, and remediation status. Scanner imports, code scans, authenticated DAST, external scans, and manually logged third-party pentest findings consolidate on the same record, so the workstream picture reads from one queue.
3. 3Map findings and controls against ISO 27001 Annex A, SOC 2 Trust Services Criteria, PCI DSS requirements, NIST SP 800-53 control families, NIST CSF 2.0 functions, and the other supported frameworks through compliance tracking. One mapping satisfies multiple audit packs in parallel, so the programme manager does not rebuild the trail per framework each surveillance cycle.
4. 4Capture risk acceptances, exceptions, and compensating-control decisions on the same record as the findings they cover, with linked finding, severity, compensating controls, residual likelihood, residual impact, business rationale, expiry, and review cadence. The exception register reads as a queue of dated decisions with named owners and explicit expiry rather than as a narrative document the audit committee cannot reconstruct decision chains from.
5. 5Route the work through role-based access control and multi-factor authentication. Workstream owners, engineering owners, audit observers, and steering committee participants see the engagements they need rather than the entire workspace, so the cross-team access model is enforced by the platform rather than asserted in an onboarding email.
6. 6Generate the steering committee deck, the programme board pack, the audit committee report, and the executive risk forum view from the live engagement record through AI-assisted reporting. The leadership view regenerates from the same record the workstream owners run on, so the picture does not drift between cycles and the programme manager edits drafts rather than writes the deck from a blank page.
7. 7Read the recurring cadence from the append-only activity log. Every finding update, scan run, document upload, retest run, exception decision, comment, and team change is recorded with the actor, the timestamp, and the action. Plan retention covers 30, 90, or 365 days, and CSV export keeps the programme trail reproducible at audit time.

Where the programme view connects to the rest of the workspace

Most programme functions adopt SecPortal in three phases: bring every workstream onto an engagement record so the plan, the RAID entries, the dependencies, and the findings live on one record; layer in cross-framework compliance tracking so a single workstream satisfies multiple audit packs; and route the cadence through role-based access control, notifications, and AI-assisted reporting so the steering committee, the programme board, and the audit committee read from the same source the workstream owners run on. The relevant feature, workflow, framework, and blog pages explain each phase in detail.

• The engagement record model that anchors every workstream is covered on the engagement management feature page, the findings repository that consolidates the cross-workstream backlog on the findings management feature page, and the plan, RAID log, and forum minute attachment surface on the document management feature page.
• The multi-framework control mapping a single workstream rides is covered on the compliance tracking feature page, the AI-assisted steering committee summary and programme report regeneration on the AI reports feature page, and the audit-grade record of every workstream event on the activity log feature page.
• The cross-team access model the programme rides on the team management feature page and the recurring cadence notifications on the notifications and alerts feature page.
• The programme onboarding intake for new applications and business units on the new application security onboarding use case, the cross-framework crosswalk workflow that anchors one mapping against multiple frameworks on the control mapping crosswalks use case, and the audit fieldwork evidence fulfilment workflow on the audit fieldwork evidence request fulfilment use case.
• The vulnerability exception governance workflow that runs underneath the programme exception register on the vulnerability acceptance and exception management use case, the SLA breach escalation workflow that hands aging findings up to the programme manager on the vulnerability SLA breach escalation use case, and the cross-team finding handoff to engineering on the SDLC vulnerability handoff use case.
• The programme maturity model that anchors the multi-year programme plan on the vulnerability management programme maturity model research, the programme leadership KPI framework on the security programme KPIs and metrics framework, and the broader enterprise security programme maturity guide on the enterprise security programme maturity guide.
• The board-level reporting cadence that sits above the steering committee on the board-level security reporting guide, the CISO metrics dashboard that pairs to the programme view on the CISO security metrics dashboard guide, and the multi-team security operations operating model on the multi-team security operations guide.
• The RACI policy artefact for vulnerability management on the vulnerability management RACI template, the programme scorecard artefact for the steering committee on the vulnerability management programme scorecard, and the programme exception register artefact on the security exception register template.

Where the programme manager role sits next to adjacent personas

Security program managers run the cross-team coordination layer that sits between the executive sponsor (the CISO), the recurring operations cadence (the security operations leader), the per-finding queue (the vulnerability management team), the design-time controls (the security architect), the engineering-side application security work (the AppSec team), and the audit-evidence side (the GRC and compliance team). The programme manager owns the plan, the dependencies, the forum cadence, and the cross-team RACI rather than any one of those operational shapes.

If your function is programme-level executive sponsorship and board-level reporting rather than cross-team programme coordination, the SecPortal for CISOs and security leaders page covers the leadership-tier reporting workflow that sits above the programme manager view.

If a dedicated security operations leader carries the recurring SecOps cadence between the per-finding queue and the programme view, the SecPortal for security operations leaders page covers the operations-leadership tier that pairs scheduled scanning, severity-driven SLAs, exception governance, and the recurring reporting cadence on the same record.

If the day-to-day find-track-fix-verify backlog is owned by a dedicated team, the SecPortal for vulnerability management teams page covers the operator-side workflow that runs underneath the programme manager view.

If your function spans compliance evidence and audit coordination more than cross-team programme management, the SecPortal for GRC and compliance teams page covers the audit-pack workflow that reads from the same engagement record the programme manager operates on.

If your function is the design-time and architecture-review side of the programme rather than the cross-team coordination layer, the SecPortal for security architects page covers the threat modelling, design review, and control-to-architecture mapping workflow.

If the programme is part of a broader internal security operation that also covers incident response and assessments across business units, the SecPortal for internal security teams page covers the wider operational scope on the same workspace.

SecPortal is built for security program managers who want one workspace for the plan-route-track-map-report loop: engagement records per workstream, findings management with owner-of-record across every source, document management for plans and RAID logs and minutes, multi-framework compliance tracking, AI-assisted programme reporting, role-based access control with multi-factor authentication, and an append-only activity log on top. Workstream owners get a clearer signal on the cross-team RACI, security leadership gets a defensible programme posture between cycles, compliance gets reproducible evidence across frameworks, and the programme manager gets back the hours that used to disappear into reconciliation between tools.