What is a security program quarterly review?

A security program quarterly review is the scheduled leadership meeting that reads the state of the security programme against the targets it committed to at the start of the quarter and decides where the next quarter has to spend its capacity. It is not the weekly operational queue read that the security operations team runs against the live record, and it is not the annual audit committee briefing that pairs to the audit cycle. It is the ninety-day cadence that the CISO, the heads of AppSec, vulnerability management, GRC, security engineering, and security operations bring to one table so the open posture, the closed posture, the deferred posture, the audit posture, the incident posture, the people posture, and the budget posture all read together as one programme rather than as a set of independent reports. A defensible quarterly review answers four questions: where is the programme today against where it committed to be, what changed in the operating environment that the next quarter has to respond to, what does the next quarter commit to, and what does leadership need to decide now to make the commitment achievable.

How is a quarterly review different from a weekly stand-up and an annual board briefing?

The three artefacts sit at three different layers of the programme. The weekly stand-up reads the live operational queue (open critical findings, breached SLAs, scans in flight, active engagements, exceptions under review) and decides what the team works on this week. The quarterly review reads the rolling state of the programme over the prior ninety days, names the trends rather than the snapshot, and commits the next ninety days to a small set of named priorities with named owners. The annual board briefing reads the programme posture against multi-year strategy, the regulatory environment, and the business risk model, and surfaces decisions that require board authority such as budget, scope of the programme, regulatory exposure, and major control commitments. A mature programme keeps the three in sync: the weekly view is the queue, the quarterly view is the trajectory, the annual view is the strategic posture. The quarterly review template is the cadence vehicle that bridges the operational queue and the strategic posture.

What sections does a defensible quarterly review template contain?

Fourteen sections produce a quarterly review that survives a leadership read and an audit committee read. Cover and attendance (period, attendees, chair, scribe, prior review reference). Executive summary (one-paragraph state of the programme, two-paragraph trajectory, three named decisions). Programme posture (open findings by severity and aging band, closure rate, breached SLAs, exception register state, retest backlog). Risk posture (top open risks tied to business impact, residual risk after compensating controls, risk acceptance register changes, risk decay observations). Threat and exposure posture (notable industry incidents, vulnerability advisories that landed in scope, scanner coverage changes, new attack surfaces, threat intelligence input). Audit and compliance posture (active audit cycles, evidence requests fulfilled, control findings raised, framework readiness for the next audit, regulatory engagement). Incident posture (incidents activated, runbooks exercised, post-incident review actions closed and open, near-miss observations, regulatory notifications). Engagement and assessment posture (pentests delivered, vulnerability assessments completed, third-party assessments received, retests outstanding, advisory and disclosure intake). Programme operations (headcount changes, role coverage, training completed, on-call cadence, vendor changes). Initiative progress (quarter commitments restated, actual versus committed, root cause for variance, lessons captured). Budget and capacity (spend against budget, capacity utilisation, anticipated next-quarter spend, capacity asks). Decisions sought (the named decisions leadership has to make at the review meeting). Next quarter commitments (the small set of named priorities with named owners and named success criteria). Action log and closure (the named actions captured during the review with owners and due dates).

Who attends the quarterly review and who owns it?

The quarterly review is chaired by the CISO or the head of security and attended by the heads of the operating disciplines: AppSec, vulnerability management, GRC and compliance, security engineering, security operations, identity, and where applicable cloud security, product security, and detection engineering. The chair owns the review. A named scribe captures the action log on the workspace activity log so the actions raised at the review become tracked items on the engagement record rather than chat messages that decay. Standing optional attendees include the data protection officer for regulatory exposure questions, legal counsel for litigation-adjacent topics, the head of platform engineering or platform leadership for cross-cutting programme dependencies, and a delegate from internal audit when the period contains active audit activity. The review is not a status meeting for the operations team; it is a leadership-tier cadence that translates the operational read into the strategic posture. Cadence-keeping responsibility (the discipline that the review actually runs every quarter on a fixed date, prior reading lands twenty-four hours ahead, action log closes within five business days) is one of the durable indicators of programme maturity.

What evidence does the quarterly review pull from, and how does the workspace help?

A defensible quarterly review reads from the live operational record rather than from a parallel deck assembled the week before the meeting. SecPortal carries the findings record on the workspace findings view scoped by workspace_id; the quarterly view reads cross-engagement cohorts (open critical, breached SLA, aging buckets, exception register, retest queue) directly from the dashboard with CSV and PDF export rather than re-creating the numbers in a spreadsheet. The activity log captures the timestamped chain of state changes per user (open to in-progress, severity reclassifications, override decisions, retest closures, exception expirations) so the headline indicators are derived from the underlying record and the audit reading reconciles by query rather than by claim. The compliance tracking feature pairs the framework readings to the same record so the audit posture section is one read of the same data rather than a parallel claim. The AI report generation feature drafts the executive summary and the trajectory narrative from the underlying record, which the chair edits rather than writes from a blank page. The document management feature carries each quarterly review pack as a versioned artefact paired to the engagement record so the prior review is one click away during the meeting and the audit reads the four quarterly reviews in a year as one consistent operating discipline.

How should programme posture be reported in the quarterly review?

Programme posture is the operational state of the security work over the prior ninety days. The defensible reading layers five views. First, open findings by severity (critical, high, medium, low, info) and by aging band (less than 30 days, 30-90 days, 90-180 days, more than 180 days) so the leadership can read whether the open queue is mostly fresh work or mostly accumulated debt. Second, closure rate by severity over the prior quarter against the SLA targets the programme committed to, so on-time closure is measured rather than asserted. Third, the breached SLA count and the structural reason (capacity bottleneck, dependency on a third-party fix, control gap that requires a programme change) so the breach signal carries the diagnosis the next quarter has to act on. Fourth, the exception register state (new exceptions added, existing exceptions expiring, exceptions overdue for review) so deferred risk is reported alongside closed risk rather than hidden behind a clean closure number. Fifth, the retest backlog and the inbound assessment intake so the operational queue is read alongside the closure rate rather than as a separate concern. The five views together produce a leadership reading that is honest about both the closed posture and the deferred posture.

How should risk posture be reported in the quarterly review?

Risk posture is the strategic-tier view of the open exposure that the programme carries, separate from the operational queue. The defensible reading layers four views. First, the top open risks tied to business impact (the named exposures that would materially affect revenue, customer trust, regulatory standing, or service availability if they were exploited) so the leadership reads the consequential exposures rather than the queue volume. Second, the residual risk after compensating controls (the open risks that have a partial mitigation in place but still carry exposure the programme has not eliminated) so the compensating-control discipline is visible rather than implicit. Third, the risk acceptance register changes (new acceptances added with reason and expiry, existing acceptances renewed, existing acceptances retired through remediation) so the register is treated as a living artefact rather than a static document. Fourth, risk decay observations (the structural pattern that as time passes from initial acceptance the compensating control may weaken, the business context may change, and the acceptance condition may no longer hold) so the periodic review of accepted risk is an explicit discipline rather than a cadence the audit asks about after a gap. The four views together produce a risk posture reading that the audit committee can read against the operational posture.

How are decisions captured and committed at the review?

The decisions section is the highest-value output of the quarterly review. Three disciplines hold the line. First, the chair names the decisions sought in the prior reading pack circulated twenty-four hours before the meeting so attendees come prepared to commit rather than to debate first principles. Each named decision carries a short context, the named option set, the recommendation, and the owner who will act on the decision. Second, the review captures the decision outcome in the action log on the workspace activity log with the named decision-maker, the named owner of the action, the named success criterion, and the named due date. Decisions that need wider authority (board, executive risk forum, audit committee) are explicitly marked as referred decisions with the named escalation path rather than implicitly deferred. Third, the next-quarter commitments section restates the small set of named priorities the programme will spend its capacity on over the next ninety days with the named success criterion for each. The success criteria are observable rather than aspirational (close SLA breach root cause X by Y date, deliver the audit evidence pack for Z framework, complete the operationalisation of the new product security guardrail in N services). The discipline of naming success criteria observably is one of the durable indicators that the quarterly review is functioning as a decision cadence rather than a reporting ritual.

How does the quarterly review align to ISO 27001, SOC 2, and other framework expectations?

A defensible quarterly review evidences several framework expectations even when it is not the only artefact for any single one. ISO/IEC 27001 Clause 9.3 (management review) requires periodic review of the ISMS by top management with named inputs (audit results, fulfillment of objectives, risk treatment status, opportunities for continual improvement) and named outputs (decisions, actions, resource needs); the quarterly review template covers most of these and pairs to the annual management review for the full Clause 9.3 reading. ISO/IEC 27001 Clause 9.1 (monitoring, measurement, analysis, evaluation) is evidenced by the programme-posture and risk-posture sections that read indicators on a defined cadence. SOC 2 CC4.1 (the entity monitors the system to evaluate the quality of internal control performance) and CC4.2 (the entity evaluates and communicates internal control deficiencies) are evidenced by the deficiency, decision, and action capture in every review. NIST SP 800-53 CA-7 (continuous monitoring) and PM-9 (risk management strategy) are evidenced by the trajectory reading and the strategic-tier risk posture. PCI DSS Requirement 12.4 (security policy and programme management) is evidenced by the programme governance section. NIST CSF 2.0 GV.OV (oversight) and GV.RM (risk management strategy) are evidenced by the governance discipline the review enforces. The quarterly review is one of the durable evidence vehicles for these expectations because the cadence is observable, the decisions are captured, and the outputs are paired to the live record rather than to a one-off document.

What is the prior-reading discipline and why does it matter?

The prior-reading discipline is the practice of circulating the quarterly review pack twenty-four hours before the meeting so attendees read the indicators, the trends, and the decisions sought before they walk into the room. A review that is read at the meeting becomes a status-update meeting where the chair narrates the slides and the attendees consume the information for the first time; little is decided and the action log is thin. A review that is read before the meeting becomes a decision cadence where attendees come prepared with their reading positions, the discussion is targeted, and the decisions are made with the depth they require. Three rules support the discipline. First, the pack is generated from the live workspace record rather than authored from a blank page so it is reliably ready twenty-four hours ahead. Second, the chair commits to circulating the pack on a calendar discipline (Wednesday afternoon for a Friday morning review) and the team treats the deadline as a hard one. Third, the prior reviews and the prior action logs are paired to the new pack so attendees can read the trajectory rather than the snapshot. The prior-reading discipline is one of the durable indicators that the quarterly review is functioning as a decision cadence rather than a reporting ritual.

How is the action log from the review tracked and closed?

The action log is the durable output of the review that connects the leadership cadence to the operational record. Three disciplines hold the line. First, every action captured at the review is recorded on the workspace activity log with the named decision-maker, the named owner, the named success criterion, and the named due date; the action is paired to the engagement record or the finding record where the work will land so it is part of the operational queue rather than a parallel artefact. Second, the action log is reviewed at the next quarterly review as the first agenda item after the executive summary so closure of prior actions is visible against the new period. Actions that closed in the period are reported with the closure evidence; actions still open are reported with the structural reason and a revised target; actions that drifted past their due date without progress are reported as such and the structural reason is discussed in the leadership cadence rather than escalated only when the next regulator interaction surfaces them. Third, the action log carries a small set of programme-level metrics over time (number of actions raised per review, average closure latency, closure rate within the next quarter, actions closed with evidence versus claim) so the leadership cadence has its own quality indicators. The action-log discipline is one of the most observable signals that the quarterly review is operating as a real cadence rather than a checkbox exercise.

What failure modes does the quarterly review have to design against?

Seven failure modes recur across enterprise programmes. The review becomes a status report where the chair narrates the slides and the attendees consume the information at the meeting; the fix is the prior-reading discipline twenty-four hours ahead. The leadership view drifts from the operational record because the pack is authored from spreadsheets rather than read from the live workspace; the fix is reading the cohort views (open critical, breached SLA, aging buckets, exception register, retest queue) directly from the workspace findings view rather than re-creating them. The decisions sought are not named in advance and the meeting debates first principles rather than commitments; the fix is the named decision section in the prior reading. The action log is captured in chat or in a side document and decays; the fix is the workspace activity log as the system of record. The cadence slips and quarterly reviews happen on a six- or eight-month cadence; the fix is calendar-anchored review dates set at the start of the year and treated as fixed appointments. The review covers operations but ignores risk posture and audit posture so the leadership cadence misses the strategic-tier view; the fix is the four-quadrant reading (programme, risk, threat, audit) on every review. The next-quarter commitments are aspirational rather than observable; the fix is naming success criteria observably (close X by Y date, deliver Z evidence pack) rather than as themes. The seven failure modes are recognisable enough that designing against each is one of the durable disciplines that distinguishes a maturing programme from a stalling one.

Free Tool

Security Program Quarterly Review Template
fourteen sections for programme posture, risk posture, audit posture, incident posture, decisions, and next-quarter commitments

A free, copy-ready security program quarterly review template. Fourteen structured sections covering cover and attendance, executive summary, programme posture (open findings by severity and aging, closure rate, breached SLAs, exception register), risk posture (top risks, residual risk, acceptance register, risk decay), threat and exposure posture (industry incidents, advisories, scanner coverage, new attack surface), audit and compliance posture (active cycles, evidence requests, control findings, framework readiness), incident posture (activations, runbooks exercised, post-incident actions), engagement and assessment posture, programme operations (people, capacity, vendors), initiative progress against commitments, budget and capacity, decisions sought with named decision-makers, next-quarter commitments with observable success criteria, and action log with cadence-quality metrics. Aligned with ISO/IEC 27001 Clause 9.3 and Clause 9.1, SOC 2 CC4.1 and CC4.2, NIST SP 800-53 CA-7 and PM-9, PCI DSS Requirement 12.4, and NIST CSF 2.0 GV.OV and GV.RM.

Get Started Free

No credit card required. Free plan available forever.

Fourteen sections that turn a quarterly review into a decision cadence

A security program quarterly review is the leadership cadence that reads the rolling ninety-day state of the security programme, names the trends, captures the decisions, and commits the next ninety days to a small set of named priorities. It is not the weekly operational queue read that the security operations team runs against the live record, and it is not the annual audit committee briefing that pairs to the audit cycle. The quarterly review is the cadence vehicle that bridges the operational queue and the strategic posture so the leadership reading and the operational reading are the same record rather than two independently edited documents.

The fourteen sections below cover the durable shape of one review against ISO/IEC 27001 Clause 9.3 (management review), Clause 9.1 (monitoring, measurement, analysis, evaluation), SOC 2 CC4.1 and CC4.2, NIST SP 800-53 CA-7 and PM-9, PCI DSS Requirement 12.4, and NIST CSF 2.0 GV.OV and GV.RM. The package is not a substitute for the live operational workflow that runs the security work day to day, the audit committee briefing that pairs to the annual cycle, or the board-level strategy review that names multi-year posture. Pair it with the security leadership reporting workflow for the cadence narrative across weekly, monthly, quarterly, and board views, the CISO security metrics dashboard guide for the indicator selection underneath the pack, the security programme KPIs and metrics framework for the trajectory definitions, and the board-level security reporting guide for the audience the annual briefing reads to. Copy the section that fits your stage and paste the rest as you go.

Copy the full quarterly review pack (all fourteen sections) as one block.

1. Cover and attendance

Open the quarterly review pack with the boundary, the period, and the people. A reviewer should be able to read in the first lines which quarter the review covers, who attended, who chaired, who took the action log, and which prior review the current review builds on. Without explicit cover and attendance the audit cannot trace which reviews ran on which dates, and the leadership cadence becomes an undated stream of slide decks.

Quarterly review period: {{PERIOD_LABEL}}
Period start date: {{PERIOD_START_DATE}}
Period end date: {{PERIOD_END_DATE}}
Review meeting date: {{REVIEW_MEETING_DATE}}
Review meeting location or platform: {{REVIEW_MEETING_LOCATION}}

Chair (the role that runs the review and owns the cadence):
- Role: {{CHAIR_ROLE}}
- Named person: {{CHAIR_NAME}}

Scribe (the role that captures the action log on the workspace activity log):
- Role: {{SCRIBE_ROLE}}
- Named person: {{SCRIBE_NAME}}

Standing attendees by discipline (named role; named person for this period):
- Head of AppSec: {{APPSEC_LEAD_NAME}}
- Head of vulnerability management: {{VM_LEAD_NAME}}
- Head of GRC and compliance: {{GRC_LEAD_NAME}}
- Head of security engineering: {{SECENG_LEAD_NAME}}
- Head of security operations: {{SECOPS_LEAD_NAME}}
- Head of identity: {{IDENTITY_LEAD_NAME}}
- Head of cloud security (if applicable): {{CLOUD_LEAD_NAME}}
- Head of product security (if applicable): {{PRODSEC_LEAD_NAME}}
- Head of detection engineering (if applicable): {{DETECTION_LEAD_NAME}}

Standing optional attendees (attend when the period warrants):
- Data protection officer: {{DPO_NAME}}
- Legal counsel: {{LEGAL_COUNSEL_NAME}}
- Head of platform engineering: {{PLATFORM_LEAD_NAME}}
- Internal audit delegate: {{INTERNAL_AUDIT_DELEGATE_NAME}}

Absentees with delegates (named role; named delegate):
- {{ABSENTEE_DELEGATE_LIST}}

Prior quarterly review reference:
- Prior review period: {{PRIOR_REVIEW_PERIOD}}
- Prior review document identifier: {{PRIOR_REVIEW_DOCUMENT_ID}}
- Prior action log open count at the start of this review: {{PRIOR_OPEN_ACTION_COUNT}}

Framework expectations evidenced by the quarterly review cadence:
- ISO/IEC 27001 Clause 9.3 (management review) inputs and outputs.
- ISO/IEC 27001 Clause 9.1 (monitoring, measurement, analysis, evaluation).
- SOC 2 CC4.1 and CC4.2 (monitoring and communication of deficiencies).
- NIST SP 800-53 CA-7 (continuous monitoring) and PM-9 (risk management strategy).
- PCI DSS Requirement 12.4 (security policy and programme management).
- NIST CSF 2.0 GV.OV (oversight) and GV.RM (risk management strategy).
- Internal policy: {{INTERNAL_POLICY_REFERENCE}}

2. Executive summary

The first page after attendance summarises the state of the programme in three short paragraphs and names the decisions sought. A reader who has only ninety seconds should walk away with the trajectory and the decision points. The summary is the chair narrative; the supporting sections produce the evidence the summary stands on.

State of the programme paragraph (one paragraph, three to five sentences):
The security programme {{STATE_OF_PROGRAMME_PARAGRAPH}}

Trajectory paragraph (one paragraph; the rolling four-quarter direction):
Across the trailing four quarters the programme {{TRAJECTORY_PARAGRAPH}}

What changed in the operating environment paragraph (one paragraph; what the next quarter has to respond to):
The operating environment over the period saw {{ENVIRONMENT_CHANGE_PARAGRAPH}}

Named decisions sought at the review meeting (three to five named decisions; each carries a short context line):
1. {{DECISION_1_HEADLINE}}
   - Context: {{DECISION_1_CONTEXT}}
2. {{DECISION_2_HEADLINE}}
   - Context: {{DECISION_2_CONTEXT}}
3. {{DECISION_3_HEADLINE}}
   - Context: {{DECISION_3_CONTEXT}}
4. {{DECISION_4_HEADLINE}}
   - Context: {{DECISION_4_CONTEXT}}
5. {{DECISION_5_HEADLINE}}
   - Context: {{DECISION_5_CONTEXT}}

Quarter-on-quarter direction (one sentence each, kept short):
- Programme posture direction: {{PROGRAMME_POSTURE_DIRECTION}}
- Risk posture direction: {{RISK_POSTURE_DIRECTION}}
- Audit posture direction: {{AUDIT_POSTURE_DIRECTION}}
- Incident posture direction: {{INCIDENT_POSTURE_DIRECTION}}
- People and capacity direction: {{PEOPLE_CAPACITY_DIRECTION}}

3. Programme posture

Programme posture is the operational state of the security work over the prior ninety days. Layer five views so the leadership reads both the closed posture and the deferred posture rather than only the headline closure number. Each number is read from the live workspace record rather than re-created in a spreadsheet so the audit reconciles by query rather than by claim.

Open findings by severity (snapshot at period end; read from the workspace findings view scoped by status group Open and Pending):
- Critical: {{OPEN_CRITICAL_COUNT}}
- High: {{OPEN_HIGH_COUNT}}
- Medium: {{OPEN_MEDIUM_COUNT}}
- Low: {{OPEN_LOW_COUNT}}
- Info: {{OPEN_INFO_COUNT}}
- Total open: {{OPEN_TOTAL_COUNT}}

Open findings by aging band (snapshot at period end; days since the finding moved to Open):
- Less than 30 days: {{AGING_LESS_30_COUNT}}
- 30-90 days: {{AGING_30_90_COUNT}}
- 90-180 days: {{AGING_90_180_COUNT}}
- More than 180 days: {{AGING_OVER_180_COUNT}}

Closure rate by severity over the period (closed in period divided by closed in period plus open at period end):
- Critical closure rate: {{CRITICAL_CLOSURE_RATE_PERCENT}}
- High closure rate: {{HIGH_CLOSURE_RATE_PERCENT}}
- Medium closure rate: {{MEDIUM_CLOSURE_RATE_PERCENT}}
- Low closure rate: {{LOW_CLOSURE_RATE_PERCENT}}

On-time closure against documented SLA targets (the share of period closures that closed within their SLA window):
- Critical on-time closure rate: {{CRITICAL_ON_TIME_RATE_PERCENT}}
- High on-time closure rate: {{HIGH_ON_TIME_RATE_PERCENT}}
- Medium on-time closure rate: {{MEDIUM_ON_TIME_RATE_PERCENT}}
- Low on-time closure rate: {{LOW_ON_TIME_RATE_PERCENT}}

Breached SLA count over the period (with structural reason category):
- Total breaches: {{TOTAL_SLA_BREACH_COUNT}}
- Capacity bottleneck breaches: {{CAPACITY_BREACH_COUNT}}
- Third-party dependency breaches: {{THIRD_PARTY_BREACH_COUNT}}
- Control gap breaches (programme change required): {{CONTROL_GAP_BREACH_COUNT}}
- Tooling or visibility gap breaches: {{TOOLING_BREACH_COUNT}}
- Other structural reason breaches: {{OTHER_BREACH_COUNT}}

Exception register state (read from the workspace overrides record and exception register):
- New exceptions added in the period: {{NEW_EXCEPTIONS_COUNT}}
- Existing exceptions renewed in the period: {{RENEWED_EXCEPTIONS_COUNT}}
- Exceptions expired in the period without renewal: {{EXPIRED_EXCEPTIONS_COUNT}}
- Exceptions overdue for review at period end: {{OVERDUE_EXCEPTIONS_COUNT}}
- Total live exceptions at period end: {{TOTAL_LIVE_EXCEPTIONS_COUNT}}

Retest backlog and inbound assessment intake:
- Retests outstanding at period end: {{RETEST_BACKLOG_COUNT}}
- Inbound new findings from external scans in the period: {{INBOUND_EXTERNAL_FINDINGS_COUNT}}
- Inbound new findings from authenticated scans in the period: {{INBOUND_AUTH_FINDINGS_COUNT}}
- Inbound new findings from code scans in the period: {{INBOUND_CODE_FINDINGS_COUNT}}
- Inbound new findings from bulk import or third-party assessments in the period: {{INBOUND_IMPORT_FINDINGS_COUNT}}

Observation paragraph (what the five views say together; two to four sentences):
{{PROGRAMME_POSTURE_OBSERVATION_PARAGRAPH}}

4. Risk posture

Risk posture is the strategic-tier view of open exposure that the programme carries, separate from the operational queue. Layer four views so the leadership reading separates consequential exposures from queue volume. Risk posture is the section the audit committee and the executive risk forum read in detail.

Top open risks tied to business impact (rank-ordered; each carries owner and compensating-control status):
1. {{TOP_RISK_1_HEADLINE}}
   - Business impact: {{TOP_RISK_1_BUSINESS_IMPACT}}
   - Owner: {{TOP_RISK_1_OWNER}}
   - Compensating control in place: {{TOP_RISK_1_COMPENSATING_CONTROL}}
   - Remediation plan and target close date: {{TOP_RISK_1_REMEDIATION_PLAN}}
2. {{TOP_RISK_2_HEADLINE}}
   - Business impact: {{TOP_RISK_2_BUSINESS_IMPACT}}
   - Owner: {{TOP_RISK_2_OWNER}}
   - Compensating control in place: {{TOP_RISK_2_COMPENSATING_CONTROL}}
   - Remediation plan and target close date: {{TOP_RISK_2_REMEDIATION_PLAN}}
3. {{TOP_RISK_3_HEADLINE}}
   - Business impact: {{TOP_RISK_3_BUSINESS_IMPACT}}
   - Owner: {{TOP_RISK_3_OWNER}}
   - Compensating control in place: {{TOP_RISK_3_COMPENSATING_CONTROL}}
   - Remediation plan and target close date: {{TOP_RISK_3_REMEDIATION_PLAN}}
4. {{TOP_RISK_4_HEADLINE}}
   - Business impact: {{TOP_RISK_4_BUSINESS_IMPACT}}
   - Owner: {{TOP_RISK_4_OWNER}}
   - Compensating control in place: {{TOP_RISK_4_COMPENSATING_CONTROL}}
   - Remediation plan and target close date: {{TOP_RISK_4_REMEDIATION_PLAN}}
5. {{TOP_RISK_5_HEADLINE}}
   - Business impact: {{TOP_RISK_5_BUSINESS_IMPACT}}
   - Owner: {{TOP_RISK_5_OWNER}}
   - Compensating control in place: {{TOP_RISK_5_COMPENSATING_CONTROL}}
   - Remediation plan and target close date: {{TOP_RISK_5_REMEDIATION_PLAN}}

Residual risk after compensating controls (open risks where a partial mitigation is in place; named exposure that the programme has not eliminated):
- {{RESIDUAL_RISK_LIST}}

Risk acceptance register changes in the period:
- New acceptances added (count, business reason summary, expiry windows): {{NEW_ACCEPTANCES_SUMMARY}}
- Acceptances renewed at expiry (count, renewal reason summary): {{RENEWED_ACCEPTANCES_SUMMARY}}
- Acceptances retired through remediation (count, closure evidence): {{RETIRED_ACCEPTANCES_SUMMARY}}
- Acceptances overdue for periodic review (count, structural reason): {{OVERDUE_ACCEPTANCES_SUMMARY}}

Risk decay observations (the structural pattern that as time passes from initial acceptance the compensating control may weaken, the business context may change, and the acceptance condition may no longer hold):
- {{RISK_DECAY_OBSERVATIONS}}

Observation paragraph (what the four views say together; two to four sentences):
{{RISK_POSTURE_OBSERVATION_PARAGRAPH}}

5. Threat and exposure posture

Threat and exposure posture is the external-environment reading: notable industry incidents that touched the firm or its sector, vulnerability advisories that landed in scope, scanner coverage changes, new attack surfaces, and threat intelligence input. This section is the bridge between the static internal posture and the moving environment the programme operates in.

Notable industry incidents in the period (publicly disclosed incidents in the sector, supply chain, or vendor ecosystem that the firm read against its own posture):
- {{INDUSTRY_INCIDENT_LIST}}

Vulnerability advisories that landed in scope in the period (CISA KEV additions, vendor advisories on platform components, CVE additions to the firm's software bill of materials):
- {{VULNERABILITY_ADVISORY_LIST}}

Scanner coverage changes in the period:
- New scan targets added: {{NEW_SCAN_TARGETS_COUNT}}
- Scan targets retired (decommissioned services or domains): {{RETIRED_SCAN_TARGETS_COUNT}}
- New repositories connected for code scanning: {{NEW_REPOS_COUNT}}
- New authenticated scan profiles configured: {{NEW_AUTH_SCAN_PROFILES_COUNT}}
- New scanner module enabled or rule pack updated: {{NEW_SCANNER_MODULES_LIST}}

New attack surfaces discovered in the period (subdomains, exposed services, third-party connected components, shadow IT):
- {{NEW_ATTACK_SURFACE_LIST}}

Threat intelligence input (named advisories, threat actor activity, sector-specific intelligence the programme read against the operating posture):
- {{THREAT_INTELLIGENCE_INPUT_LIST}}

Observation paragraph (what the operating environment says about the next quarter's emphasis; two to four sentences):
{{THREAT_EXPOSURE_OBSERVATION_PARAGRAPH}}

6. Audit and compliance posture

Audit and compliance posture is the reading the audit committee and the regulator-facing leaders consume in detail. Cover the active audit cycles, the evidence requests fulfilled, the control findings raised, the framework readiness for the next audit, and the regulatory engagement. The compliance tracking feature pairs this section to the live framework mapping so the headline numbers are derived rather than asserted.

Active audit cycles in the period:
- Audit name and scope: {{AUDIT_CYCLE_LIST}}
- Audit phase at period end (fieldwork, draft, response, closure): {{AUDIT_PHASE_LIST}}
- External auditor or assessor: {{EXTERNAL_AUDITOR_LIST}}

Evidence requests fulfilled in the period:
- Total evidence requests received: {{TOTAL_EVIDENCE_REQUESTS_COUNT}}
- Requests fulfilled within the requested window: {{ON_TIME_EVIDENCE_FULFILLMENT_COUNT}}
- Requests requiring follow-up clarification: {{FOLLOW_UP_EVIDENCE_REQUESTS_COUNT}}
- Average evidence request fulfillment latency: {{EVIDENCE_FULFILLMENT_LATENCY_DAYS}}

Control findings raised in the period (deficiencies identified by audit, internal control monitoring, or external assessment):
- Significant findings: {{SIGNIFICANT_CONTROL_FINDINGS_LIST}}
- Material findings: {{MATERIAL_CONTROL_FINDINGS_LIST}}
- Management responses lodged: {{MANAGEMENT_RESPONSE_SUMMARY}}
- Remediation target dates committed to: {{REMEDIATION_TARGET_DATES}}

Framework readiness for the next audit cycle:
- Framework: {{NEXT_FRAMEWORK_NAME}}
- Next audit window: {{NEXT_AUDIT_WINDOW}}
- Readiness assessment (on track, attention needed, blocked): {{NEXT_FRAMEWORK_READINESS_STATUS}}
- Open gaps to close before fieldwork: {{NEXT_FRAMEWORK_GAP_LIST}}

Regulatory engagement in the period (regulator inquiries, mandatory disclosures, sector-specific reporting):
- {{REGULATORY_ENGAGEMENT_LIST}}

Framework crosswalk read (where the quarterly review evidence reads against the framework mapping):
- ISO/IEC 27001 Clause 9.3 management review inputs and outputs.
- ISO/IEC 27001 Clause 9.1 monitoring and measurement evaluation.
- SOC 2 CC4.1 monitoring of internal control performance and CC4.2 communication of deficiencies.
- NIST SP 800-53 CA-7 continuous monitoring and PM-9 risk management strategy.
- PCI DSS Requirement 12.4 security policy and programme management.
- NIST CSF 2.0 GV.OV oversight and GV.RM risk management strategy.

Observation paragraph (what the audit and compliance posture says about the next quarter's emphasis; two to four sentences):
{{AUDIT_COMPLIANCE_OBSERVATION_PARAGRAPH}}

7. Incident posture

Incident posture covers the live-incident workstream over the prior ninety days. Read the activated incidents, the runbooks exercised, the post-incident review actions closed and open, the near-miss observations, and any regulatory notifications. The section pairs to the incident response runbook portfolio so the leadership cadence reads incidents alongside the rest of the operating posture.

Incidents activated in the period (with severity classification and runbook reference):
- Incident reference: {{INCIDENT_REFERENCE_LIST}}
- Severity classification at activation: {{INCIDENT_SEVERITY_LIST}}
- Runbook reference applied: {{INCIDENT_RUNBOOK_LIST}}
- Closure state at period end (active, contained, eradicated, recovered, closed): {{INCIDENT_CLOSURE_STATE_LIST}}

Runbook coverage exercised in the period:
- Runbooks exercised in real incidents: {{RUNBOOKS_EXERCISED_LIVE_COUNT}}
- Runbooks exercised in tabletop simulations: {{RUNBOOKS_EXERCISED_TABLETOP_COUNT}}
- Runbooks not exercised in the period (rolling twelve-month coverage): {{RUNBOOKS_UNEXERCISED_LIST}}

Post-incident review actions:
- Actions closed in the period: {{PIR_ACTIONS_CLOSED_COUNT}}
- Actions open at period end: {{PIR_ACTIONS_OPEN_COUNT}}
- Actions overdue at period end: {{PIR_ACTIONS_OVERDUE_COUNT}}
- Notable lessons captured that drove runbook or plan revisions: {{PIR_LESSONS_NOTABLE_LIST}}

Near-miss observations (incidents that did not activate the runbook but surfaced control or detection weaknesses):
- {{NEAR_MISS_LIST}}

Regulatory notifications lodged in the period (where applicable; GDPR, NIS2, DORA, sector-specific):
- {{REGULATORY_NOTIFICATION_LIST}}

Observation paragraph (what incident posture says about runbook coverage, response capability, and the next quarter's emphasis; two to four sentences):
{{INCIDENT_POSTURE_OBSERVATION_PARAGRAPH}}

8. Engagement and assessment posture

Engagement and assessment posture reports the security testing activity that ran over the prior ninety days: pentests delivered, vulnerability assessments completed, third-party assessments received, retests outstanding, and advisory and disclosure intake. This section pairs to the engagement record on the workspace so the leadership reads the testing pipeline rather than only the closure queue.

Penetration tests delivered in the period:
- Tests in flight at period start: {{PENTESTS_IN_FLIGHT_START}}
- Tests started in the period: {{PENTESTS_STARTED_COUNT}}
- Tests completed in the period: {{PENTESTS_COMPLETED_COUNT}}
- Tests in flight at period end: {{PENTESTS_IN_FLIGHT_END}}
- Notable findings from completed tests (severity-weighted summary): {{PENTEST_NOTABLE_FINDINGS_SUMMARY}}

Vulnerability assessments completed in the period:
- Assessments completed: {{VULNERABILITY_ASSESSMENTS_COUNT}}
- Coverage span (estate areas covered, named): {{ASSESSMENT_COVERAGE_LIST}}

Third-party assessments received in the period (vendor security assessments, supplier attestations, customer requests):
- Assessments received: {{THIRD_PARTY_ASSESSMENTS_COUNT}}
- Significant findings raised on the firm by third parties: {{THIRD_PARTY_SIGNIFICANT_FINDINGS_LIST}}
- Significant findings the firm raised on its third parties: {{FIRM_ON_THIRD_PARTY_FINDINGS_LIST}}

Retest activity:
- Retests requested in the period: {{RETESTS_REQUESTED_COUNT}}
- Retests delivered in the period: {{RETESTS_DELIVERED_COUNT}}
- Retests outstanding at period end: {{RETESTS_OUTSTANDING_END}}

Advisory and disclosure intake in the period:
- Inbound vulnerability disclosures received: {{INBOUND_DISCLOSURES_COUNT}}
- Disclosures acknowledged within the policy window: {{DISCLOSURES_ACKNOWLEDGED_ON_TIME_COUNT}}
- Disclosures still in triage at period end: {{DISCLOSURES_IN_TRIAGE_COUNT}}

Observation paragraph (what the assessment posture says about coverage, capacity, and the next quarter's emphasis; two to four sentences):
{{ASSESSMENT_POSTURE_OBSERVATION_PARAGRAPH}}

9. Programme operations

Programme operations covers the people, capacity, and operating context that supports the security work. Cover headcount changes, role coverage, training completed, on-call cadence, vendor changes, and tool changes. Without an operations section the leadership reading misses the structural reasons that drive much of the variance in programme posture.

Headcount changes in the period:
- Joiners (named role and start date): {{JOINER_LIST}}
- Leavers (named role and end date): {{LEAVER_LIST}}
- Open roles at period end: {{OPEN_ROLES_LIST}}
- Time to fill for open roles (average days open): {{TIME_TO_FILL_DAYS}}

Role coverage at period end (named role; named individual or stated as open):
- {{ROLE_COVERAGE_LIST}}

Training and capability development completed in the period:
- Named training completed by named people: {{TRAINING_COMPLETED_LIST}}
- Certifications earned in the period: {{CERTIFICATIONS_EARNED_LIST}}
- Capability gap observations carried into the next quarter: {{CAPABILITY_GAP_LIST}}

On-call cadence and rotation health:
- On-call rotation pattern in use: {{ON_CALL_PATTERN}}
- On-call participant pool size at period end: {{ON_CALL_POOL_SIZE}}
- Pager-load metrics over the period (escalations per shift, escalations per person): {{ON_CALL_PAGER_LOAD_METRICS}}
- Burnout signals observed and mitigations applied: {{ON_CALL_BURNOUT_SIGNALS}}

Vendor and tool changes in the period:
- Vendors added: {{VENDORS_ADDED_LIST}}
- Vendors retired: {{VENDORS_RETIRED_LIST}}
- Tool replacements completed or in flight: {{TOOL_REPLACEMENT_LIST}}
- Tool consolidation actions: {{TOOL_CONSOLIDATION_LIST}}

Observation paragraph (what programme operations says about capacity, capability, and the next quarter's emphasis; two to four sentences):
{{PROGRAMME_OPERATIONS_OBSERVATION_PARAGRAPH}}

10. Initiative progress

Initiative progress restates the small set of named priorities the programme committed to at the start of the quarter and reads the actual against the committed for each. Variance is named honestly with structural reason so commitments for the next quarter are grounded in what actually shipped rather than in what was hoped for.

Quarter commitments restated (the named priorities from the start-of-quarter commitment list in Section 13 of the prior review):
1. {{COMMITMENT_1_HEADLINE}}
   - Committed success criterion: {{COMMITMENT_1_CRITERION}}
   - Actual delivered: {{COMMITMENT_1_ACTUAL}}
   - Variance reason (if any): {{COMMITMENT_1_VARIANCE_REASON}}
2. {{COMMITMENT_2_HEADLINE}}
   - Committed success criterion: {{COMMITMENT_2_CRITERION}}
   - Actual delivered: {{COMMITMENT_2_ACTUAL}}
   - Variance reason (if any): {{COMMITMENT_2_VARIANCE_REASON}}
3. {{COMMITMENT_3_HEADLINE}}
   - Committed success criterion: {{COMMITMENT_3_CRITERION}}
   - Actual delivered: {{COMMITMENT_3_ACTUAL}}
   - Variance reason (if any): {{COMMITMENT_3_VARIANCE_REASON}}
4. {{COMMITMENT_4_HEADLINE}}
   - Committed success criterion: {{COMMITMENT_4_CRITERION}}
   - Actual delivered: {{COMMITMENT_4_ACTUAL}}
   - Variance reason (if any): {{COMMITMENT_4_VARIANCE_REASON}}
5. {{COMMITMENT_5_HEADLINE}}
   - Committed success criterion: {{COMMITMENT_5_CRITERION}}
   - Actual delivered: {{COMMITMENT_5_ACTUAL}}
   - Variance reason (if any): {{COMMITMENT_5_VARIANCE_REASON}}

Lessons captured from the quarter (the structural observations that the programme will carry into the next cycle):
- {{LESSONS_CAPTURED_LIST}}

Observation paragraph (what initiative progress says about delivery capacity, scoping discipline, and the next quarter's emphasis; two to four sentences):
{{INITIATIVE_PROGRESS_OBSERVATION_PARAGRAPH}}

11. Budget and capacity

Budget and capacity reads the financial and people-capacity dimension of the programme over the prior ninety days. The section is short but explicit so leadership can read whether the programme spent against plan, whether capacity is on the operational curve, and whether commitments for the next quarter are affordable.

Budget against plan for the period:
- Total budget for the period: {{TOTAL_BUDGET}}
- Spend against budget for the period: {{TOTAL_SPEND}}
- Variance: {{BUDGET_VARIANCE}}
- Notable spend lines that diverged from plan: {{NOTABLE_SPEND_VARIANCE_LIST}}

Capacity utilisation for the period (the share of named capacity consumed by named work):
- Operational queue capacity consumed: {{OPERATIONAL_CAPACITY_PERCENT}}
- Project initiative capacity consumed: {{INITIATIVE_CAPACITY_PERCENT}}
- Audit and evidence response capacity consumed: {{AUDIT_CAPACITY_PERCENT}}
- Incident response capacity consumed: {{INCIDENT_CAPACITY_PERCENT}}
- Unplanned and discretionary capacity consumed: {{UNPLANNED_CAPACITY_PERCENT}}

Anticipated next-quarter spend (the named programme commitments for the next quarter; pairs to Section 13):
- {{NEXT_QUARTER_SPEND_LIST}}

Capacity asks for the next quarter (the named capacity shortfalls the programme has identified):
- {{CAPACITY_ASKS_LIST}}

Observation paragraph (what budget and capacity says about the operating shape of the programme; two to four sentences):
{{BUDGET_CAPACITY_OBSERVATION_PARAGRAPH}}

12. Decisions sought

The decisions section is the highest-value output of the quarterly review. Name the decisions sought in the prior reading pack circulated twenty-four hours before the meeting so attendees come prepared to commit rather than to debate first principles. Each decision carries context, options, recommendation, and a named owner.

Decision 1:
- Decision title: {{DECISION_1_TITLE}}
- Context (what changed or what was learned that needs a decision now): {{DECISION_1_CONTEXT}}
- Options considered (each option carries a one-line consequence): {{DECISION_1_OPTIONS}}
- Recommendation (the chair or the originating discipline lead's recommended option): {{DECISION_1_RECOMMENDATION}}
- Decision required at the meeting (yes or no): {{DECISION_1_REQUIRED_AT_MEETING}}
- Named decision-maker: {{DECISION_1_DECISION_MAKER}}
- If decision authority sits outside the review attendees, named escalation path: {{DECISION_1_ESCALATION_PATH}}

Decision 2:
- Decision title: {{DECISION_2_TITLE}}
- Context: {{DECISION_2_CONTEXT}}
- Options considered: {{DECISION_2_OPTIONS}}
- Recommendation: {{DECISION_2_RECOMMENDATION}}
- Decision required at the meeting: {{DECISION_2_REQUIRED_AT_MEETING}}
- Named decision-maker: {{DECISION_2_DECISION_MAKER}}
- Named escalation path (if applicable): {{DECISION_2_ESCALATION_PATH}}

Decision 3:
- Decision title: {{DECISION_3_TITLE}}
- Context: {{DECISION_3_CONTEXT}}
- Options considered: {{DECISION_3_OPTIONS}}
- Recommendation: {{DECISION_3_RECOMMENDATION}}
- Decision required at the meeting: {{DECISION_3_REQUIRED_AT_MEETING}}
- Named decision-maker: {{DECISION_3_DECISION_MAKER}}
- Named escalation path: {{DECISION_3_ESCALATION_PATH}}

Decision 4:
- Decision title: {{DECISION_4_TITLE}}
- Context: {{DECISION_4_CONTEXT}}
- Options considered: {{DECISION_4_OPTIONS}}
- Recommendation: {{DECISION_4_RECOMMENDATION}}
- Decision required at the meeting: {{DECISION_4_REQUIRED_AT_MEETING}}
- Named decision-maker: {{DECISION_4_DECISION_MAKER}}
- Named escalation path: {{DECISION_4_ESCALATION_PATH}}

Decision 5:
- Decision title: {{DECISION_5_TITLE}}
- Context: {{DECISION_5_CONTEXT}}
- Options considered: {{DECISION_5_OPTIONS}}
- Recommendation: {{DECISION_5_RECOMMENDATION}}
- Decision required at the meeting: {{DECISION_5_REQUIRED_AT_MEETING}}
- Named decision-maker: {{DECISION_5_DECISION_MAKER}}
- Named escalation path: {{DECISION_5_ESCALATION_PATH}}

13. Next quarter commitments

The next-quarter commitments section names the small set of priorities the programme will spend its capacity on over the next ninety days. Each commitment carries an observable success criterion, a named owner, a target completion date, and the supporting capacity. Three to five commitments is the durable shape; more than seven dilutes focus and the programme spreads thin.

Commitment 1:
- Headline: {{NEXT_COMMITMENT_1_HEADLINE}}
- Observable success criterion (not a theme; a measurable outcome): {{NEXT_COMMITMENT_1_CRITERION}}
- Named owner: {{NEXT_COMMITMENT_1_OWNER}}
- Target completion date: {{NEXT_COMMITMENT_1_TARGET_DATE}}
- Supporting capacity (people, budget, dependency on other teams): {{NEXT_COMMITMENT_1_SUPPORT}}
- Risk factors that could prevent delivery: {{NEXT_COMMITMENT_1_RISK_FACTORS}}

Commitment 2:
- Headline: {{NEXT_COMMITMENT_2_HEADLINE}}
- Observable success criterion: {{NEXT_COMMITMENT_2_CRITERION}}
- Named owner: {{NEXT_COMMITMENT_2_OWNER}}
- Target completion date: {{NEXT_COMMITMENT_2_TARGET_DATE}}
- Supporting capacity: {{NEXT_COMMITMENT_2_SUPPORT}}
- Risk factors: {{NEXT_COMMITMENT_2_RISK_FACTORS}}

Commitment 3:
- Headline: {{NEXT_COMMITMENT_3_HEADLINE}}
- Observable success criterion: {{NEXT_COMMITMENT_3_CRITERION}}
- Named owner: {{NEXT_COMMITMENT_3_OWNER}}
- Target completion date: {{NEXT_COMMITMENT_3_TARGET_DATE}}
- Supporting capacity: {{NEXT_COMMITMENT_3_SUPPORT}}
- Risk factors: {{NEXT_COMMITMENT_3_RISK_FACTORS}}

Commitment 4:
- Headline: {{NEXT_COMMITMENT_4_HEADLINE}}
- Observable success criterion: {{NEXT_COMMITMENT_4_CRITERION}}
- Named owner: {{NEXT_COMMITMENT_4_OWNER}}
- Target completion date: {{NEXT_COMMITMENT_4_TARGET_DATE}}
- Supporting capacity: {{NEXT_COMMITMENT_4_SUPPORT}}
- Risk factors: {{NEXT_COMMITMENT_4_RISK_FACTORS}}

Commitment 5:
- Headline: {{NEXT_COMMITMENT_5_HEADLINE}}
- Observable success criterion: {{NEXT_COMMITMENT_5_CRITERION}}
- Named owner: {{NEXT_COMMITMENT_5_OWNER}}
- Target completion date: {{NEXT_COMMITMENT_5_TARGET_DATE}}
- Supporting capacity: {{NEXT_COMMITMENT_5_SUPPORT}}
- Risk factors: {{NEXT_COMMITMENT_5_RISK_FACTORS}}

Cross-quarter themes carried forward (the longer-running programme initiatives that span more than one quarter):
- {{CARRY_FORWARD_THEME_LIST}}

14. Action log and closure

The action log is the durable output of the review that connects the leadership cadence to the operational record. Every action captured at the review is recorded with a named owner, an observable success criterion, and a target date, then paired to the workspace activity log so it lives in the operational queue rather than in a side document. The closure block names how the prior actions read at the next review.

Actions raised at the review meeting (named action; named owner; observable success criterion; target close date):
1. {{ACTION_1_HEADLINE}}
   - Named owner: {{ACTION_1_OWNER}}
   - Success criterion: {{ACTION_1_CRITERION}}
   - Target close date: {{ACTION_1_TARGET_DATE}}
   - Workspace activity log entry reference: {{ACTION_1_ACTIVITY_LOG_REF}}
2. {{ACTION_2_HEADLINE}}
   - Named owner: {{ACTION_2_OWNER}}
   - Success criterion: {{ACTION_2_CRITERION}}
   - Target close date: {{ACTION_2_TARGET_DATE}}
   - Workspace activity log entry reference: {{ACTION_2_ACTIVITY_LOG_REF}}
3. {{ACTION_3_HEADLINE}}
   - Named owner: {{ACTION_3_OWNER}}
   - Success criterion: {{ACTION_3_CRITERION}}
   - Target close date: {{ACTION_3_TARGET_DATE}}
   - Workspace activity log entry reference: {{ACTION_3_ACTIVITY_LOG_REF}}
4. {{ACTION_4_HEADLINE}}
   - Named owner: {{ACTION_4_OWNER}}
   - Success criterion: {{ACTION_4_CRITERION}}
   - Target close date: {{ACTION_4_TARGET_DATE}}
   - Workspace activity log entry reference: {{ACTION_4_ACTIVITY_LOG_REF}}
5. {{ACTION_5_HEADLINE}}
   - Named owner: {{ACTION_5_OWNER}}
   - Success criterion: {{ACTION_5_CRITERION}}
   - Target close date: {{ACTION_5_TARGET_DATE}}
   - Workspace activity log entry reference: {{ACTION_5_ACTIVITY_LOG_REF}}

Prior-period action closure read (the read against the prior review's action log; captured here so the next review reads the trajectory rather than the snapshot):
- Prior-period actions closed in this period: {{PRIOR_ACTIONS_CLOSED_COUNT}}
- Prior-period actions still open at this period end: {{PRIOR_ACTIONS_OPEN_COUNT}}
- Prior-period actions overdue: {{PRIOR_ACTIONS_OVERDUE_COUNT}}
- Structural reasons for overdue actions: {{PRIOR_ACTIONS_OVERDUE_REASONS}}

Programme-level action-log metrics (cadence-quality indicators read over the trailing four quarters):
- Average actions raised per review: {{AVG_ACTIONS_PER_REVIEW}}
- Average closure latency (days from action raised to closure): {{AVG_CLOSURE_LATENCY_DAYS}}
- Closure rate within the following quarter: {{NEXT_QUARTER_CLOSURE_RATE_PERCENT}}
- Actions closed with evidence (closure produces an artefact on the workspace) versus closed by claim: {{ACTIONS_CLOSED_WITH_EVIDENCE_RATE_PERCENT}}

Sign-off and circulation:
- Chair sign-off: {{CHAIR_SIGN_OFF}}
- Sign-off date: {{SIGN_OFF_DATE}}
- Circulation list (named roles receiving the finalised review pack): {{CIRCULATION_LIST}}
- Document retention rule (paired to the audit evidence retention policy): {{RETENTION_RULE_REFERENCE}}
- Next review meeting date (calendar-anchored): {{NEXT_REVIEW_MEETING_DATE}}

Programme acknowledgement:
- The quarterly review pack is the cadence vehicle that bridges the weekly operational queue and the annual board briefing.
- The pack is generated from the live workspace record rather than authored from a parallel deck so the audit committee read and the operational read are the same record.
- The cadence is calendar-anchored, the prior reading is circulated twenty-four hours ahead, and the action log closes within five business days of the meeting.

Seven failure modes the quarterly review has to design against

The quarterly review fails the audit read and the leadership read in recognisable patterns. Each failure has a structural fix that the template above is designed to enforce. Read this list before you customise the pack so the customisation does not weaken the discipline that makes the cadence credible.

The review becomes a status report rather than a decision cadence

The chair narrates the slides and the attendees consume the information for the first time at the meeting. Few decisions are made and the action log is thin. The fix is the prior-reading discipline: the pack is circulated twenty-four hours before the meeting and the discussion targets the named decisions in Section 12 rather than narrating the first eleven sections.

The leadership view drifts from the operational record

The pack is authored from spreadsheets the week before the meeting and the numbers do not reconcile to the live workspace findings view. The audit asks for the underlying record behind a headline closure rate and the firm cannot produce it. The fix is reading the cohort views (open critical, breached SLA, aging buckets, exception register, retest queue) directly from the workspace findings view, exporting them as CSV or PDF, and pasting the export into the pack.

The decisions sought are not named in advance

The meeting debates first principles rather than committing to the named options. Time runs out before the decisions are made and the next quarter starts without the commitments the programme needs. The fix is the named decision section in the prior reading: each decision carries context, options, recommendation, and named decision-maker before the meeting opens.

The action log is captured in chat and decays

Actions raised at the meeting land in chat messages, hallway conversations, or a side document that nobody refreshes. By the next review the actions have evaporated and the cadence cannot read its own trajectory. The fix is the workspace activity log as the system of record for action capture, paired to the engagement or finding record where the work will land.

The cadence slips and reviews happen on a six- or eight-month rhythm

A quarterly review that runs four times in eighteen months is not a quarterly review. The trajectory reading becomes unreliable and the audit asks why the management review cadence is not consistent. The fix is calendar-anchored review dates set at the start of the year and treated as fixed appointments by the chair and the standing attendees.

The review covers operations but ignores risk, audit, and incident posture

The pack reads programme posture in detail but leaves risk, audit, and incident posture as sidebars. The strategic-tier reading is missing and the leadership cadence misses the dimensions the audit committee and the executive risk forum need. The fix is the four-quadrant reading (programme, risk, threat and exposure, audit and compliance, incident) on every review pack.

The next-quarter commitments are aspirational rather than observable

The commitments read as themes ("improve cloud security posture", "mature the vulnerability programme") rather than as observable outcomes. There is no honest read at the next review of whether the commitment was delivered. The fix is naming success criteria observably (close SLA breach root cause X by Y date, deliver the audit evidence pack for Z framework, complete the operationalisation of the new product security guardrail in N services).

Ten questions the quarterly review has to answer

A defensible quarterly review answers each of these ten questions every period. Capture the answers in the pack rather than relying on the chair to recall them at the meeting. The ten questions are the operational floor of the cadence; richer programmes answer more, but the ten below are the durable minimum.

1.How many of the prior review s named actions closed within this period, and what is the structural reason for any that drifted past their target date.
2.How did open findings by severity and aging band move quarter on quarter, and where in the queue did the movement concentrate.
3.What is the on-time closure rate against documented SLA targets by severity over the period, and how does it compare to the trailing four quarters.
4.How many SLA breaches occurred in the period, and what are the structural reason categories that account for them.
5.What changed in the exception register over the period (new, renewed, expired, overdue), and is deferred risk growing or shrinking.
6.Which of the prior quarter s named commitments delivered against their observable success criterion, and which did not.
7.Which audit cycles ran in the period, and what control findings did they raise that require management response or remediation.
8.Which incidents activated in the period, which runbooks did they exercise, and what lessons drove runbook or plan revisions.
9.What did the operating environment surface that the next quarter has to respond to (industry incidents, advisories, new attack surfaces, threat intelligence).
10.What are the three to five named commitments for the next quarter, each with an observable success criterion, a named owner, and a target completion date.

How the package pairs with SecPortal

The template above is copy-ready as a standalone artefact. If your team already runs security testing, vulnerability remediation, evidence collection, and finding tracking on a workspace, the quarterly review pack becomes a derived view of the live record rather than a separate authoring project. SecPortal pairs every review period to a versioned engagement record through engagement management, so the period boundary, the attendee list, the prior review reference, the decisions captured, and the action log live alongside the rest of the security record rather than in a side folder.

The programme-posture and risk-posture sections read the cross-engagement cohort views (open critical, breached SLA, aging buckets, exception register, retest queue) directly from the workspace findings view through findings management with the four-bucket status group filter, the five-band severity filter, the category filter, and the title and engagement-title search. The cohort exports as CSV or PDF up to two thousand rows per request through the same dashboard, so the pack numbers reconcile to a live query rather than to a screenshot. The cross-engagement finding search workflow carries the cohort-assembly discipline that the programme-posture section reads against.

The exception register read in the risk-posture section pairs to the finding overrides feature for the structured override record (false positive, accepted risk, severity override) and to the vulnerability acceptance and exception management workflow for the operating discipline. The audit-and-compliance-posture section pairs to compliance tracking where ISO 27001, SOC 2, Cyber Essentials, PCI DSS, and NIST framework mapping reads against the live findings record with CSV export.

The document management feature holds each quarterly review pack as a versioned artefact paired to the engagement record so the prior review is one click away during the meeting and the audit reads four quarterly reviews in a year as one consistent operating discipline. Access to each pack is gated by team management role-based access control and protected by multi-factor authentication. The activity log captures the action capture, the decision capture, the export events, and the circulation of the pack with 30, 90, or 365-day retention windows depending on plan, so the cadence quality (actions raised per review, average closure latency, prior-period closure rate) is observable rather than asserted.

The incident-posture section reads against the incident response runbook portfolio and the incident response workflow so the runbook coverage, the activation history, the post-incident review actions, and the regulatory notifications are paired to the same record. The engagement-and-assessment-posture section reads against the security testing programme management workflow and the retesting workflow.

The AI report generation workflow drafts the executive summary, the trajectory narrative, and the observation paragraphs from the underlying workspace record so the chair edits rather than writes from a blank page. The notifications and alerts feature dispatches the prior-reading discipline (the pack circulated twenty-four hours ahead of the meeting) to the attendee list with the same audit trail.

For the cadence narrative across weekly, monthly, quarterly, and board views, see the security leadership reporting workflow. For the indicator selection underneath the pack, see the CISO security metrics dashboard guide and the security programme KPIs and metrics framework. For the maturity model the quarterly review reads itself against, see the enterprise security programme maturity guide and the vulnerability management programme maturity model research. For the framework anchors, see the framework pages for ISO 27001, SOC 2, NIST CSF 2.0, PCI DSS, and NIST SP 800-53. SecPortal does not replace the chair, automate the strategic-tier decisions, or synchronise the action log to external project-management or ticketing systems. The chair runs the cadence; the template codifies the structure; SecPortal carries the durable workspace record the review reads against and the audit reads after.

Buyer and operator pairing

The quarterly review pack is the cadence vehicle CISOs and security leaders, internal security teams, security operations leaders, vulnerability management teams, AppSec teams, GRC and compliance teams, security engineering teams, security programme managers, and application security programme leads run when the leadership cadence has to read against the live operational record rather than against a deck authored from spreadsheets. External providers (virtual CISOs, managed security service providers, compliance consultants) use the same package to give clients a quarterly review cadence that meets framework expectations rather than a status update that misses the strategic-tier reading the audit committee will ask for.

Loading tool...

Related features

Orchestrate every security engagement from start to finish

Vulnerability management software that tracks every finding

Finding overrides that survive every scan cycle

Compliance tracking without a full GRC platform

Document management for every security engagement

Every action recorded across the workspace

Collaborate across your entire team

Multi-factor authentication on every workspace

AI-powered reports in seconds, not days

Notifications and alerts for the people who carry the work

Security leadership reporting

Cross-engagement finding search

Vulnerability acceptance and exception management

Vulnerability backlog management

Security debt portfolio management

Security testing program management

Compliance audits

Audit fieldwork evidence request fulfillment

Run the quarterly review against the live record, not against a side deck

SecPortal carries the findings, the overrides, the activity log, and the compliance mapping on one workspace so the cohort views, the decisions, and the action log read from the same record the operators run on. Free plan available.

Get Started Free

No credit card required. Free plan available forever.

Security Program Quarterly Review Templatefourteen sections for programme posture, risk posture, audit posture, incident posture, decisions, and next-quarter commitments

Fourteen sections that turn a quarterly review into a decision cadence

1. Cover and attendance

2. Executive summary

3. Programme posture

4. Risk posture

5. Threat and exposure posture

6. Audit and compliance posture

7. Incident posture

8. Engagement and assessment posture

9. Programme operations

10. Initiative progress

11. Budget and capacity

12. Decisions sought

13. Next quarter commitments

14. Action log and closure

Seven failure modes the quarterly review has to design against

The review becomes a status report rather than a decision cadence

The leadership view drifts from the operational record

The decisions sought are not named in advance

The action log is captured in chat and decays

The cadence slips and reviews happen on a six- or eight-month rhythm

The review covers operations but ignores risk, audit, and incident posture

The next-quarter commitments are aspirational rather than observable

Ten questions the quarterly review has to answer

How the package pairs with SecPortal

Buyer and operator pairing

Related features

Orchestrate every security engagement from start to finish

Vulnerability management software that tracks every finding

Finding overrides that survive every scan cycle

Compliance tracking without a full GRC platform

Document management for every security engagement

Every action recorded across the workspace

Collaborate across your entire team

Multi-factor authentication on every workspace

AI-powered reports in seconds, not days

Notifications and alerts for the people who carry the work

Security leadership reporting

Cross-engagement finding search

Vulnerability acceptance and exception management

Vulnerability backlog management

Security debt portfolio management

Security testing program management

Compliance audits

Audit fieldwork evidence request fulfillment

Run the quarterly review against the live record, not against a side deck

Fourteen sections that turn a quarterly review into a decision cadence

1. Cover and attendance

2. Executive summary

3. Programme posture

4. Risk posture

5. Threat and exposure posture

6. Audit and compliance posture

7. Incident posture

8. Engagement and assessment posture

9. Programme operations

10. Initiative progress

11. Budget and capacity

12. Decisions sought

13. Next quarter commitments

14. Action log and closure

Seven failure modes the quarterly review has to design against

The review becomes a status report rather than a decision cadence

The leadership view drifts from the operational record

The decisions sought are not named in advance

The action log is captured in chat and decays

The cadence slips and reviews happen on a six- or eight-month rhythm

The review covers operations but ignores risk, audit, and incident posture

The next-quarter commitments are aspirational rather than observable

Ten questions the quarterly review has to answer

How the package pairs with SecPortal

Buyer and operator pairing

Security Program Quarterly Review Template
fourteen sections for programme posture, risk posture, audit posture, incident posture, decisions, and next-quarter commitments