vCISO Monthly Activities SOP
Sub-procedure of vcto-vciso-engagement-sop.md
Overview
Standardized monthly activities and deliverables for ongoing vCISO engagements, ensuring consistent security program oversight, continuous improvement, and executive-level security leadership.
Scope
Parent SOP: vCTO/vCISO Engagement
Pillar: Plan (Strategic Advisory) & Protect (Security)
Service Area: vCISO Services
Prerequisites
- Parent SOP requirements met (active vCISO engagement)
- vCISO Engagement onboarding completed (see vciso-engagement-sop.md)
- Monthly meeting cadence established
- Access to security tools and dashboards configured
- Communication channels active
Procedure
Step 1: Monthly Security Review (Week 1)
- Review security incident reports from the previous month
- Analyze security tool dashboards and metrics
- Assess vulnerability scan results and remediation status
- Review security awareness training completion
- Check compliance calendar for upcoming deadlines
Step 2: Risk Register Update (Week 1-2)
- Review and update risk register entries
- Assess new risks identified during the month
- Update risk scores based on mitigation progress
- Document risk treatment decisions
- Escalate critical risks as appropriate
Step 3: Roadmap Progress Review (Week 2)
- Assess progress against security roadmap milestones
- Identify blockers and resource constraints
- Adjust priorities based on changing threats or business needs
- Update roadmap with new initiatives or timeline changes
- Document completed initiatives and outcomes
Step 4: Vendor and Third-Party Review (Week 2)
- Review third-party risk assessments that are due or expiring
- Assess new vendor security questionnaires
- Monitor critical vendor security posture
- Update vendor risk inventory
- Address vendor security concerns
Step 5: Policy and Procedure Review (Week 3)
- Identify policies due for annual review
- Address policy exceptions or violations
- Update procedures based on operational feedback
- Track policy acknowledgment compliance
- Document policy changes needed
Step 6: Strategic Advisory Activities (Week 3)
- Prepare for or attend leadership meetings
- Provide guidance on security-related decisions
- Review proposed technology changes for security impact
- Advise on security implications of business initiatives
- Support vendor security evaluations
Step 7: Monthly Report Development (Week 4)
- Compile monthly security metrics and KPIs
- Summarize incidents and remediation status
- Document roadmap progress and adjustments
- Highlight key risks and recommendations
- Prepare executive summary for leadership
Step 8: Monthly Stakeholder Meeting (Week 4)
- Present monthly security report
- Review action items and decisions needed
- Discuss upcoming priorities and initiatives
- Address stakeholder questions and concerns
- Document meeting outcomes and action items
Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| Monthly Security Report | Document (3-5 pages) | vCISO |
| Updated Risk Register | Spreadsheet | vCISO |
| Roadmap Status Update | Visual/Document | vCISO |
| Meeting Minutes | Document | vCISO |
| Action Item Tracker | Spreadsheet | vCISO |
Quality Gates
- All security incidents reviewed and documented
- Risk register current and accurate
- Roadmap progress tracked against milestones
- Monthly report delivered on schedule
- Stakeholder meeting conducted and documented
- Action items from previous month addressed
- Compliance calendar reviewed and current
Related Documents
- Parent SOP: vCTO/vCISO Engagement
- vCISO Engagement SOP
- vCISO Board Reporting SOP
- Status Reporting SOP
- Cross-Pillar SOPs
- Templates
Last Updated: February 2026
Parent SOP: vcto-vciso-engagement-sop.md