Boards need a regular, structured view of cyber so it's tracked like any other operational risk. A page each quarter is plenty. Use this template — same shape every quarter, so trends become visible.
How to use this: The bracketed items like [Company Name] are placeholders — replace them with your own details. Edit the wording to suit your business. This is a starter, not legal advice.
Where we are
Status, in one sentence: [e.g. Cyber Essentials renewed. Two open risks. No incidents this quarter.]
Top three active risks (with owner):
- [risk] — owner: [name]
- [risk] — owner: [name]
- [risk] — owner: [name]
Key metrics this quarter
| Metric | This Q | Last Q |
|---|---|---|
| MFA coverage | [X%] | [Y%] |
| Phishing-test click rate | [X%] | [Y%] |
| Critical patches outstanding > 14 days | [N] | [M] |
| Backup restores tested | [Y/N] | [Y/N] |
| Open admin-rights count | [N] | [M] |
What happened
- Incidents (reportable): [none / detail]
- Near-misses: [brief summary]
- Changes to IT supplier: [none / detail]
- New customer security questionnaires: [N], all answered? [Y/N]
What's next
- Investments this quarter: [item, cost]
- Risks accepted by the Board: [item]
- Decision asked of the Board: [one-liner]
- Next big milestone: [e.g. ISO 27001 stage 1 in May]
Regulatory / insurance
- Cyber insurance renewal: [date]
- Cyber Essentials renewal: [date]
- ICO interactions this quarter: [none / detail]
Sign-off
Prepared by [name] on [date]. Reviewed by [board chair / SRO].
Tips for adoption
- Same shape every quarter. Pattern recognition is the value.
- Numbers > adjectives. ‘Most’ is meaningless; ‘94%’ is a number.
- If the same risk appears three quarters running, the board hasn't actioned it. Ask why.