1. Purpose
Document [ORGANIZATION]'s prioritized cyber risk projects, programs, and budget allocations for the planning period, with explicit linkage to identified risks, compliance requirements, threat intelligence, and potential incident impacts.
2. Scope
This plan covers all funded and proposed cyber risk projects, programs, and operational activities for [CUSTOMIZE: FY2025 / the current planning period], across all business units and technology environments.
3. Plan Content
3.1 Planning Inputs
This program plan was developed using the following inputs:
Cyber Risk Strategy objectives and strategic priorities (approved [CUSTOMIZE: date])
Current Cyber Risk Register including [CUSTOMIZE: number] active risks rated High or above
Regulatory Compliance Register gap analysis findings from [CUSTOMIZE: date] review
Threat intelligence assessment for [CUSTOMIZE: current year] identifying [CUSTOMIZE: top threat trends]
Incident trend analysis covering the period [CUSTOMIZE: date range] identifying [CUSTOMIZE: key incident patterns/impacts]
Business impact analysis identifying [CUSTOMIZE: number] critical business processes and their associated technology dependencies
Prior year program performance report showing [CUSTOMIZE: completion rate and key outcomes]
3.2 Risk-Based Prioritization Methodology
Projects and programs are prioritized using a weighted scoring model incorporating the following criteria:
Risk Reduction Impact (Weight: [CUSTOMIZE: 30%]): Degree to which the initiative reduces exposure to identified High and Critical risks
Compliance Obligation (Weight: [CUSTOMIZE: 25%]): Whether the initiative addresses a binding regulatory requirement or examination finding
Threat Relevance (Weight: [CUSTOMIZE: 20%]): Alignment with current and emerging threat trends relevant to [ORGANIZATION]'s sector
Business Impact (Weight: [CUSTOMIZE: 15%]): Potential operational and financial impact if the risk materializes without the initiative
Implementation Feasibility (Weight: [CUSTOMIZE: 10%]): Resource availability, technical complexity, and organizational readiness
Projects scoring [CUSTOMIZE: 7.0] or above on the 10-point scale are classified as Priority 1. Projects scoring [CUSTOMIZE: 5.0-6.9] are Priority 2. Projects below [CUSTOMIZE: 5.0] are deferred unless mandated by regulatory requirements.
3.3 Funded Programs and Projects
The following table summarizes approved programs and projects for the current planning period:
[CUSTOMIZE: Insert program/project table with columns: Project Name | Priority | Risk(s) Addressed | Budget | Timeline | Owner | Status]
| Program/Project | Priority | Risk(s) Addressed | Budget | Timeline | Owner |
|---|---|---|---|---|---|
| [CUSTOMIZE: Project 1] | P1 | [CUSTOMIZE: Risk IDs] | [CUSTOMIZE: $] | [CUSTOMIZE: Q1-Q3] | [CUSTOMIZE: Owner] |
| [CUSTOMIZE: Project 2] | P1 | [CUSTOMIZE: Risk IDs] | [CUSTOMIZE: $] | [CUSTOMIZE: Q1-Q4] | [CUSTOMIZE: Owner] |
| [CUSTOMIZE: Project 3] | P2 | [CUSTOMIZE: Risk IDs] | [CUSTOMIZE: $] | [CUSTOMIZE: Q2-Q4] | [CUSTOMIZE: Owner] |
| [CUSTOMIZE: Project 4] | P2 | [CUSTOMIZE: Risk IDs] | [CUSTOMIZE: $] | [CUSTOMIZE: Q3-Q4] | [CUSTOMIZE: Owner] |
3.4 Budget Summary
Total approved cyber risk budget for [CUSTOMIZE: FY2025]: [CUSTOMIZE: $X,XXX,XXX]
Budget allocation by category: Personnel [CUSTOMIZE: XX%], Technology/Tools [CUSTOMIZE: XX%], Third-Party Services [CUSTOMIZE: XX%], Training [CUSTOMIZE: XX%], Contingency [CUSTOMIZE: XX%]
Budget allocation by strategic priority: [CUSTOMIZE: list priorities with allocated amounts]
Mid-year budget reallocation decisions will be made by [CUSTOMIZE: CISO/Executive Committee] based on changes to risk posture, emerging threats, or regulatory developments. Reallocations exceeding [CUSTOMIZE: $XX,XXX / 10%] require [CUSTOMIZE: CFO/Executive Committee] approval.
3.5 Performance Measurement
Program performance shall be measured quarterly against the following criteria:
Project milestone completion rate against planned timelines
Budget utilization versus planned allocation
Measurable risk reduction achieved (KRI improvement, risk ratings reduced)
Compliance gap closure rate
Program performance reports shall be provided to [CUSTOMIZE: Executive Risk Committee] quarterly and to [CUSTOMIZE: Board Risk Committee] semi-annually.
3.6 Reprioritization Process
The program plan may be reprioritized during the planning period in response to significant changes in risk posture, threat landscape, regulatory requirements, or incident impacts.
Reprioritization authority: Minor adjustments (within existing budget and timelines) may be approved by [CUSTOMIZE: CISO]. Material changes (budget reallocation, project addition/cancellation) require [CUSTOMIZE: Executive Committee] approval.
All reprioritization decisions shall be documented with rationale and communicated to affected stakeholders within [CUSTOMIZE: 5 business days].
4. Compliance
Compliance with this plan is mandatory for all personnel and functions within its scope. Compliance will be monitored through periodic audits, management review, and second line of defence oversight.
Exceptions to this plan must be documented with a business justification, approved by [CUSTOMIZE: CISO/Executive Risk Committee], and reviewed at least annually.
5. Review and Revision
This plan shall be reviewed at least annually by [CUSTOMIZE: CISO/Document Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, organizational structure, or risk appetite.
All revisions shall be documented with version number, date, author, and description of changes.
Document Approval
| Approved By | Title | Date |
|---|---|---|
| | | |
Document Control