What is as CISOs job, exactly?
As someone who has overseen a number of shared CISOs and sold organisations on the need for someone in this role, I can tell you that the problem is that each organisation has different needs and different expectations of a CISO. Some expect operational support, some require a dedicated risk expert, some just want a Board-level representative of the security function who acts as a translator.
The core goal for the organisation is to know the risks, manage and monitor the risks, and communicate the risks to the organisations and any stakeholders. The CISO needs to think about the risks that the organisation cannot.
As an addition, the CISO should be able to lead the security function, the risk function, and/or the regulatory function of the business. But the expectations here are up to the organisation.
Deloitte has it's "Four Faces of the CISO" which is a pretty good guide for what a CISO should be.
CISOs continue to serve the vital functions of managing security technologies (technologist) and protecting enterprise assets (guardian). At the same time, they are increasingly expected to focus more on setting security strategy (strategist) and advising business leaders on security’s importance (advisor).
So, there is no set list of "things to do" for a CISO. There is a long list of things that need to be done, but you do not need a CISO to do them. For that, grab a framework (ISO 27001, NIST CSF, Cyber Essentials, etc.) and start the work. Your list in your question is a small set of things to tackle, but a good list.
The ground level requirement of CISO would vary organization to organization but following would be a high level guidance on the scope.
The CISO’s scope is to provide vision and leadership for developing and supporting security initiatives. The CISO governs the planning and implementation of enterprise IT system, business operation, and mechanisms defense against security attacks, breaches and vulnerability issues. This CISO is also responsible for auditing existing systems, while directing the administration of security policies, activities, and standards. The CISO also responsible in implementation of required security standards, compliance systems, audits, etc.
CISO’s job scope can be defined to below major domains:
Security Strategy planning and management: Eg: Lead strategic security planning to achieve business goals by prioritizing defense initiatives and coordinating the evaluation, deployment, and management of current and future security technologies using a risk-based assessment methodology.
Security planning and deployment: Eg: Identify the security needs of the organization and plan for deployment of required security mechanisms, standards, operational practices, etc
Security Operations: Eg: Manage the administration of all computer security systems and their corresponding or associated software, including firewalls, intrusion detection systems, cryptography systems, and anti-virus software.
Management Reporting: Eg: Act as the origination point for management reporting in terms of security related reports, dashboards, risk registry, etc