Owner: CISO · Reviewed: Monthly and at every ISMS Management Review · Companion to: Compliance Calendar, SOC 2 System Description, and the in-repo
CHECKTHISOUT.md.How this document differs from the Compliance Calendar: the Compliance Calendar carries the policy-driven recurring cadences (annual, quarterly, monthly). This document is the operating-program view — what we are doing this week, this month, and this quarter to land Type I cleanly and to sustain Type II evidence through the full observation window.
Audit timeline anchors
| Milestone | Date | Status | Source |
|---|---|---|---|
| v1.0 policy effective date | May 8, 2026 | ✅ Done | Compliance Calendar |
| SOC 2 Type I observation date | June 22, 2026 | ⬜ Pending — opens in parallel with the Type II observation window | Compliance Frameworks |
| Type I fieldwork window | June 22, 2026 – late July 2026 | ⬜ Pending — opens 2026-06-22 | Compliance Frameworks |
| Type I report issuance | ~late August 2026 | Pending | Compliance Frameworks |
| Initial Type II observation window opens | June 22, 2026 (same day as Type I observation) | Pending | Compliance Frameworks |
| Initial Type II observation window closes | September 22, 2026 (3 months) | Pending | Compliance Frameworks |
| Initial Type II fieldwork | September 2026 | Pending | Compliance Frameworks |
| Initial Type II report issuance | ~October 2026 | Pending | Compliance Frameworks |
| Subsequent Type II observation window opens (first cycle) | September 22, 2026 | Pending | Compliance Frameworks |
| Subsequent Type II observation window closes (first cycle) | September 22, 2027 (12 months) | Pending | Compliance Frameworks |
| Subsequent Type II fieldwork (first cycle) | September 2027 | Pending | Compliance Frameworks |
| Subsequent Type II report issuance (first cycle) | ~October 2027 | Pending | Compliance Frameworks |
| Future annual cycles | Sep 22 → Sep 22 thereafter | Recurring | Compliance Frameworks |
How to read the tables
- Date column. Specific dates where they exist; otherwise the calendar week.
- Owner column. Tier-1 executive who is accountable. If a delegated owner exists, named in parentheses.
- Status. ⬜ Pending · 🟡 In progress · ✅ Done · ⏸ Held · 🔁 Recurring (cadenced — see the cadence column).
- Evidence destination. Where the audit-grade artifact lands. Almost always Vanta + the SharePoint SOC 2 / ISO 27001 evidence library (see SHAREPOINT.md).
Phase 1 — Type I readiness close-out (now → May 31, 2026)
Items needed to land the Type I report cleanly. Type I observation is June 22, 2026 — the same day the initial Type II observation window opens — so Phase 1 readiness items must close by end of May. Each CHECKTHISOUT row links back to the corresponding item in the readiness backlog.| # | Item | Date | Owner | Status | Evidence destination |
|---|---|---|---|---|---|
| 1.1 | VGC confirmation that engineering/ docs are auditor-acceptable as procedures* (CHECKTHISOUT #1) | By 2026-05-23 | Cameron Wolfe + VGC | ⬜ | SharePoint Evidence Library / Legal opinions |
| 1.2 | System Description v0 → v1.0 sign-off (this PR’s soc2-system-description.mdx) | By 2026-05-30 | CEO + CTO + CISO | ⬜ | SharePoint Evidence Library / System Description |
| 1.3 | Management Assertion letter signed | Before Type I report issuance | CEO + CTO | ⬜ | SharePoint Evidence Library / Management Assertion |
| 1.4 | Vanta dashboard reconciliation — every control in scope green | This week, then ongoing | CISO | 🟡 | Vanta directly |
| 1.5 | Auditor evidence requests responded to within Advantage Partners’ stated turnaround | Throughout fieldwork | CISO | 🟡 | Vanta + SharePoint share-out |
| 1.6 | Q2 2026 access reviews — fill in the “Pending Q2 2026” stamps in Access Reviews (CHECKTHISOUT #9) | By 2026-06-30 | CISO | ⬜ | SharePoint Evidence Library / Access Reviews / 2026-Q2 |
| 1.7 | Update /engineering/vulnerability-management.mdx row 25 — replace (todo: vendor) with the named pen-test firm or the standing-engagement language | This week | CISO | ✅ | Horizon3 named 2026-06-12 (replacing Agency) |
| 1.8 | Cold-log retrieval SLA SRE confirmation — confirm S3 storage class supports the 4h Sev-1/2 SLA (CHECKTHISOUT #12) | By 2026-05-30 | CTO + CISO | ⬜ | SharePoint Evidence Library / Operations / Cold-log retrieval |
| 1.9 | IT provisioning runbook → bucket mapping (CHECKTHISOUT #8) | By 2026-06-06 | IT lead + CISO + CTO | ⬜ | SharePoint / IT Operations / Provisioning runbook |
| 1.10 | AI Review Log dates — verify or backfill the 2026-05-07 cross-references (CHECKTHISOUT #13) | By 2026-05-30 | GC + CTO | ⬜ | /registers/ai-review-log |
| 1.11 | Checkr CSM mapping confirmation (CHECKTHISOUT #14) | By 2026-06-29 | CISO + CHRO | ⬜ | SharePoint / Vendor evidence / Checkr |
Phase 2 — Pre-Type-I + pre-Type-II launch (now → May 31, 2026)
Roughly a one-week window. Both audits open June 22, 2026 in parallel — Type I observation is the same day the initial Type II observation window opens. Phase 1 (Type I readiness close-out) and Phase 2 (Type II evidence-collection mechanics) run in parallel through end of May. Everything must be in place by May 31 so day-1 evidence collection (June 22) is real, not retroactive, and so the Type I point-in-time picture is clean. The initial Type II window is only three months long (June 22 – September 22, 2026) — Advantage Partners has agreed to the abbreviated cycle to put an attested Type II report in customers’ hands within ~4 months of Type I observation, but the short window narrows the room for any cadenced control to slip even once. Some Phase 2 items (the heavy ones: pen-test vendor engagement, awareness-training rollout) will slip past June 22 on lead time — they continue into Phase 3.| # | Item | Date | Owner | Status | Evidence destination |
|---|---|---|---|---|---|
| 2.1 | Pen-test vendor shortlist + outreach (CHECKTHISOUT #3) — engagement letter won’t sign in 2 weeks, but vendor identified and scoped | By 2026-05-31 | CISO | ⬜ | SharePoint / Vendor evidence / Pen-test firm |
| 2.2 | Pen-test scope letter signed — completion target slips into Phase 3 | By 2026-06-15 | CISO | ⬜ | SharePoint / Vendor evidence / Pen-test firm |
| 2.3 | First ISMS Management Review session scheduled in the Compliance Calendar — propose mid-July to land inside the initial window (CHECKTHISOUT #2) | By 2026-05-31 | CISO | ⬜ | Compliance Calendar + SharePoint / Management Review Minutes |
| 2.4 | Security Awareness Training baseline live in Vanta — baseline + at least the engineering / production-access role module wired (CHECKTHISOUT #5) | By 2026-05-31 | CISO + CHRO | ⬜ | Vanta directly |
| 2.5 | Security Awareness Training role-specific modules + Rippling event-driven assignment + existing-workforce re-attest complete | By 2026-06-29 | CISO + CHRO | ⬜ | Vanta directly |
| 2.6 | Baseline Annual Risk Assessment kicked off (CHECKTHISOUT #6) | By 2026-05-31 | CISO | ⬜ | /registers/annual-risk-assessment/2026.mdx (create on first run) |
| 2.7 | Evidence-repository structure ready in SharePoint — folders named to match Vanta control IDs | By 2026-05-31 | CISO | ⬜ | SharePoint Evidence Library / index |
| 2.8 | First weekly Log Review note committed (per Log Review procedure) | Week of 2026-06-22 | CISO | ⬜ | /sharepoint/evidence-library/log-reviews/2026/ or per repo location agreed with auditor |
| 2.9 | Audit Committee constitution decision (CHECKTHISOUT #10) — formally deferred 2026-05-16 per the Audit Committee Deferral Memo 2026 (compensating controls: VGC quarterly review of risk register + ISMS-MR minutes; conflict-routing of whistleblower reports). | 🟡 Memo CEO-approved 2026-05-17 (per Slack DM ack — URLs on the Memo sign-off block). VGC concurrence + engagement-letter scope amendment outstanding (target 2026-05-25 per /program/vgc-engagement-amendment-2026-05.md) | CEO ✅ + GC ⬜ | 🟡 | Memo at /registers/audit-committee-deferral-memo-2026.md (CEO line approved); VGC scope-amendment email to be filed at SharePoint > SOC 2 > Governance |
| 2.10 | Brazil + India operational specifics closed (CHECKTHISOUT #15) — TST Súmula 51 memo, Portuguese consent, India PCC sourcing, Aadhaar exclusion confirmation, DPIAs, ROPA entries, EOR vs. direct | By 2026-06-29 (slips into Phase 3) | CHRO + GC + CISO | ⬜ | SharePoint / Privacy / DPIAs, /registers/ropa, SharePoint / CHRO / international |
| 2.11 | Type I report received from Advantage Partners | ~late August 2026 (lands during Phase 3) | Advantage Partners | ⬜ | SharePoint Evidence Library / SOC 2 reports |
Phase 3 — Initial Type II observation window (June 22 – September 22, 2026 — 3 months)
The only window for the initial Type II report. Every cadenced control must operate cleanly at least once; continuous controls must remain green throughout. Anything missed in this window cannot be made up — the initial report literally tests this slice. Type I fieldwork runs in parallel through ~late July 2026. Type I observation is the same day Phase 3 opens (June 22), so the first ~6 weeks of Phase 3 also carry Type I fieldwork load: responding to Advantage Partners’ evidence requests against the as-of-June-22 control design while operating-effectiveness evidence is being collected for Type II. Plan CISO and CTO calendars accordingly.| # | Item | Cadence | Date | Owner | Status | Evidence destination |
|---|---|---|---|---|---|---|
| 3.1 | First quarterly DR & Backup-Restore Test (procedure) (CHECKTHISOUT #4) | Quarterly | By 2026-06-30 | CTO (SRE lead) | ⬜ | /registers/dr-tests/2026-Q2.mdx (create on first test) |
| 3.2 | First quarterly ISMS Management Review — deep dive on Logging & Monitoring + Incident Response | Quarterly | 2026-07-15 (Wed) — calendar invite to CEO, CTO, CISO, GC (VGC), CHRO | CISO (chairs) | ⬜ | /registers/management-review-minutes/2026-Q3.mdx |
| 3.3 | Pen-test fieldwork — must complete by end of July to leave time for retest before the initial window closes | Annual | June – July 2026 | CISO + named vendor | ⬜ | SharePoint / Vendor evidence / Pen-test |
| 3.4 | Pen-test retest of Critical / High findings — within 30 days of remediation per Operations Security | Per finding | July – August 2026 | CISO | ⬜ | SharePoint / Vendor evidence / Pen-test / Retest |
| 3.5 | Q2 2026 access reviews — covers period ending June 30, falls inside the initial window | Quarterly | By 2026-06-30 | CISO | ⬜ | SharePoint Evidence Library / Access Reviews / 2026-Q2 |
| 3.6 | First phishing simulation (per Security Awareness Training) | Twice per year (semi-annual) | June – July 2026 | CISO | ⬜ | Vanta + SharePoint / Evidence Library / Awareness Training |
| 3.7 | Baseline Annual Risk Assessment completed and signed | Annual | By 2026-07-31 | CISO | ⬜ | /registers/annual-risk-assessment/2026.mdx |
| 3.8 | Six High-tier vendor reviews pulled into window per Vendor Annual Review Schedule — AWS (Jun 30), Vultr (Jul 15), Rippling (Jul 31), HashiCorp (Aug 15), Anthropic (Aug 30), OpenAI (Aug 30). Remaining 12 High-tier vendors on natural cadence in subsequent window. | Annual per vendor | Jun 30 – Aug 30, 2026 | CISO + CFO | ⬜ | SharePoint / Vendor evidence / <vendor> / Annual Review Note |
| 3.9 | Continuous controls — Vanta dashboard green throughout | Continuous | Jun 22 – Sep 22 | CISO | 🔁 | Vanta |
| 3.10 | Per-event controls — every onboard, offboard, vendor onboarding, change, incident, key rotation has evidence | Per event | Jun 22 – Sep 22 | Role-specific | 🔁 | SharePoint Evidence Library |
| 3.11 | Monthly admin-activity review (Log Review procedure) — 3 cycles | Monthly | Jun / Jul / Aug 2026 | CISO + CTO | 🔁 | /sharepoint/evidence-library/log-reviews/2026/admin/ |
| 3.12 | Weekly Log Reviews — ~13 cycles across the window | Weekly | Every week Jun – Sep | CISO | 🔁 | /sharepoint/evidence-library/log-reviews/2026/<isoweek>/ |
| 3.13 | Mid-window Advantage Partners check-in — calibration on evidence-collection cadence | Once in window | Late July 2026 | CISO + Advantage Partners | ⬜ | SharePoint / Evidence Library / Auditor correspondence |
Phase 4 — Initial Type II fieldwork + report (September 2026 – October 2026)
The initial Type II window closes September 22, 2026. Fieldwork starts immediately; the report follows about a month later.| # | Item | Date | Owner | Status |
|---|---|---|---|---|
| 4.1 | Initial Type II fieldwork | September 2026 | CISO + Advantage Partners | ⬜ |
| 4.2 | Auditor evidence requests answered within Advantage Partners’ stated turnaround | Throughout fieldwork | CISO | ⬜ |
| 4.3 | Management Representation Letter for the initial Type II signed | At fieldwork close | CEO + CTO + CISO | ⬜ |
| 4.4 | Initial Type II report received | ~October 2026 | Advantage Partners | ⬜ |
| 4.5 | Initial Type II report distributed to customers under NDA per Trust Center commitment | After receipt | CISO + CSM (where engaged) | ⬜ |
Phase 5 — Subsequent Type II Q1 (September 22 – November 30, 2026)
| # | Item | Cadence | Date | Owner | Status |
|---|---|---|---|---|---|
| 5.1 | Q3 2026 access reviews | Quarterly | By 2026-09-30 | CISO | ⬜ |
| 5.2 | Q3 2026 DR & Backup-Restore Test | Quarterly | By 2026-09-30 | CTO (SRE lead) | ⬜ |
| 5.3 | Q3 2026 ISMS Management Review — deep dive on Logging & Monitoring + Incident Response (already covered in Phase 3.2; second session may rotate domain) | Quarterly | September – October 2026 | CISO | ⬜ |
| 5.4 | Second phishing simulation | Twice per year (semi-annual) | October – November 2026 | CISO | ⬜ |
| 5.5 | All CHECKTHISOUT items closed | One-shot | By 2026-11-30 | CISO | ⬜ |
| 5.6 | Continuous + per-event controls continue with evidence | Continuous + per-event | Throughout | All | 🔁 |
Phase 6 — Subsequent Type II Q2 (December 1, 2026 – February 28, 2027)
| # | Item | Cadence | Date | Owner | Status |
|---|---|---|---|---|---|
| 6.1 | Q4 2026 access reviews | Quarterly | By 2026-12-31 | CISO | ⬜ |
| 6.2 | Q4 2026 DR & Backup-Restore Test | Quarterly | By 2026-12-31 | CTO | ⬜ |
| 6.3 | Q4 2026 ISMS Management Review — deep dive on Business Continuity / DR + Physical Security | Quarterly | December 2026 | CISO | ⬜ |
| 6.4 | Annual DR tabletop exercise (or live failover if alternating-years schedule calls for it) | Annual | November 2026 – February 2027 | CTO + CISO | ⬜ |
| 6.5 | Continuous + per-event controls | Continuous + per-event | Throughout | All | 🔁 |
Phase 7 — Subsequent Type II Q3 (March 1 – May 31, 2027)
| # | Item | Cadence | Date | Owner | Status |
|---|---|---|---|---|---|
| 7.1 | Annual Risk Assessment refresh — due by April 30 per procedure | Annual | By 2027-04-30 | CISO | ⬜ |
| 7.2 | Annual policy re-acknowledgement — every employee + contractor re-acks all 25 policies (one year after v1.0 effective date) | Annual | By 2027-05-08 | CISO + CHRO | ⬜ |
| 7.3 | Q1 2027 access reviews | Quarterly | By 2027-03-31 | CISO | ⬜ |
| 7.4 | Q1 2027 DR & Backup-Restore Test | Quarterly | By 2027-03-31 | CTO | ⬜ |
| 7.5 | Q1 2027 ISMS Management Review — annual extended session covering all control domains in summary; deep dive on Access Control + Vendor Management | Quarterly (annual session) | Q1 2027 | CISO | ⬜ |
| 7.6 | Continuous + per-event controls | Continuous + per-event | Throughout | All | 🔁 |
Phase 8 — Subsequent Type II Q4 + pre-fieldwork (June 22 – September 14, 2027)
| # | Item | Cadence | Date | Owner | Status |
|---|---|---|---|---|---|
| 8.1 | Q2 2027 access reviews | Quarterly | By 2027-06-30 | CISO | ⬜ |
| 8.2 | Q2 2027 DR & Backup-Restore Test | Quarterly | By 2027-06-30 | CTO | ⬜ |
| 8.3 | Q2 2027 ISMS Management Review — deep dive on Secure Development + Vulnerability Management | Quarterly | Q2 2027 | CISO | ⬜ |
| 8.4 | Year-2 annual pen test — fieldwork must close in time for retest before the subsequent window closes Sep 22 | Annual | May – July 2027 | CISO + vendor | ⬜ |
| 8.5 | Year-2 pen-test retest of Critical / High findings | Per finding | June – August 2027 | CISO | ⬜ |
| 8.6 | Year-2 phishing simulation cycle — two campaigns within the 12-month window | Twice per year (semi-annual) | One in Mar – May, one in Jun – Aug 2027 | CISO | ⬜ |
| 8.7 | Evidence-pack completeness review before fieldwork — sample every control class, confirm Vanta + SharePoint have the artifact | One-shot | August 2027 | CISO | ⬜ |
| 8.8 | Subsequent Type II fieldwork kickoff with Advantage Partners | One-shot | Mid-September 2027 | CISO + Advantage Partners | ⬜ |
Phase 9 — Subsequent Type II fieldwork + report (September 2027 – October 2027)
| # | Item | Date | Owner | Status |
|---|---|---|---|---|
| 9.1 | Subsequent Type II fieldwork | September 2027 | CISO + Advantage Partners | ⬜ |
| 9.2 | Auditor evidence requests answered within Advantage Partners’ stated turnaround | Throughout fieldwork | CISO | ⬜ |
| 9.3 | Management Representation Letter for the subsequent Type II signed | At fieldwork close | CEO + CTO + CISO | ⬜ |
| 9.4 | Subsequent Type II report received | ~October 2027 | Advantage Partners | ⬜ |
| 9.5 | Subsequent Type II report distributed to customers under NDA per Trust Center commitment | After receipt | CISO + CSM (where engaged) | ⬜ |
Standing recurring controls (operating throughout the window)
These run continuously; the table is the auditor’s-eye view of what evidence the report will sample.| Control class | Cadence | Owner | Where evidence lands |
|---|---|---|---|
| MFA enforcement on all workforce accounts | Continuous | CISO | Vanta IdP integration tests |
| Encryption at rest + in transit | Continuous | CTO + CISO | Vanta cloud-config tests + Vault audit-device logs |
| Logging and monitoring path | Continuous | CTO + CISO | Better Stack + CloudWatch + S3 Object Lock |
| Vulnerability scanning | Continuous | CISO | Semgrep / CodeQL / Snyk / Trivy / Gitleaks reports |
| Endpoint management | Continuous | CISO | Rippling MDM + EDR compliance reports |
| Secrets management | Continuous | CTO | Vault audit-device logs + GitHub secret-scanning |
| Branch protection + CI signals | Continuous | CTO | GitHub branch-protection settings + GHAS findings |
| Onboarding (per new hire) | Per event | CHRO + CISO | SharePoint / CHRO / Onboarding records |
| Offboarding (per departure) | Per event | CHRO + CISO | Rippling deprovisioning logs + SharePoint / CHRO / Offboarding records |
| Vendor onboarding (per new vendor) | Per event | CISO + CFO | SharePoint / Vendor evidence + Vendor Inventory |
| Vendor annual review (per High-tier vendor) | Annual per vendor | CISO | SharePoint / Vendor evidence / <vendor> / Annual Review Note |
| Change management (per prod change) | Per event | CTO | GitHub PR + Linear ticket trail + release-pipeline logs |
| Incident response (per incident) | Per event | CISO (IR commander) | Linear “Security Incidents” + SharePoint / Incident Records |
| Key rotation (per procedure) | Routine + emergency | CTO + CISO | SharePoint / Evidence Library / Key Rotation Evidence Notes |
| Weekly log review | Weekly | CISO | /sharepoint/evidence-library/log-reviews/<year>/<isoweek>/ |
| Monthly admin-activity review | Monthly | CISO + CTO | /sharepoint/evidence-library/log-reviews/<year>/admin/ |
Risk register — top near-term risks to the Type I and Type II timelines
The 3-month initial Type II window materially raises the impact of every slippage risk below. A control that runs quarterly can only operate once inside a 3-month window — there is no second chance.| Risk | Likelihood | Impact | Treatment |
|---|---|---|---|
| Pen-test slips past August 2026, leaving no pen-test evidence in the initial Type II report | High (raised) | High (raised) | Vendor shortlist + outreach by May 31; engagement letter signed by June 15; fieldwork in June–July; retest in July–August. Phases 2.1, 2.2, 3.3, 3.4. With Type I and Type II both opening June 22, the ~three-week pre-launch window makes this the single most schedule-sensitive item. |
| Quarterly cadenced control misses its single in-window cycle (DR test, ISMS Management Review, access review) | Medium | High (raised) | Phase 3 dates are non-negotiable; each control has a named owner and a deadline at least 2 weeks before the window-close on Sep 22. |
| Vanta dashboard goes red during the observation window | Medium | High | Continuous Vanta hygiene; weekly walk by the CISO; remediation SLA per Operations Security |
| First DR test or first ISMS Management Review slips | Medium | Medium | Calendared explicitly in Phases 2 and 3; backed by the Compliance Calendar |
| No incident in window — auditor expects to see IR machinery exercised | Low | Low | If no real incident, run a deliberate IR tabletop and document the after-action per Information Security → Management Review |
| Customer-facing System Description ambiguity triggers fieldwork delays | Medium | Medium | v1.0 sign-off in Phase 1.2; review with Advantage Partners before fieldwork; periodic refresh on material change |
| Brazil / India workforce-screening operational specifics lag the documented BR + IN workforce | Medium | High (raised) — these workers exist today, not future | Phase 2.10 deadline of 2026-06-29; deliverables in Non-US Workforce SOC 2 Brief |
| CHECKTHISOUT item slippage | Medium | Medium | Reviewed at every ISMS Management Review; any item slipping twice escalates to the CEO |
Cross-references
- Compliance Frameworks — framework commitments and dates
- Compliance Calendar — policy-driven recurring cadences
- SOC 2 System Description — Section III narrative
- Controls Inventory — control-list of record
CHECKTHISOUT.md(repo root) — the source list of human-action items this timeline schedules
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | 2026-05-16 | Initial — companion to the System Description and CHECKTHISOUT.md | Cameron Wolfe | Ishan Jadhwani |