Owner: CISO  ·  Reviewed: Monthly and at every ISMS Management Review  ·  Companion to: Compliance Calendar, SOC 2 System Description, and the in-repo CHECKTHISOUT.md.
This document is the working calendar for SOC 2 Type I and Type II readiness — every CHECKTHISOUT item, every cadenced control, and every per-event control with a date and an owner. It is updated monthly (and at every ISMS Management Review) and serves as the single source of truth for “what is due when and who owns it.”
How this document differs from the Compliance Calendar: the Compliance Calendar carries the policy-driven recurring cadences (annual, quarterly, monthly). This document is the operating-program view — what we are doing this week, this month, and this quarter to land Type I cleanly and to sustain Type II evidence through the full observation window.

Audit timeline anchors

MilestoneDateStatusSource
v1.0 policy effective dateMay 8, 2026✅ DoneCompliance Calendar
SOC 2 Type I observation dateJune 22, 2026⬜ Pending — opens in parallel with the Type II observation windowCompliance Frameworks
Type I fieldwork windowJune 22, 2026 – late July 2026⬜ Pending — opens 2026-06-22Compliance Frameworks
Type I report issuance~late August 2026PendingCompliance Frameworks
Initial Type II observation window opensJune 22, 2026 (same day as Type I observation)PendingCompliance Frameworks
Initial Type II observation window closesSeptember 22, 2026 (3 months)PendingCompliance Frameworks
Initial Type II fieldworkSeptember 2026PendingCompliance Frameworks
Initial Type II report issuance~October 2026PendingCompliance Frameworks
Subsequent Type II observation window opens (first cycle)September 22, 2026PendingCompliance Frameworks
Subsequent Type II observation window closes (first cycle)September 22, 2027 (12 months)PendingCompliance Frameworks
Subsequent Type II fieldwork (first cycle)September 2027PendingCompliance Frameworks
Subsequent Type II report issuance (first cycle)~October 2027PendingCompliance Frameworks
Future annual cyclesSep 22 → Sep 22 thereafterRecurringCompliance Frameworks

How to read the tables

  • Date column. Specific dates where they exist; otherwise the calendar week.
  • Owner column. Tier-1 executive who is accountable. If a delegated owner exists, named in parentheses.
  • Status. ⬜ Pending · 🟡 In progress · ✅ Done · ⏸ Held · 🔁 Recurring (cadenced — see the cadence column).
  • Evidence destination. Where the audit-grade artifact lands. Almost always Vanta + the SharePoint SOC 2 / ISO 27001 evidence library (see SHAREPOINT.md).

Phase 1 — Type I readiness close-out (now → May 31, 2026)

Items needed to land the Type I report cleanly. Type I observation is June 22, 2026 — the same day the initial Type II observation window opens — so Phase 1 readiness items must close by end of May. Each CHECKTHISOUT row links back to the corresponding item in the readiness backlog.
#ItemDateOwnerStatusEvidence destination
1.1VGC confirmation that engineering/ docs are auditor-acceptable as procedures* (CHECKTHISOUT #1)By 2026-05-23Cameron Wolfe + VGCSharePoint Evidence Library / Legal opinions
1.2System Description v0 → v1.0 sign-off (this PR’s soc2-system-description.mdx)By 2026-05-30CEO + CTO + CISOSharePoint Evidence Library / System Description
1.3Management Assertion letter signedBefore Type I report issuanceCEO + CTOSharePoint Evidence Library / Management Assertion
1.4Vanta dashboard reconciliation — every control in scope greenThis week, then ongoingCISO🟡Vanta directly
1.5Auditor evidence requests responded to within Advantage Partners’ stated turnaroundThroughout fieldworkCISO🟡Vanta + SharePoint share-out
1.6Q2 2026 access reviews — fill in the “Pending Q2 2026” stamps in Access Reviews (CHECKTHISOUT #9)By 2026-06-30CISOSharePoint Evidence Library / Access Reviews / 2026-Q2
1.7Update /engineering/vulnerability-management.mdx row 25 — replace (todo: vendor) with the named pen-test firm or the standing-engagement languageThis weekCISOHorizon3 named 2026-06-12 (replacing Agency)
1.8Cold-log retrieval SLA SRE confirmation — confirm S3 storage class supports the 4h Sev-1/2 SLA (CHECKTHISOUT #12)By 2026-05-30CTO + CISOSharePoint Evidence Library / Operations / Cold-log retrieval
1.9IT provisioning runbook → bucket mapping (CHECKTHISOUT #8)By 2026-06-06IT lead + CISO + CTOSharePoint / IT Operations / Provisioning runbook
1.10AI Review Log dates — verify or backfill the 2026-05-07 cross-references (CHECKTHISOUT #13)By 2026-05-30GC + CTO/registers/ai-review-log
1.11Checkr CSM mapping confirmation (CHECKTHISOUT #14)By 2026-06-29CISO + CHROSharePoint / Vendor evidence / Checkr

Phase 2 — Pre-Type-I + pre-Type-II launch (now → May 31, 2026)

Roughly a one-week window. Both audits open June 22, 2026 in parallel — Type I observation is the same day the initial Type II observation window opens. Phase 1 (Type I readiness close-out) and Phase 2 (Type II evidence-collection mechanics) run in parallel through end of May. Everything must be in place by May 31 so day-1 evidence collection (June 22) is real, not retroactive, and so the Type I point-in-time picture is clean. The initial Type II window is only three months long (June 22 – September 22, 2026) — Advantage Partners has agreed to the abbreviated cycle to put an attested Type II report in customers’ hands within ~4 months of Type I observation, but the short window narrows the room for any cadenced control to slip even once. Some Phase 2 items (the heavy ones: pen-test vendor engagement, awareness-training rollout) will slip past June 22 on lead time — they continue into Phase 3.
#ItemDateOwnerStatusEvidence destination
2.1Pen-test vendor shortlist + outreach (CHECKTHISOUT #3) — engagement letter won’t sign in 2 weeks, but vendor identified and scopedBy 2026-05-31CISOSharePoint / Vendor evidence / Pen-test firm
2.2Pen-test scope letter signed — completion target slips into Phase 3By 2026-06-15CISOSharePoint / Vendor evidence / Pen-test firm
2.3First ISMS Management Review session scheduled in the Compliance Calendar — propose mid-July to land inside the initial window (CHECKTHISOUT #2)By 2026-05-31CISOCompliance Calendar + SharePoint / Management Review Minutes
2.4Security Awareness Training baseline live in Vanta — baseline + at least the engineering / production-access role module wired (CHECKTHISOUT #5)By 2026-05-31CISO + CHROVanta directly
2.5Security Awareness Training role-specific modules + Rippling event-driven assignment + existing-workforce re-attest completeBy 2026-06-29CISO + CHROVanta directly
2.6Baseline Annual Risk Assessment kicked off (CHECKTHISOUT #6)By 2026-05-31CISO/registers/annual-risk-assessment/2026.mdx (create on first run)
2.7Evidence-repository structure ready in SharePoint — folders named to match Vanta control IDsBy 2026-05-31CISOSharePoint Evidence Library / index
2.8First weekly Log Review note committed (per Log Review procedure)Week of 2026-06-22CISO/sharepoint/evidence-library/log-reviews/2026/ or per repo location agreed with auditor
2.9Audit Committee constitution decision (CHECKTHISOUT #10) — formally deferred 2026-05-16 per the Audit Committee Deferral Memo 2026 (compensating controls: VGC quarterly review of risk register + ISMS-MR minutes; conflict-routing of whistleblower reports).🟡 Memo CEO-approved 2026-05-17 (per Slack DM ack — URLs on the Memo sign-off block). VGC concurrence + engagement-letter scope amendment outstanding (target 2026-05-25 per /program/vgc-engagement-amendment-2026-05.md)CEO ✅ + GC ⬜🟡Memo at /registers/audit-committee-deferral-memo-2026.md (CEO line approved); VGC scope-amendment email to be filed at SharePoint > SOC 2 > Governance
2.10Brazil + India operational specifics closed (CHECKTHISOUT #15) — TST Súmula 51 memo, Portuguese consent, India PCC sourcing, Aadhaar exclusion confirmation, DPIAs, ROPA entries, EOR vs. directBy 2026-06-29 (slips into Phase 3)CHRO + GC + CISOSharePoint / Privacy / DPIAs, /registers/ropa, SharePoint / CHRO / international
2.11Type I report received from Advantage Partners~late August 2026 (lands during Phase 3)Advantage PartnersSharePoint Evidence Library / SOC 2 reports

Phase 3 — Initial Type II observation window (June 22 – September 22, 2026 — 3 months)

The only window for the initial Type II report. Every cadenced control must operate cleanly at least once; continuous controls must remain green throughout. Anything missed in this window cannot be made up — the initial report literally tests this slice. Type I fieldwork runs in parallel through ~late July 2026. Type I observation is the same day Phase 3 opens (June 22), so the first ~6 weeks of Phase 3 also carry Type I fieldwork load: responding to Advantage Partners’ evidence requests against the as-of-June-22 control design while operating-effectiveness evidence is being collected for Type II. Plan CISO and CTO calendars accordingly.
#ItemCadenceDateOwnerStatusEvidence destination
3.1First quarterly DR & Backup-Restore Test (procedure) (CHECKTHISOUT #4)QuarterlyBy 2026-06-30CTO (SRE lead)/registers/dr-tests/2026-Q2.mdx (create on first test)
3.2First quarterly ISMS Management Review — deep dive on Logging & Monitoring + Incident ResponseQuarterly2026-07-15 (Wed) — calendar invite to CEO, CTO, CISO, GC (VGC), CHROCISO (chairs)/registers/management-review-minutes/2026-Q3.mdx
3.3Pen-test fieldwork — must complete by end of July to leave time for retest before the initial window closesAnnualJune – July 2026CISO + named vendorSharePoint / Vendor evidence / Pen-test
3.4Pen-test retest of Critical / High findings — within 30 days of remediation per Operations SecurityPer findingJuly – August 2026CISOSharePoint / Vendor evidence / Pen-test / Retest
3.5Q2 2026 access reviews — covers period ending June 30, falls inside the initial windowQuarterlyBy 2026-06-30CISOSharePoint Evidence Library / Access Reviews / 2026-Q2
3.6First phishing simulation (per Security Awareness Training)Twice per year (semi-annual)June – July 2026CISOVanta + SharePoint / Evidence Library / Awareness Training
3.7Baseline Annual Risk Assessment completed and signedAnnualBy 2026-07-31CISO/registers/annual-risk-assessment/2026.mdx
3.8Six High-tier vendor reviews pulled into window per Vendor Annual Review Schedule — AWS (Jun 30), Vultr (Jul 15), Rippling (Jul 31), HashiCorp (Aug 15), Anthropic (Aug 30), OpenAI (Aug 30). Remaining 12 High-tier vendors on natural cadence in subsequent window.Annual per vendorJun 30 – Aug 30, 2026CISO + CFOSharePoint / Vendor evidence / <vendor> / Annual Review Note
3.9Continuous controls — Vanta dashboard green throughoutContinuousJun 22 – Sep 22CISO🔁Vanta
3.10Per-event controls — every onboard, offboard, vendor onboarding, change, incident, key rotation has evidencePer eventJun 22 – Sep 22Role-specific🔁SharePoint Evidence Library
3.11Monthly admin-activity review (Log Review procedure) — 3 cyclesMonthlyJun / Jul / Aug 2026CISO + CTO🔁/sharepoint/evidence-library/log-reviews/2026/admin/
3.12Weekly Log Reviews — ~13 cycles across the windowWeeklyEvery week Jun – SepCISO🔁/sharepoint/evidence-library/log-reviews/2026/<isoweek>/
3.13Mid-window Advantage Partners check-in — calibration on evidence-collection cadenceOnce in windowLate July 2026CISO + Advantage PartnersSharePoint / Evidence Library / Auditor correspondence

Phase 4 — Initial Type II fieldwork + report (September 2026 – October 2026)

The initial Type II window closes September 22, 2026. Fieldwork starts immediately; the report follows about a month later.
#ItemDateOwnerStatus
4.1Initial Type II fieldworkSeptember 2026CISO + Advantage Partners
4.2Auditor evidence requests answered within Advantage Partners’ stated turnaroundThroughout fieldworkCISO
4.3Management Representation Letter for the initial Type II signedAt fieldwork closeCEO + CTO + CISO
4.4Initial Type II report received~October 2026Advantage Partners
4.5Initial Type II report distributed to customers under NDA per Trust Center commitmentAfter receiptCISO + CSM (where engaged)
Phases 5 – 8 below cover the first subsequent Type II window — September 22, 2026 → September 22, 2027 — running in parallel with (and continuing past) the initial-Type-II fieldwork in Phase 4. Subsequent observation begins the moment the initial window closes, with no gap, so evidence collection never pauses.

Phase 5 — Subsequent Type II Q1 (September 22 – November 30, 2026)

#ItemCadenceDateOwnerStatus
5.1Q3 2026 access reviewsQuarterlyBy 2026-09-30CISO
5.2Q3 2026 DR & Backup-Restore TestQuarterlyBy 2026-09-30CTO (SRE lead)
5.3Q3 2026 ISMS Management Review — deep dive on Logging & Monitoring + Incident Response (already covered in Phase 3.2; second session may rotate domain)QuarterlySeptember – October 2026CISO
5.4Second phishing simulationTwice per year (semi-annual)October – November 2026CISO
5.5All CHECKTHISOUT items closedOne-shotBy 2026-11-30CISO
5.6Continuous + per-event controls continue with evidenceContinuous + per-eventThroughoutAll🔁

Phase 6 — Subsequent Type II Q2 (December 1, 2026 – February 28, 2027)

#ItemCadenceDateOwnerStatus
6.1Q4 2026 access reviewsQuarterlyBy 2026-12-31CISO
6.2Q4 2026 DR & Backup-Restore TestQuarterlyBy 2026-12-31CTO
6.3Q4 2026 ISMS Management Review — deep dive on Business Continuity / DR + Physical SecurityQuarterlyDecember 2026CISO
6.4Annual DR tabletop exercise (or live failover if alternating-years schedule calls for it)AnnualNovember 2026 – February 2027CTO + CISO
6.5Continuous + per-event controlsContinuous + per-eventThroughoutAll🔁

Phase 7 — Subsequent Type II Q3 (March 1 – May 31, 2027)

#ItemCadenceDateOwnerStatus
7.1Annual Risk Assessment refresh — due by April 30 per procedureAnnualBy 2027-04-30CISO
7.2Annual policy re-acknowledgement — every employee + contractor re-acks all 25 policies (one year after v1.0 effective date)AnnualBy 2027-05-08CISO + CHRO
7.3Q1 2027 access reviewsQuarterlyBy 2027-03-31CISO
7.4Q1 2027 DR & Backup-Restore TestQuarterlyBy 2027-03-31CTO
7.5Q1 2027 ISMS Management Review — annual extended session covering all control domains in summary; deep dive on Access Control + Vendor ManagementQuarterly (annual session)Q1 2027CISO
7.6Continuous + per-event controlsContinuous + per-eventThroughoutAll🔁

Phase 8 — Subsequent Type II Q4 + pre-fieldwork (June 22 – September 14, 2027)

#ItemCadenceDateOwnerStatus
8.1Q2 2027 access reviewsQuarterlyBy 2027-06-30CISO
8.2Q2 2027 DR & Backup-Restore TestQuarterlyBy 2027-06-30CTO
8.3Q2 2027 ISMS Management Review — deep dive on Secure Development + Vulnerability ManagementQuarterlyQ2 2027CISO
8.4Year-2 annual pen test — fieldwork must close in time for retest before the subsequent window closes Sep 22AnnualMay – July 2027CISO + vendor
8.5Year-2 pen-test retest of Critical / High findingsPer findingJune – August 2027CISO
8.6Year-2 phishing simulation cycle — two campaigns within the 12-month windowTwice per year (semi-annual)One in Mar – May, one in Jun – Aug 2027CISO
8.7Evidence-pack completeness review before fieldwork — sample every control class, confirm Vanta + SharePoint have the artifactOne-shotAugust 2027CISO
8.8Subsequent Type II fieldwork kickoff with Advantage PartnersOne-shotMid-September 2027CISO + Advantage Partners

Phase 9 — Subsequent Type II fieldwork + report (September 2027 – October 2027)

#ItemDateOwnerStatus
9.1Subsequent Type II fieldworkSeptember 2027CISO + Advantage Partners
9.2Auditor evidence requests answered within Advantage Partners’ stated turnaroundThroughout fieldworkCISO
9.3Management Representation Letter for the subsequent Type II signedAt fieldwork closeCEO + CTO + CISO
9.4Subsequent Type II report received~October 2027Advantage Partners
9.5Subsequent Type II report distributed to customers under NDA per Trust Center commitmentAfter receiptCISO + CSM (where engaged)
Subsequent annual cycles repeat the Phase 5 – 9 pattern, with each window running Sep 22 → Sep 22.

Standing recurring controls (operating throughout the window)

These run continuously; the table is the auditor’s-eye view of what evidence the report will sample.
Control classCadenceOwnerWhere evidence lands
MFA enforcement on all workforce accountsContinuousCISOVanta IdP integration tests
Encryption at rest + in transitContinuousCTO + CISOVanta cloud-config tests + Vault audit-device logs
Logging and monitoring pathContinuousCTO + CISOBetter Stack + CloudWatch + S3 Object Lock
Vulnerability scanningContinuousCISOSemgrep / CodeQL / Snyk / Trivy / Gitleaks reports
Endpoint managementContinuousCISORippling MDM + EDR compliance reports
Secrets managementContinuousCTOVault audit-device logs + GitHub secret-scanning
Branch protection + CI signalsContinuousCTOGitHub branch-protection settings + GHAS findings
Onboarding (per new hire)Per eventCHRO + CISOSharePoint / CHRO / Onboarding records
Offboarding (per departure)Per eventCHRO + CISORippling deprovisioning logs + SharePoint / CHRO / Offboarding records
Vendor onboarding (per new vendor)Per eventCISO + CFOSharePoint / Vendor evidence + Vendor Inventory
Vendor annual review (per High-tier vendor)Annual per vendorCISOSharePoint / Vendor evidence / <vendor> / Annual Review Note
Change management (per prod change)Per eventCTOGitHub PR + Linear ticket trail + release-pipeline logs
Incident response (per incident)Per eventCISO (IR commander)Linear “Security Incidents” + SharePoint / Incident Records
Key rotation (per procedure)Routine + emergencyCTO + CISOSharePoint / Evidence Library / Key Rotation Evidence Notes
Weekly log reviewWeeklyCISO/sharepoint/evidence-library/log-reviews/<year>/<isoweek>/
Monthly admin-activity reviewMonthlyCISO + CTO/sharepoint/evidence-library/log-reviews/<year>/admin/

Risk register — top near-term risks to the Type I and Type II timelines

The 3-month initial Type II window materially raises the impact of every slippage risk below. A control that runs quarterly can only operate once inside a 3-month window — there is no second chance.
RiskLikelihoodImpactTreatment
Pen-test slips past August 2026, leaving no pen-test evidence in the initial Type II reportHigh (raised)High (raised)Vendor shortlist + outreach by May 31; engagement letter signed by June 15; fieldwork in June–July; retest in July–August. Phases 2.1, 2.2, 3.3, 3.4. With Type I and Type II both opening June 22, the ~three-week pre-launch window makes this the single most schedule-sensitive item.
Quarterly cadenced control misses its single in-window cycle (DR test, ISMS Management Review, access review)MediumHigh (raised)Phase 3 dates are non-negotiable; each control has a named owner and a deadline at least 2 weeks before the window-close on Sep 22.
Vanta dashboard goes red during the observation windowMediumHighContinuous Vanta hygiene; weekly walk by the CISO; remediation SLA per Operations Security
First DR test or first ISMS Management Review slipsMediumMediumCalendared explicitly in Phases 2 and 3; backed by the Compliance Calendar
No incident in window — auditor expects to see IR machinery exercisedLowLowIf no real incident, run a deliberate IR tabletop and document the after-action per Information Security → Management Review
Customer-facing System Description ambiguity triggers fieldwork delaysMediumMediumv1.0 sign-off in Phase 1.2; review with Advantage Partners before fieldwork; periodic refresh on material change
Brazil / India workforce-screening operational specifics lag the documented BR + IN workforceMediumHigh (raised) — these workers exist today, not futurePhase 2.10 deadline of 2026-06-29; deliverables in Non-US Workforce SOC 2 Brief
CHECKTHISOUT item slippageMediumMediumReviewed at every ISMS Management Review; any item slipping twice escalates to the CEO

Cross-references

Version history

VersionDateDescriptionAuthorApproved by
1.02026-05-16Initial — companion to the System Description and CHECKTHISOUT.mdCameron WolfeIshan Jadhwani