Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001 §9.3 (management review); SOC 2 CC1.5 / CC4.2. Implements the Information Security Policy.
This procedure operationalizes the Information Security Policy → Management review clause. It is the canonical management-review record relied on for ISO/IEC 27001 §9.3 and SOC 2 CC1.5 / CC4.2.

Cadence

  • Quarterly working session — ~90 minutes — led by the CISO.
  • Annual review — one of the four quarterly sessions per calendar year is extended to ~3 hours and treated as the formal yearly management review. By convention this falls in Q1 so that the outputs feed annual policy reviews (May 8 effective date) and the annual risk assessment.
Sessions are scheduled in the Compliance Calendar. A session may be deferred by up to 30 days for scheduling reasons; longer deferrals require CEO sign-off and a written justification kept with the minutes for that quarter.

Participants

RoleQuarterlyAnnual
CEOOptionalRequired
CTORequiredRequired
CISO (chair)RequiredRequired
General CounselRequiredRequired
CHRORequiredRequired
Privacy OfficerBy topicRequired
Engineering leads (by area)By topicBy topic
Independent reviewer — VGC LLP, in lieu of a board audit committee (Neuroscale is member-managed; see Audit Committee Deferral Memo 2026)By topicRequired (VGC attends in this slot)
External counsel (VGC LLP)By topicBy topic
A quorum is the CTO/CISO (combined role at current scale; one individual per Roles & Personnel) and the General Counsel (VGC LLP, which also fills the independent-reviewer slot in lieu of a board audit committee per the Audit Committee Deferral Memo 2026). Because the CTO and CISO functions are held by one individual, the CEO joins each quarterly session in an independent-oversight capacity per the role-concentration compensating controls; ratification of management-review decisions requires CEO acknowledgement on the minute file in addition to CTO/CISO + GC signatures. If any of the three required attendees (CTO/CISO, GC, CEO) cannot attend, the session is rescheduled rather than held without quorum.

Trigger

The CISO opens a Linear epic at the start of each quarter:
  • Title: ISMS Management Review — <Quarter> <Year>
  • Owner: CISO
  • Linked artifacts: agenda issue, evidence-collection issues for each input, minutes issue.
The agenda is circulated at least 5 business days before the meeting; participants are expected to review and add agenda items by 2 business days before.

Standing agenda

Every session walks the following nine sections. The CISO may add ad-hoc items at the start; participants may add items via the agenda issue up to 2 business days prior.

1. Decisions and action items from the prior session

Status (closed / in progress / overdue / superseded) for every action item from the previous meeting.

2. Risk register changes

New, modified, retired, and overdue risks since the prior session — drawn from the Risk Treatment Plan and any updates in the controls inventory. For each open risk past its target treatment date, the risk owner attends to walk through the slip and propose a remediation path.

3. Open Critical / High vulnerabilities past SLA

A line-item walkthrough of every Critical and High finding past its SLA per Operations Security → Technical vulnerability management. Owner identifies blockers and target close date; CISO records the decision (accept residual risk, escalate, reprioritize).

4. Incidents

Count by severity for the period; for each Severity 1–2 incident, a brief reminder of the conclusion, the root cause, and any control change the incident motivated. Sourced from the Incident Response records.

5. Audit, pen-test, customer-security-review, and regulator findings

Open findings with owner, due date, and current status. Pen-test retest progress per Operations Security → Technical vulnerability management.

6. Control-domain effectiveness (rotating)

One control domain is reviewed in depth per quarter, on the rotation below. The relevant policy owner walks key indicators (effectiveness, exceptions, drift). The annual session reviews all control domains in summary in addition to the rotating deep dive.
QuarterDeep dive
Q1 (annual)Access Control + Vendor / Third-Party Management
Q2Secure Development + Vulnerability Management
Q3Logging & Monitoring + Incident Response
Q4Business Continuity / DR + Physical Security

7. Resource adequacy

Staffing, budget, and tooling: any gaps that materially affect the program. The CISO surfaces unmet needs; the CEO and CTO either commit resources, defer with rationale, or accept the residual risk on the record.

8. Regulatory and customer-contract changes

GC walks any new regulatory exposure, customer contract clauses with new security/privacy obligations, or framework updates (SOC 2, ISO, GDPR, state privacy laws). Outputs are routed to the relevant policy owner as action items if any policy needs to change.

9. New / revised decisions

Decisions made in the session — risk acceptance, policy changes, control roll-outs, exception approvals — are restated by the recorder and confirmed by the CISO before close. Each decision becomes an action item or a tracked change.

Evidence collection

The CISO (or delegate) gathers the following before the session and attaches links to the agenda issue:
  • Risk register diff since prior session (Linear or the Risk Register entry).
  • Vulnerability dashboard snapshot — open findings by severity and SLA status.
  • Incident log for the period.
  • Findings tracker (pen-test, audit, customer review, regulator).
  • Control-effectiveness pack for the quarter’s deep-dive domain.
  • Compliance Calendar status (overdue items).

Minutes

The recorder drafts minutes within 5 business days of the session, using the structure below. Minutes are reviewed and signed by the CISO and General Counsel, then filed as a controlled register entry (Management Review Minutes, one per quarter) and linked from the Controls Inventory. Minute template:
# ISMS Management Review — <Quarter> <Year>

**Date:** <YYYY-MM-DD>
**Attendees:** <names, roles>
**Quorum:** <yes/no — names of CTO / CISO / GC>
**Recorder:** <name>

## 1. Prior-session action items
| ID | Owner | Status | Notes |
|---|---|---|---|

## 2. Risk register
- New risks: <…>
- Retired risks: <…>
- Overdue treatments (walked): <…>

## 3. Open Critical / High vulnerabilities past SLA
| Finding ID | Severity | Owner | Days past SLA | Decision |
|---|---|---|---|---|

## 4. Incidents
- Sev 1: <count>
- Sev 2: <count>
- Sev 3: <count>
- Notable incident summaries: <…>

## 5. Audit / pen-test / customer / regulator findings
| Source | Finding | Owner | Due | Status |
|---|---|---|---|---|

## 6. Control-domain deep dive — <domain>
<summary, KPI, decisions>

## 7. Resource adequacy
<gaps surfaced, commitments, deferrals>

## 8. Regulatory / contract changes
<items walked, action items>

## 9. Decisions
| Decision ID | Decision | Rationale | Effective date | Owner |
|---|---|---|---|---|

## 10. New action items
| AI ID | Description | Owner | Due | Linear link |
|---|---|---|---|---|

## Sign-off
| Name | Role | Date | Approval |
|---|---|---|---|
| <CISO> | CISO | <YYYY-MM-DD> | Approved |
| <General Counsel> | General Counsel | <YYYY-MM-DD> | Approved |
Minutes are retained for at least 7 years per the Records Retention Schedule.

Escalation

Action items not closed by their due date are listed in the next session’s §1 with the new due date and the owner’s justification on record. An action item that has slipped twice without progress is escalated to the CEO for direct ownership at the following session.

First session

The first management-review session following this procedure’s effective date is held within 90 days. See the Compliance Calendar for the scheduled date.

Version history

VersionDateDescriptionAuthorApproved by
1.0May 15, 2026Initial version — implements Information Security Policy §“Management review”, ISO 27001 §9.3, SOC 2 CC1.5 / CC4.2Cameron WolfeIshan Jadhwani