Owner: CISO
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001 §9.3 (management review); SOC 2 CC1.5 / CC4.2. Implements the Information Security Policy.
Effective Date: May 15, 2026
Reviewed: Annually
Frameworks: ISO/IEC 27001 §9.3 (management review); SOC 2 CC1.5 / CC4.2. Implements the Information Security Policy.
Cadence
- Quarterly working session — ~90 minutes — led by the CISO.
- Annual review — one of the four quarterly sessions per calendar year is extended to ~3 hours and treated as the formal yearly management review. By convention this falls in Q1 so that the outputs feed annual policy reviews (May 8 effective date) and the annual risk assessment.
Participants
| Role | Quarterly | Annual |
|---|---|---|
| CEO | Optional | Required |
| CTO | Required | Required |
| CISO (chair) | Required | Required |
| General Counsel | Required | Required |
| CHRO | Required | Required |
| Privacy Officer | By topic | Required |
| Engineering leads (by area) | By topic | By topic |
| Independent reviewer — VGC LLP, in lieu of a board audit committee (Neuroscale is member-managed; see Audit Committee Deferral Memo 2026) | By topic | Required (VGC attends in this slot) |
| External counsel (VGC LLP) | By topic | By topic |
Trigger
The CISO opens a Linear epic at the start of each quarter:- Title:
ISMS Management Review — <Quarter> <Year> - Owner: CISO
- Linked artifacts: agenda issue, evidence-collection issues for each input, minutes issue.
Standing agenda
Every session walks the following nine sections. The CISO may add ad-hoc items at the start; participants may add items via the agenda issue up to 2 business days prior.1. Decisions and action items from the prior session
Status (closed / in progress / overdue / superseded) for every action item from the previous meeting.2. Risk register changes
New, modified, retired, and overdue risks since the prior session — drawn from the Risk Treatment Plan and any updates in the controls inventory. For each open risk past its target treatment date, the risk owner attends to walk through the slip and propose a remediation path.3. Open Critical / High vulnerabilities past SLA
A line-item walkthrough of every Critical and High finding past its SLA per Operations Security → Technical vulnerability management. Owner identifies blockers and target close date; CISO records the decision (accept residual risk, escalate, reprioritize).4. Incidents
Count by severity for the period; for each Severity 1–2 incident, a brief reminder of the conclusion, the root cause, and any control change the incident motivated. Sourced from the Incident Response records.5. Audit, pen-test, customer-security-review, and regulator findings
Open findings with owner, due date, and current status. Pen-test retest progress per Operations Security → Technical vulnerability management.6. Control-domain effectiveness (rotating)
One control domain is reviewed in depth per quarter, on the rotation below. The relevant policy owner walks key indicators (effectiveness, exceptions, drift). The annual session reviews all control domains in summary in addition to the rotating deep dive.| Quarter | Deep dive |
|---|---|
| Q1 (annual) | Access Control + Vendor / Third-Party Management |
| Q2 | Secure Development + Vulnerability Management |
| Q3 | Logging & Monitoring + Incident Response |
| Q4 | Business Continuity / DR + Physical Security |
7. Resource adequacy
Staffing, budget, and tooling: any gaps that materially affect the program. The CISO surfaces unmet needs; the CEO and CTO either commit resources, defer with rationale, or accept the residual risk on the record.8. Regulatory and customer-contract changes
GC walks any new regulatory exposure, customer contract clauses with new security/privacy obligations, or framework updates (SOC 2, ISO, GDPR, state privacy laws). Outputs are routed to the relevant policy owner as action items if any policy needs to change.9. New / revised decisions
Decisions made in the session — risk acceptance, policy changes, control roll-outs, exception approvals — are restated by the recorder and confirmed by the CISO before close. Each decision becomes an action item or a tracked change.Evidence collection
The CISO (or delegate) gathers the following before the session and attaches links to the agenda issue:- Risk register diff since prior session (Linear or the Risk Register entry).
- Vulnerability dashboard snapshot — open findings by severity and SLA status.
- Incident log for the period.
- Findings tracker (pen-test, audit, customer review, regulator).
- Control-effectiveness pack for the quarter’s deep-dive domain.
- Compliance Calendar status (overdue items).
Minutes
The recorder drafts minutes within 5 business days of the session, using the structure below. Minutes are reviewed and signed by the CISO and General Counsel, then filed as a controlled register entry (Management Review Minutes, one per quarter) and linked from the Controls Inventory. Minute template:Escalation
Action items not closed by their due date are listed in the next session’s §1 with the new due date and the owner’s justification on record. An action item that has slipped twice without progress is escalated to the CEO for direct ownership at the following session.First session
The first management-review session following this procedure’s effective date is held within 90 days. See the Compliance Calendar for the scheduled date.Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 15, 2026 | Initial version — implements Information Security Policy §“Management review”, ISO 27001 §9.3, SOC 2 CC1.5 / CC4.2 | Cameron Wolfe | Ishan Jadhwani |