Register Owner: CISO
Effective Date: May 16, 2026
Reviewed: At each ISMS Management Review
Audience: Auditor (Advantage Partners) — Section IV evidence aide
Effective Date: May 16, 2026
Reviewed: At each ISMS Management Review
Audience: Auditor (Advantage Partners) — Section IV evidence aide
Purpose
Neuroscale’s policy set was effective 2026-05-08. The initial Type II observation window is June 22 – September 22, 2026 (3 months). Most annual controls cannot complete a 12-month cycle inside a 3-month window. AICPA SSAE 18 lets the auditor accept a “design-only” finding for an annual control whose first cycle naturally falls in the subsequent window, provided management has documented the first-cycle treatment rather than left it implicit. This register is that documentation. For each annual control referenced in the policy set, it states whether the first cycle is operated inside the initial window (with date) or deferred to the first subsequent 12-month window (Sep 22, 2026 – Sep 22, 2027) with a documented rationale.First-cycle treatment matrix
Operated inside the initial window (Jun 22 – Sep 22, 2026)
These annual controls are intentionally pulled into the initial window so the auditor sees ≥1 operating cycle. Evidence locations are documented in the Compliance Calendar.| Control | First-cycle date | Owner | Why inside window |
|---|---|---|---|
| Annual penetration test (apps + production network) | Fieldwork 2026-06-15 → 2026-07-31; retest closed by 2026-08-31 | CISO + Engineering (vendor: Horizon3) | Most consequential preventive control. Auditor cannot test CC4.1 / CC7.1 without pen-test evidence in window. |
| Annual formal risk assessment | Kickoff 2026-05-31; final report by 2026-07-31 | CISO | CC3.1 / CC3.2 — risk-assessment evidence is foundational; Phase 3.7 in SOC 2 Readiness Timeline. |
| Annual data-retention requirements review | 2026-07-15 | CISO + data owners | Refresh Data Retention Matrix; records-disposal hygiene supporting the CC-series in the Security-only initial window (the Confidentiality/Privacy disposal commitments it also underpins are attested from the first subsequent window). |
| Annual legal-hold review with counsel | 2026-07-15 (coincides with retention review) | GC (VGC) | Confirms no active legal holds are overdue for review; CC1.5 / CC9.1 evidence. |
| Annual cloud-service-agreement review (high-risk providers) | 2026-08-15 | CISO + CFO | Pairs naturally with the early High-tier vendor reviews in Vendor Annual Review Schedule. |
| Annual supplier service-delivery / performance review | 2026-08-30 (combined with vendor reviews) | CISO + CFO | Operating evidence for Third-Party Management → Monitoring & review. |
| Annual AWS shared-responsibility / controls-inventory review | 2026-08-30 | CISO + Engineering | Confirms Section IV mapping against AWS’s published shared-responsibility model; CC2.3 / CC9.2 evidence. |
| Six High-tier vendor annual reviews | 2026-06-30 → 2026-08-30 (per Vendor Annual Review Schedule) | CISO + CFO | CC9.2 operating evidence. |
| Triggered rotation per key cadence class | 2026-06-30 → 2026-08-30 (per Key Rotation Plan — 2026) | CISO + CTO | CC6.7 operating evidence across cadence classes. |
Deferred to the first subsequent 12-month window (Sep 22, 2026 – Sep 22, 2027)
These annual controls operate naturally on the subsequent 12-month window. They are design-only for the initial Type II report; the first operating cycle is documented inside the first subsequent window.| Control | First-cycle target | Owner | Why deferred |
|---|---|---|---|
| Annual full DR exercise (tabletop or live) | by 2027-05-08 | CTO + CISO | The quarterly backup-restore test (per the DR & Backup-Restore Test procedure) operates the recovery surface inside the initial window; the full-program exercise is annual and falls naturally in the subsequent window. |
| Annual incident-response tabletop / IR plan test | Nov 2026 – Feb 2027 (per Readiness Timeline → Phase 6.4) | CISO | Tabletop preparation is heavy (scenario design, executive participation); first cycle is timed for the subsequent window. CC7.5 design evidence is the IR procedure itself. |
| Annual policy re-acknowledgement (all 25 policies) | by 2027-05-08 | CISO + CHRO | Policies took effect 2026-05-08; first annual re-ack lands at the natural anniversary. The at-hire ack is operating evidence inside the initial window (per HR Security Policy). |
| Annual security-awareness training (all workforce) | by 2027-05-08 | CHRO + CISO | At-hire training and the new-baseline training inside the initial window cover CC1.4 operating evidence; the annual re-cycle falls in the subsequent window. |
| Annual secure-development / OWASP training (engineers) | by 2027-05-08 | CISO + Engineering | Same rationale as above. |
| Annual network-security assessment (incl. major-change review) | by 2027-05-08 | CISO + Engineering | Pen-test (above) covers the dominant CC7.1 evidence in window. Network-assessment is a separate annual artifact deferred to subsequent window. |
| Annual production network-config / firewall rule review | by 2027-05-08 | Engineering | Reviewed continuously via PR / IaC; the annual consolidated review is a separate artifact deferred to subsequent window. |
| Annual long-lived API-key rotation (whole-class) | by 2027-05-08 | Engineering | Per-class rotation evidence in window via Key Rotation Plan — 2026. The whole-class annual sweep is deferred. |
| Twelve remaining High-tier vendor annual reviews | Sep 2026 – Sep 2027 (per Vendor Annual Review Schedule) | CISO + CFO | Six pulled into window; twelve on natural cadence in subsequent window. |
| Risk reporting to executive leadership (formal annual) | by 2027-05-08 | CISO | Quarterly risk-register reviews inside the initial window cover CC4.1; the formal annual report is deferred. |
| Annual ISMS Management Review (Q1-style annual) | First Q3 2026 session holds in window (per Readiness Timeline → Phase 3.2); the formal Q1-style annual review falls in Q1 2027 | CISO + CEO + CTO + GC + CHRO | The first ISMS-MR session operates inside the initial window per the procedure; the annual-cycle Q1 review is separately deferred. |
Methodology — how to read this matrix at audit time
- Section IV in the SOC 2 report lists each control with a TSC mapping, description, test, and result. For any annual control where the result row reads “Design only — first cycle [date] in subsequent window,” this register is the supporting documentation.
- Auditor sample. The auditor samples ~5 annual controls and asks for operating evidence. For each sampled control that’s listed in the Deferred table above, the response is this register + the procedure + the policy effective date (2026-05-08).
- Maintenance. This register is updated at each ISMS Management Review. When a deferred control completes its first cycle, the row moves to the Operated table with the actual date and evidence link.
Cross-references
- Compliance Calendar → Annual — cadence-level commitment
- SOC 2 Readiness Timeline — phase-level execution
- Vendor Annual Review Schedule — vendor-side per-vendor detail
- Key Rotation Plan — 2026 — key-class per-rotation detail
- Controls Inventory — control-level evidence sources
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | May 16, 2026 | Initial first-cycle treatment matrix for the initial Type II window (Jun 22 – Sep 22, 2026). Seven independent annual-cycle controls + 2 batch controls (the six-vendor High-tier review batch and the per-class key-rotation batch) operated inside the window — nine entries in the table. Eleven annual controls deferred to the first subsequent window with documented rationale. | Cameron Wolfe | Ishan Jadhwani |