Quarterly ISMS Management Review Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the controlled quarterly cadence under which leadership reviews the operation of Glassbreak's information security management system (ISMS). It produces signed minutes that an auditor can sample.
The review is the Glassbreak artefact that maps to ISO 27001 Clause 9.3 (Management review) and provides the monitoring and oversight evidence expected by the SOC 2 Common Criteria.
2. Scope
The review covers the full operation of the ISMS in the period under review, including every cadence procedure listed in section 11 below.
3. Ownership
- Accountable owner — the Security Officer convenes the review, drives the agenda, and signs the minutes.
- Counter-signer — at least one member of leadership attends and counter-signs the minutes.
- Contributing attendees — engineering, customer-facing, and compliance representatives attend as needed by the agenda items in the period.
4. Cadence
- One review per calendar quarter, scheduled in the second half of the closing month of the quarter and completed within ±14 days of the target date.
- A missed quarterly review is itself a finding and is recorded as such on the next run.
- An interim review is convened if a SEV-1 incident, a failed external audit, or a material change to the operating context warrants leadership attention before the next quarterly window.
5. Standing agenda
Every review covers the following standing items in order. Items with no material change in the period are recorded as "no change" rather than omitted.
- 5.1 Status of actions from previous review — the close-out status of every action raised at the prior review.
- 5.2 Changes in external and internal issues — relevant changes in the regulatory environment, the threat landscape, the sub-processor ecosystem, the customer base, the platform architecture, and the workforce.
- 5.3 Performance feedback — feedback received from customers, sub-processors, researchers, and workforce members in the period.
- 5.4 Audit results — the outputs of internal audits run under the Internal Audit Programme, external audits, and coordinated-disclosure reports received in the period.
- 5.5 Fulfilment of objectives — measured progress against the information-security objectives set at the most recent annual board-level review.
- 5.6 Risks and opportunities — additions, changes, and closures in the risk register; status of open acceptance decisions and their expiries.
- 5.7 Opportunities for improvement — structural improvements proposed in the period, with the decision and the owner.
- 5.8 Actions — every action arising from the review, with owner and closure deadline.
6. Procedure
- The Security Officer prepares the read-ahead pack from the cadence procedures' outputs in the period, the daily security-posture snapshot history, the risk register, and the customer-feedback log.
- The read-ahead pack is circulated to attendees at least 3 business days before the meeting.
- The meeting proceeds in agenda order with a scribe capturing decisions and actions in real time.
- Draft minutes are circulated within 5 business days of the meeting for correction.
- The Security Officer signs the corrected minutes; the counter-signer reviews and signs.
- The signed minutes are filed in the compliance evidence store and indexed by review date.
- Actions are tracked in the standard issue tracker until closure.
7. Template
Each quarterly review produces a single minutes document with the following structure. This template is the artefact that an auditor may sample.
- Header — review identifier, quarter covered, target date, actual date, attendees, Security Officer, counter-signer(s).
- Read-ahead pack — list of attached inputs with their references.
- Agenda — each standing item from section 5 in order, with: discussion summary, decisions taken, actions raised (with owner and deadline), references to underlying evidence.
- Open action register — table of all open actions from this and prior reviews, with status.
- Sign-off — Security Officer signature and date, counter-signer signature and date.
8. First instance
The inaugural quarterly ISMS management review was completed on the effective date of this procedure (27 May 2026). It walked the standing agenda end-to-end and captured the baseline operating state of the ISMS. The signed minutes are held in the compliance evidence store and available under NDA.
9. Records
- Signed minutes and their read-ahead packs are retained for at least 5 years.
- Action items are tracked in the standard issue tracker until closure and remain in its history thereafter.
10. Review of this procedure
This procedure is reviewed at least annually and after any material change to the standing agenda required by the framework set (for example, a change to the ISO 27001 management-review clause). The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Information Security Policy
- Annual Board-level ISMS Review
- Internal Audit Programme
- Quarterly Access Review
- Monthly Vulnerability Review
- Annual Technical Evaluation
- Quarterly Capacity Planning
- Remediation SLAs
Counter-signed PDF copy available on request to compliance@glassbreak.io.