Audit Schedule & Review Calendar

Document ID: ISO-003
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Framework: ISO 27001 (9.2) | SOC 2 (CC4.1)


2026 Audit & Review Calendar

| Activity | Frequency | Next Date | Owner | Status |
|---|---|---|---|---|
| IRP tabletop exercise | One-time | 21 March 2026, 09:00 | Sebastian Windeck (CTO) | 🟢 Scheduled |
| Initial management review | One-time | 21 March 2026, 10:00 | Jan Marc Castlunger (ISO) | 🟢 Scheduled |
| First internal audit | One-time | 30 March 2026 | Sebastian Windeck (CTO) | 🟢 Scheduled |
| Full ISMS management review | Annual | March 2027 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| Access rights review (RBAC) | Quarterly | June 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| Supplier compliance review | Annual | March 2027 | Sebastian Windeck (DPO) | 📋 Scheduled |
| Vulnerability scan review | Monthly | April 2026 | Sebastian Windeck (CTO) | 📋 Scheduled |
| Security training completion check | Annual | December 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| Incident register review | Quarterly | June 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| Backup restore test | Semi-annual | September 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| GitHub access & token audit | Quarterly | June 2026 | Sebastian Windeck (CTO) | 📋 Scheduled |
| Azure cost & capacity review | Monthly | April 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| Risk register review | Annual | March 2027 | Jan Marc Castlunger (ISO) | 📋 Scheduled |
| SOC 2 readiness review | Quarterly | June 2026 | Jan Marc Castlunger (ISO) | 📋 Scheduled |

ISO 27001 Certification Audits

| Audit | Body | Date | Status |
|---|---|---|---|
| Stage 1 — Document Review | TBD (TUV / DQS / BSI) | May 2026 | 📋 Planned |
| Stage 2 — Evidence Audit | TBD | July-Aug 2026 | 📋 Planned |
| Certification Issued | | September 2026 | 🎯 Target |
| Surveillance Audit 1 | TBD | September 2027 | 📋 Planned |
| Surveillance Audit 2 | TBD | September 2028 | 📋 Planned |
| Recertification | TBD | September 2029 | 📋 Planned |

SOC 2 Audit Timeline

| Milestone | Date | Status |
|---|---|---|
| SOC 2 readiness assessment | Q3 2026 | 📋 Planned |
| Engage SOC 2 auditor (CPA firm) | Q3 2026 | 📋 Planned |
| SOC 2 Type I audit | Q4 2026 | 📋 Planned |
| SOC 2 observation period begins | Q4 2026 | 📋 Planned |
| SOC 2 Type II audit | Q2-Q3 2027 | 📋 Planned |

Management Review Agenda Template

Use the following agenda for the annual management review:

  1. Status of actions from previous review
  2. Changes in external/internal context affecting the ISMS
  3. Information security performance (incidents, near-misses, audit results)
  4. Feedback from customers, auditors, and regulators
  5. Risk assessment and treatment results
  6. Opportunities for continual improvement
  7. Resource requirements
  8. SOC 2 compliance status update

Record the review using the Management Review Minutes Template and store it in Google Drive > Security > Management Reviews.

See also: Management Review Procedure