
Management Review — March 2026 (Initial)

Meeting type: Tabletop Exercise + Full ISMS Management Review (Initial)
Date: 21 March 2026
Time: 09:00 — 12:00 CET
Location: Remote (Video call)
Chair: Jan Marc Castlunger (ISO)
Minutes by: Sebastian Windeck (CTO)

Schedule

09:00 — 09:45: IRP Tabletop Exercise (see Tabletop Exercise Plan)
09:45 — 10:00: Break
10:00 — 12:00: Management Review (agenda below)


Attendees

Name                | Role          | Required
--------------------|---------------|------------
Jan Marc Castlunger | CEO / ISO     | ✅ Required
Sebastian Windeck   | CTO / DPO     | ✅ Required
Malte Toetzke       | Chief of AI   | ✅ Required

Agenda

1. Opening & Context (10 min)

  • Welcome and purpose of the initial management review
  • ISMS implementation status overview (v2.1 documentation complete)
  • Confirm ISMS scope and applicability (ISMS Scope)

2. Information Security Policy Approval (10 min)

  • Review and formally approve the Information Security Policy (POL-001)
  • Confirm security roles and responsibilities:
    • ISO: Jan Marc Castlunger
    • DPO: Sebastian Windeck
    • Chief of AI: Malte Toetzke

3. Risk Assessment Results (15 min)

  • Present the Risk Register (14 risks identified)
  • Review risk methodology (3x3 matrix)
  • Discuss residual risks requiring acceptance:
    • R03 — Azure misconfiguration (Residual: Medium)
    • R07 — Phishing (Residual: Medium)
    • R10 — Key person dependency (Residual: Medium)
    • R12 — Log retention insufficient (Residual: Medium)
    • R13 — Error images via email (Residual: Medium)
    • R14 — NDAs not formalised (Residual: Medium)
  • Decision required: Formal acceptance of residual risks by ISO

4. ISMS Objectives Review (10 min)

  • Present the ISMS Objectives (8 objectives)
  • Confirm targets:
    • Incident response: ≤ 12 hours
    • MFA compliance: 100%
    • Uptime: ≥ 99.9%
    • Training completion: 100%
  • Decision required: Approve objectives for 2026/2027

5. Statement of Applicability (10 min)

  • Review Statement of Applicability (40 controls)
  • Current status: 32 Implemented, 6 In Progress, 2 N/A
  • Key "In Progress" items:
    • 5.7 — Threat intelligence (formal process Q2 2026)
    • 5.27 — Learning from incidents (formalisation in progress)
    • 6.1 — Background checks (formalising Q2 2026)
    • 8.12 — DLP expansion (Q2 2026)
    • 8.15 — Log retention (30-day → 90+ days, Q2 2026)
    • 8.29 — Penetration test (planned Q2 2026)

6. Incident Summary & Tabletop Debrief (5 min)

  • Incidents to date: 0 (none)
  • Tabletop exercise completed earlier today (09:00) — debrief findings
  • Decision required: Approve IRP upgrade from v0.9 to v1.0 (incorporating tabletop findings)

7. Audit & Certification Status (10 min)

  • Internal audit: Scheduled 30 March 2026
  • ISO 27001 Stage 1 (document review): Target May 2026
  • ISO 27001 Stage 2 (evidence audit): Target July-August 2026
  • Certification body: Not yet selected — decision needed Q2 2026
  • SOC 2 readiness: ~80% (6 gaps identified in Readiness Roadmap)

8. Supplier Review (5 min)

  • 3 critical suppliers: Microsoft Azure, GitHub, Google Workspace
  • All DPAs in place (standard online agreements)
  • No supplier incidents reported

9. Open Risk Treatment Actions (10 min)

Review target dates and owners for all open actions:

Risk | Action                                  | Owner                       | Target
-----|-----------------------------------------|-----------------------------|----------
R03  | Formalise Terraform IaC baseline        | Sebastian Windeck (CTO)     | May 2026
R07  | Implement phishing simulation tests     | Jan Marc Castlunger (ISO)   | Q2 2026
R10  | Complete runbook documentation          | Jan Marc Castlunger (ISO)   | June 2026
R12  | Extend log retention to 90+ days        | Sebastian Windeck (CTO)     | Q2 2026
R13  | Formalise customer consent workflow     | Sebastian Windeck (DPO)     | Q2 2026
R14  | Implement NDA process                   | Jan Marc Castlunger (ISO)   | Q2 2026

10. Resource Requirements (5 min)

  • Certification body engagement (budget: TBD)
  • Penetration test (external provider, budget: approx. EUR 3,000-8,000)
  • SOC 2 auditor engagement (Q3 2026, budget: EUR 15,000-30,000)
  • Compliance tooling evaluation (optional: Vanta/Drata)

11. Opportunities for Improvement (10 min)

  • Open floor: all attendees
  • Topics to consider:
    • Azure PIM implementation (Q3 2026)
    • Cyber insurance evaluation
    • Automated compliance monitoring tooling
    • Customer-facing security trust page

12. Actions & Close (10 min)

  • Summarise all decisions made
  • Assign action items with owners and deadlines
  • Confirm next management review date: March 2027 (or earlier if triggered)
  • Sign-off on meeting minutes

Pre-Meeting Preparation

Each attendee should review the following before the meeting:

Document                     | Link
-----------------------------|---------
ISMS Scope                   | ISO-001
Information Security Policy  | POL-001
Risk Register                | REG-002
Statement of Applicability   | ISO-002
ISMS Objectives              | ISO-005
SOC 2 Readiness Roadmap      | SOC-004
Asset Register               | REG-001

Decisions Required

  • [ ] Approve Information Security Policy (POL-001)
  • [ ] Accept residual risks (R03, R07, R10, R12, R13, R14)
  • [ ] Approve ISMS Objectives for 2026/2027
  • [ ] Approve Statement of Applicability
  • [ ] Confirm certification body selection timeline
  • [ ] Approve penetration test budget
  • [ ] Confirm next review date

Record this review using the Management Review Minutes Template. Store completed minutes in Google Drive > Security > Management Reviews.


Reference: Management Review Procedure (PROC-005)