
ISO Quarterly Review — end-to-end tutorial

Import the ISO Quarterly Review pack and walk a fictional Lumen.health Q1 2026 ISMS+AIMS review through all eight stages, producing a signed quarterly review report.

Goal

By the end of this tutorial you will have imported the ISO Quarterly Review Scrydon Pack, instantiated it for the fictional Lumen.health Q1 2026 ISMS+AIMS review, pulled current compliance state from Vanta, reviewed AI Governance and Operational metrics, captured decisions and action items, and produced a signed quarterly review report ready for the September 2026 BELAC stage-1 audit pack.

Priya Ramaswamy (Compliance Lead at Lumen.health, a fictional mental-health SaaS), CEO Daniel Foley, CTO Marco Esposito, CISO Aisha Khan, AI Governance Owner Lukas Berg, and DPO Anne Verwoerd walk this through together. Lumen.health is Series B, ~50 staff, ISO 27001 certified since 2024, pursuing ISO 42001 joint-certification at September 2026 BELAC stage-1. All entities, numbers, and findings in the demo documents are fictional.

The ISO Quarterly Review pack ships an empty ontology subdir today. A future iteration could declare ComplianceFinding, ActionItem, Decision, VantaTest Object Types so each quarterly review emits typed instances queryable across quarters ("show me every action item that's been open more than 90 days"). The walkthrough calls out where those would slot in.


Prerequisites

You have a Scrydon deployment with the agentic and ontology surfaces enabled. Set the following env vars in your shell for the import step:

export SCRYDON_URL="https://<your-scrydon-url>"
export ORG_ID="<your-org-id>"
export SESSION_COOKIE="$(cat ~/.scrydon/session-cookie)"

The template references two system workflows: compliance-quarterly-prefetch (pulls the Vanta status snapshot) and compliance-evidence-sync (pushes evidence back to Vanta at the end). Until they ship, those workflow-typed actions degrade to manual checklists in the runtime UI.


Step 1 — Download the pack

Download iso-quarterly-review-1.0.0.scrydon-pack.tar.gz

mkdir -p iso-quarterly-tutorial && cd iso-quarterly-tutorial
curl -O https://docs.scrydon.com/static/process-pack-examples/iso-quarterly-review-1.0.0.scrydon-pack.tar.gz

The pack is ≈ 4 KiB.


Step 2 — Inspect the pack

bunx @scrydon/sdk-authoring pack inspect iso-quarterly-review-1.0.0.scrydon-pack.tar.gz
Pack:
  Package:  iso-quarterly-review@1.0.0
  Contents: ontology@1.0.0, process-flow@1.0.0
  Install order: ontology → process-flow
  ontology: iso-quarterly-review@1.0.0
  process-flow: iso-quarterly-review (8 stages)

Step 3 — Upload the pack

curl -X POST "$SCRYDON_URL/api/packs/import?organizationId=$ORG_ID" \
  -H "Cookie: $SESSION_COOKIE" \
  -F "file=@iso-quarterly-review-1.0.0.scrydon-pack.tar.gz"

A 200 response carries the new processTemplateId.


Step 4 — Create a new review instance

Browse to $SCRYDON_URL/process-templates. The ISO Quarterly Review card appears under the Compliance tag. Click New from template and name the instance Lumen.health Q1 2026 ISMS+AIMS Review.

The instance opens on the tracker view. Eight stage lanes appear:

  • Plan & Schedule — kick off the review window.
  • Vanta Status Pull — automated compliance-quarterly-prefetch workflow ingests current state.
  • AI Governance Metrics Review — Lukas walks the AIMS metrics.
  • Operational & Security Metrics Review — Marco + Aisha walk the ISMS metrics.
  • Engineering Gaps Status — Marco rolls up EG-### closures since Q4.
  • Findings & Decisions — full review meeting; decisions captured.
  • Sign-off — six personas sign the quarterly report.
  • Evidence Sync to Vanta — automated compliance-evidence-sync workflow pushes everything back.

Stages are sequential (stageFlow: "sequential"). The first task in Plan & Schedule is unlocked.


Step 5 — Plan & Schedule

Priya kicks off the review window. The Plan & Schedule tasks include:

  • Confirm review window (covers prior 90 days)
  • Confirm scope (ISO 27001 + ISO 42001 + tracked SOC 2 controls)
  • Confirm reviewer roster (compliance lead + CISO + AI gov owner + DPO + eng lead + exec sponsor)
  • Schedule review meeting (target 03 Apr 2026)
  • Open evidence locker in Vanta + share-drive

Mark complete to advance.


Step 6 — Vanta Status Pull

The compliance-quarterly-prefetch workflow runs automatically (or as a manual checklist if the workflow isn't yet deployed). It pulls the current Vanta status snapshot into the instance's knowledge base.

Download 01-vanta-status-snapshot.md — Lumen.health Q1 2026 snapshot: 412 tests across ISO 27001:2022, ISO 42001, GDPR custom, and SOC 2 frameworks. Headline: 387 green (94 %), 17 needs-attention, 8 failing. Net +7 improvement vs. Q4 2025.

Priya reviews the snapshot and flags items for the meeting agenda. Mark the task complete; this unblocks the AI Governance, Operational, and EG-### review stages in parallel.


Step 7 — AI Governance Metrics Review

Lukas walks the AI Governance metrics:

Metric                                          Q4 → Q1
AI systems inventoried                          6/7 → 7/7 ✓
AI systems with current impact assessment       5/7 → 4/7 ↓
AI systems with peer-review record              5/7 → 5/7 —
AI systems with documented safety-resilience    6/7 → 7/7 ✓
AI agent guardrail test coverage                71% → 78% ✓
HITL intervention rate                          12% → 9% ✓

The regressed impact-assessment coverage is the lead concern: the new RAG retrieval feature shipped on 11 Mar without its impact assessment, dropping coverage from 5/7 to 4/7. Lukas flags this as material for the audit pack.


Step 8 — Operational & Security Metrics Review

Marco and Aisha walk the operational and security metrics. Headlines:

  • MTTD improving (14 → 11 min).
  • Critical CVE remediation P95 improving (6 → 4 days).
  • Open critical vulnerabilities down (3 → 1).
  • Three MFA service-account exceptions still open (carried into action items).
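The Q4 → Q1 trend marks in the Step 7 and Step 8 tables depend on each metric's polarity: a falling HITL intervention rate or MTTD is an improvement, while falling impact-assessment coverage is the regression Lukas flags. This added example (not Scrydon code) classifies constructed rows from both tables with an explicit polarity per metric; the type and function names are ours.

```typescript
// Added example (not Scrydon code): classify quarter-over-quarter review metrics
// with an explicit polarity per metric, so a falling HITL intervention rate or MTTD
// counts as an improvement while falling impact-assessment coverage is a regression.

type Polarity = "higher-is-better" | "lower-is-better";
type Trend = "✓" | "↓" | "—";

interface Metric {
  name: string;
  q4: string;        // "5/7", "12%" or "14 min", as written in the review tables
  q1: string;
  polarity: Polarity;
}

// Parse "5/7" -> 0.714..., "12%" -> 0.12, "14 min" -> 14, "3" -> 3.
export function parseValue(v: string): number {
  const frac = v.match(/^(\d+)\/(\d+)$/);
  if (frac) return Number(frac[1]) / Number(frac[2]);
  const pct = v.match(/^(\d+(?:\.\d+)?)%$/);
  if (pct) return Number(pct[1]) / 100;
  const num = v.match(/^(\d+(?:\.\d+)?)(?:\s*[A-Za-z]+)?$/);
  if (num) return Number(num[1]);
  throw new Error(`unrecognised metric value: ${v}`);
}

export function classify(m: Metric): Trend {
  const delta = parseValue(m.q1) - parseValue(m.q4);
  if (delta === 0) return "—";
  const improved = m.polarity === "higher-is-better" ? delta > 0 : delta < 0;
  return improved ? "✓" : "↓";
}

// Regressed metrics are the material items flagged for the audit pack.
export function regressions(metrics: Metric[]): string[] {
  return metrics.filter((m) => classify(m) === "↓").map((m) => m.name);
}

// Constructed sample: rows taken from the Step 7 and Step 8 tables.
export const reviewMetrics: Metric[] = [
  { name: "AI systems inventoried", q4: "6/7", q1: "7/7", polarity: "higher-is-better" },
  { name: "AI systems with current impact assessment", q4: "5/7", q1: "4/7", polarity: "higher-is-better" },
  { name: "AI systems with peer-review record", q4: "5/7", q1: "5/7", polarity: "higher-is-better" },
  { name: "AI agent guardrail test coverage", q4: "71%", q1: "78%", polarity: "higher-is-better" },
  { name: "HITL intervention rate", q4: "12%", q1: "9%", polarity: "lower-is-better" },
  { name: "MTTD", q4: "14 min", q1: "11 min", polarity: "lower-is-better" },
  { name: "Open critical vulnerabilities", q4: "3", q1: "1", polarity: "lower-is-better" },
];
```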

Step 9 — Engineering Gaps Status

Marco rolls up the EG-### gap closures:

  • EG-007 (DLP egress for AI agent output) → Closed this quarter ✓
  • EG-009 (annual pen-test cadence) → SoW signed; engagement 15 May
  • EG-012 (RAG impact assessment) → In progress, due 30 Apr
  • EG-018 (IR tabletop annual cadence) → Tabletop 02 May
  • EG-002 (DEK rotation), EG-015 (data deletion audit), EG-021 (AIUC-1 refresh) → In progress, on track

Step 10 — Findings & Decisions

The full review meeting. Priya runs the meeting; the six attendees walk the snapshot, discuss the AI Governance regression, and decide on the quarter ahead.

Download 02-quarterly-review-report.md — the Q1 quarterly review report covering AI Governance, Operational, EG-### roll-up, decisions, and trajectory toward the September audit.

Download 03-decisions-log.md — the five decisions taken at the review meeting: accelerate RAG impact assessment (D-2026-Q1-01), defer SOC 2 by a quarter (D-2026-Q1-02), approve €42 k PenTest engagement (D-2026-Q1-03), commit €18 k for tabletop facilitator (D-2026-Q1-04), endorse AIMS policy publication (D-2026-Q1-05).

Download 04-findings-and-action-items.md — 23 action items captured: 19 close in Q2, 4 carry into Q3. Owners across all five personas.

Priya pastes the report into Compile quarterly review report and the decisions log into Capture decisions and action items. Each action item is logged with owner + due date + acceptance criteria — when the ontology is wired up, each becomes an ActionItem Object instance linked to the Decision it derives from.


Step 11 — Sign-off

Six personas formally sign the quarterly review report (the approval action):

  • Priya Ramaswamy, Compliance Lead
  • Daniel Foley, CEO + Executive Sponsor
  • Marco Esposito, CTO + Engineering Lead
  • Aisha Khan, CISO
  • Lukas Berg, AI Governance Owner
  • Anne Verwoerd, DPO

The instance auto-advances to the final stage.


Step 12 — Evidence Sync to Vanta

The compliance-evidence-sync workflow pushes the signed quarterly report, decisions log, action-items register, and all four sample documents back to the Vanta evidence locker at evidence/iso-quarterly-review/2026-q1/. Each action item becomes a Vanta improvement-log entry with owner and due date; owners receive Slack reminders 7/3/1 days before due dates.

The instance closes. Priya schedules the Q2 review for 01 Jul 2026 (the unlockAfterTaskSlug + unlockDelay: { value: 90, unit: "days" } mechanism creates a follow-up task in Priya's queue exactly 90 days after the instance is closed).


Three error variants worth seeing

  • STAGE_DEPENDENCY_NOT_MET
    How to trigger: Try to open Findings & Decisions before all three parallel review stages (AI Gov, Operational, EG-###) complete.
    What it means: Sequential stageFlow enforced; the meeting needs all three reviews done first.
  • APPROVAL_REJECTED (modeled as approval rejection)
    How to trigger: Reject Sign-off as one of the six approvers.
    What it means: The instance does not advance to evidence sync; report returns to Findings & Decisions for rework.
  • WORKFLOW_NOT_FOUND
    How to trigger: Run on a tenant where compliance-quarterly-prefetch and compliance-evidence-sync system workflows are not deployed.
    What it means: The workflow-typed actions degrade to manual checklists; the tutorial still runs end-to-end.
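The gating behind the first two variants, as an added model that is not Scrydon's runtime: the stage dependency graph follows the eight lanes from Step 4 and the parallel unblock in Step 6, a rejection by any approver reopens Findings & Decisions, and all six approvals are needed to complete Sign-off. The stage slugs, class and method names are assumptions; only the STAGE_DEPENDENCY_NOT_MET code comes from the page.

```typescript
// Added model (not Scrydon's runtime) of the tutorial's sequential stage gating.
// Stage slugs are assumptions derived from the eight lane names in Step 4.
type Stage =
  | "plan-schedule" | "vanta-status-pull"
  | "ai-governance-review" | "operational-review" | "eng-gaps-review"
  | "findings-decisions" | "sign-off" | "evidence-sync";

// Each stage lists the stages that must be complete before it can open.
// The three review stages all hang off the Vanta pull, so they run in parallel.
const DEPENDENCIES: Record<Stage, Stage[]> = {
  "plan-schedule": [],
  "vanta-status-pull": ["plan-schedule"],
  "ai-governance-review": ["vanta-status-pull"],
  "operational-review": ["vanta-status-pull"],
  "eng-gaps-review": ["vanta-status-pull"],
  "findings-decisions": ["ai-governance-review", "operational-review", "eng-gaps-review"],
  "sign-off": ["findings-decisions"],
  "evidence-sync": ["sign-off"],
};

export class StageError extends Error {
  code = "STAGE_DEPENDENCY_NOT_MET" as const;
  constructor(stage: Stage, missing: Stage[]) {
    super(`STAGE_DEPENDENCY_NOT_MET: ${stage} needs ${missing.join(", ")} complete first`);
  }
}

export class ReviewInstance {
  private completed = new Set<Stage>();
  private approvals = new Map<string, boolean>();
  private readonly approvers: string[];
  constructor(approvers: string[]) { this.approvers = approvers; }

  // Opening a stage checks its dependencies (sequential stageFlow).
  open(stage: Stage): void {
    const missing = DEPENDENCIES[stage].filter((d) => !this.completed.has(d));
    if (missing.length > 0) throw new StageError(stage, missing);
  }

  complete(stage: Stage): void { this.open(stage); this.completed.add(stage); }

  // Sign-off: every approver must approve; one rejection reopens Findings & Decisions.
  sign(approver: string, approve: boolean): void {
    this.open("sign-off");
    if (!approve) { this.approvals.clear(); this.completed.delete("findings-decisions"); return; }
    this.approvals.set(approver, true);
    if (this.approvers.every((a) => this.approvals.get(a) === true)) this.completed.add("sign-off");
  }

  isComplete(stage: Stage): boolean { return this.completed.has(stage); }
}
```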

Customising the pack

Lumen.health's actual review process diverges from the shipped pack in three places: the reviewer roster (we don't have a separate "External Auditor" persona for quarterly reviews), the action-item categorisation (we use a custom 3-track owner taxonomy instead of the shipped 4 categories), and the Vanta evidence-locker path. Three customisation paths:

  1. Fork the pack in TypeScript. Copy packages/sdk-authoring/src/process-templates/examples/iso-quarterly-review/index.ts into your own SDK project, edit, change package.id and template.slug to a custom value (e.g. lumen-iso-quarterly), bump package.version, and rebuild with bunx @scrydon/sdk-authoring pack build src/pack.ts --outDir dist. Re-upload via /api/packs/import.
  2. Add typed ontology contributions. A future release could add ComplianceFinding, ActionItem, Decision, VantaTest, ComplianceFramework Object Types so each quarterly review emits queryable typed instances — answering "show me every action item open more than 90 days" or "how did mfa-on-all-prod-accounts evolve quarter over quarter" in one query.
  3. Customise per-tenant Vanta path. The compliance-evidence-sync workflow accepts a vantaBasePath parameter; override it at instance time without forking the manifest.

If you fork, change the slug and package.id so your tenant's customisation doesn't collide with the docs example.

