
ISO Yearly Review — end-to-end tutorial

Import the ISO Yearly Review pack and walk a fictional Lumen.health 2026 annual ISMS+AIMS review through all twelve stages, producing a BELAC stage-1 audit-ready evidence pack.

Goal

By the end of this tutorial you will have imported the ISO Yearly Review Scrydon Pack, instantiated it for the fictional Lumen.health 2026 annual ISMS+AIMS review, walked the full 12-stage sequence (Plan & Scope → Risk Register Snapshot → Penetration Test → IRP Tabletop → DR Tabletop → Restore Test → IR Training → AI Impact Assessment → AIUC-1 Delta → Peer Review → Management Review → Audit-Pack Sync), and produced a BELAC stage-1-ready evidence pack for the September 2026 audit.

This template runs once a year and is the heaviest single instance in the docs: about 60 tasks, eight personas, sequential gates, all anchored on the BELAC audit window. It is the natural companion to the ISO Quarterly Review tutorial, which runs four times a year against the same compliance posture.

Priya Ramaswamy (Compliance Lead at Lumen.health), CEO Daniel Foley, CTO Marco Esposito, CISO Aisha Khan, AI Governance Owner Lukas Berg, DPO Anne Verwoerd, SRE Lead Jakub Vaníček, and external pen-test lead Mariella Greco (PenTestPartners) walk this through together. All entities, numbers, findings, and resolutions are fictional.

The pack ships an empty ontology subdir today. A future iteration could add AuditFinding, PenTestFinding, TabletopOutcome, ImpactAssessment, ManagementDecision Object Types so the annual review emits typed instances queryable cross-year ("show me every High pen-test finding from the last 3 years that's still open"). The walkthrough calls out where those would slot in.


Prerequisites

You have a Scrydon deployment with the agentic and ontology surfaces enabled. Set the following env vars in your shell for the import step:

export SCRYDON_URL="https://<your-scrydon-url>"
export ORG_ID="<your-org-id>"
export SESSION_COOKIE="$(cat ~/.scrydon/session-cookie)"

The template references two system workflows: compliance-vanta-final-check (validates "0 NEEDS_ATTENTION" before audit) and compliance-evidence-sync (pushes evidence to Vanta). Both degrade to manual checklists if not yet deployed.


Step 1 — Download the pack

Download iso-yearly-review-1.0.0.scrydon-pack.tar.gz

mkdir -p iso-yearly-tutorial && cd iso-yearly-tutorial
curl -O https://docs.scrydon.com/static/process-pack-examples/iso-yearly-review-1.0.0.scrydon-pack.tar.gz

The pack is ≈ 5 KiB.


Step 2 — Inspect the pack

bunx @scrydon/sdk-authoring pack inspect iso-yearly-review-1.0.0.scrydon-pack.tar.gz
Pack:
  Package:  iso-yearly-review@1.0.0
  Contents: ontology@1.0.0, process-flow@1.0.0
  Install order: ontology → process-flow
  ontology: iso-yearly-review@1.0.0
  process-flow: iso-yearly-review (12 stages)

Step 3 — Upload the pack

curl -X POST "$SCRYDON_URL/api/packs/import?organizationId=$ORG_ID" \
  -H "Cookie: $SESSION_COOKIE" \
  -F "file=@iso-yearly-review-1.0.0.scrydon-pack.tar.gz"
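Steps 1 to 3 end with a tarball from outside the tenant being handed to the import endpoint with a session cookie. The script below is an added example (Python, not Scrydon SDK code) of the same procedure with the checks a practitioner would add first: it refuses a session-cookie file that is group- or world-readable, rejects archive entries with absolute paths, `..` components or links (a server-side unpack could otherwise be steered outside its directory), confirms the expected components are present, and only then POSTs the pack. The pack layout (top-level ontology/ and process-flow/ directories) and the multipart field name file are assumptions inferred from the inspect output and the curl call; the sample and hostile tarballs are constructed inline.

```python
"""Pre-import checks for a Scrydon pack, then the upload itself.

Added example for this tutorial, not Scrydon SDK code. Assumed (not on the
page): top-level 'ontology/' and 'process-flow/' directories in the tarball,
and a multipart field named 'file' on the import endpoint.
"""
import io
import os
import stat
import tarfile
import tempfile
import urllib.parse
import urllib.request
import uuid

EXPECTED_COMPONENTS = {"ontology", "process-flow"}  # assumed pack layout


def check_secret_file_perms(path: str) -> bool:
    """True when the cookie file is a regular file readable only by its owner."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def _is_unsafe_member(m: tarfile.TarInfo) -> bool:
    """Entries that could escape the unpack directory or alias other files."""
    parts = m.name.split("/")
    return m.name.startswith("/") or ".." in parts or m.issym() or m.islnk() or m.isdev()


def inspect_pack(path: str) -> dict:
    """Return top-level components and member count; raise on unsafe or missing entries."""
    components, members = set(), 0
    with tarfile.open(path, "r:gz") as tar:
        for m in tar:
            if _is_unsafe_member(m):
                raise ValueError(f"unsafe archive entry: {m.name!r}")
            members += 1
            name = m.name[2:] if m.name.startswith("./") else m.name
            components.add(name.split("/")[0])
    missing = EXPECTED_COMPONENTS - components
    if missing:
        raise ValueError(f"pack is missing components: {sorted(missing)}")
    return {"components": sorted(components), "members": members}


def upload_pack(base_url: str, org_id: str, cookie_path: str, pack_path: str) -> bytes:
    """POST the pack; the cookie is read from a 0600 file, never passed on argv."""
    if not check_secret_file_perms(cookie_path):
        raise PermissionError(f"{cookie_path} must be a regular file with mode 0600")
    with open(cookie_path) as f:
        cookie = f.read().strip()
    inspect_pack(pack_path)  # refuse to upload anything that fails the checks above
    boundary = uuid.uuid4().hex
    with open(pack_path, "rb") as f:
        payload = f.read()
    head = (
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
        f'filename="{os.path.basename(pack_path)}"\r\n'
        "Content-Type: application/gzip\r\n\r\n"
    ).encode()
    body = head + payload + f"\r\n--{boundary}--\r\n".encode()
    url = f"{base_url}/api/packs/import?organizationId={urllib.parse.quote(org_id, safe='')}"
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Cookie": cookie,
        "Content-Type": f"multipart/form-data; boundary={boundary}",
    })
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def _build_pack(entries, path: str) -> None:
    """Write a constructed tar.gz from (name, bytes) pairs."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def demo_inspect() -> dict:
    """Constructed pack mirroring the tutorial's inspect output; returns its inspection."""
    path = os.path.join(tempfile.mkdtemp(), "sample.scrydon-pack.tar.gz")
    _build_pack([("ontology/ontology.json", b"{}"), ("process-flow/template.json", b"{}")], path)
    return inspect_pack(path)


def demo_unsafe() -> str:
    """Constructed hostile pack with a traversal entry; returns the rejection reason."""
    path = os.path.join(tempfile.mkdtemp(), "hostile.tar.gz")
    _build_pack([("ontology/x.json", b"{}"), ("../../etc/cron.d/job", b"* * * * * root id")], path)
    try:
        inspect_pack(path)
    except ValueError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    base_url, org_id = os.environ.get("SCRYDON_URL"), os.environ.get("ORG_ID")
    if base_url and org_id:
        print(upload_pack(base_url, org_id, os.path.expanduser("~/.scrydon/session-cookie"),
                          "iso-yearly-review-1.0.0.scrydon-pack.tar.gz").decode(errors="replace"))
    else:
        print(demo_inspect(), demo_unsafe())
```

Reading the cookie inside the process keeps it out of `ps` output and shell history, which `-H "Cookie: $SESSION_COOKIE"` on the curl command line does not; the archive walk costs nothing on a 5 KiB pack and is the check that matters once tenants start forking and exchanging packs of their own.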

Step 4 — Create the annual review instance

Browse to $SCRYDON_URL/process-flows. The ISO Yearly Review card appears under the Compliance tag. Click New from template, name the instance Lumen.health 2026 ISMS+AIMS Annual Review.

The instance opens on the wizard view. The left rail lists the twelve stages and their tasks; the right panel walks through each task as a scene. Stages are sequential; the meeting happens at the end (stage 11), and the final stage is the audit-pack sync.


Step 5 — Plan & Scope (2 weeks)

Priya kicks off the annual cycle in early February:

  • Confirm review window (covers prior 12 months).
  • Confirm scope: which AI systems (7), which network segments, which vendors.
  • Book external pen-test engagement (target start 15 May).
  • Book AIUC-1 evaluator engagement (Q2 + Q3 + Q4).
  • Open audit-pack folder for 2026 in Vanta + Notion.
  • Confirm reviewer roster across all eight personas.

Stage gate: approval from Priya + Daniel.


Step 6 — Risk Register Snapshot (1 week)

Refresh the risk register (closes the Vanta risks-reviewed-annually test):

  • Walk the current register; close stale risks.
  • Add new risks from incidents, near-misses, new systems.
  • Refresh treatment plans for high-scoring risks.
  • Create the 22 Aug 2026 snapshot in Vanta and mark "share with auditors."

Stage gate: approval from Priya.


Step 7 — Penetration Test (6 weeks)

The longest stage. PenTestPartners executes a 2-week pen-test against the auth-service, agentic, analytics and ontology surfaces, and the LLM-agent sandbox.

Download 01-pentest-sow.md — PenTestPartners SoW. €42 k, OWASP Top 10 + LLM Top 10 + OWASP API Top 10. Six deliverables, including a retest within 90 days.

Eight tasks walk the team through scope, engagement, vendor execution, draft report, clarification, remediation tickets for High/Critical, tracking to closure, final evidence upload.

Stage gate: approval from Aisha.


Step 8 — IRP Tabletop Exercise (1 week)

Aisha selects a scenario from the LLM-specific IR playbook and runs the tabletop:

Download 02-irp-tabletop-scenario.md — Scenario SC-A1: cross-tenant LLM leak via retrieval-augmented generation. 8 participants, 2.5-hour exercise, 5 decision points, 6 success criteria, external facilitator (Tomáš Novák, ex-NCSC).

Six tasks: select scenario, distribute brief 24h before, run 60–90 min tabletop, capture timeline + decisions, score against criteria, open remediation tickets, upload tabletop record to Vanta (A.5.27 — Learning from incidents).


Step 9 — DR Tabletop Exercise (1 week)

The SRE-led variant. Jakub picks scenario DR-A2 — multi-region active-active failover — and runs the exercise. RTO + RPO measured against published targets. Five tasks: select, distribute, run, identify gaps, upload record (A.5.29 / A.5.30).


Step 10 — Restore Test Execution (1 week)

Real restore (not tabletop) executed in non-prod from the most recent backup. Four tasks: provision non-prod target cluster; execute restore per the deployment runbook; validate data integrity post-restore (row counts, sample queries); capture timing, upload evidence (A.8.13 / A.8.14).
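Steps 9 and 10 both reduce to two measurements: does the restored data match what was backed up, and were the published RTO and RPO met. The script below is an added example (Python, with SQLite standing in for the real datastore; it is not Lumen.health's runbook and not a Scrydon feature) that captures a per-table manifest immediately before the backup, compares it to the restored copy, runs the sample queries, and emits the evidence record the A.8.13 / A.8.14 upload needs. The schema, rows, timestamps and the 4 h RTO / 15 min RPO targets are constructed for illustration.

```python
"""Restore-test validation: integrity check plus RTO/RPO evidence.

Added example for this tutorial, not Lumen.health's runbook or a Scrydon
feature. Schema, rows, timestamps and the 4 h / 15 min targets are
constructed; SQLite stands in for the production datastore.
"""
import hashlib
import json
import sqlite3
from datetime import datetime, timedelta, timezone


def table_manifest(conn: sqlite3.Connection) -> dict:
    """Per-table row count plus an order-independent SHA-256 over the rows."""
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    manifest = {}
    for t in names:
        rows = conn.execute(f'SELECT * FROM "{t}"').fetchall()
        h = hashlib.sha256()
        for encoded in sorted(repr(r).encode() for r in rows):
            h.update(encoded + b"\n")
        manifest[t] = {"rows": len(rows), "sha256": h.hexdigest()}
    return manifest


def validate_restore(source_manifest, restored, sample_queries,
                     backup_taken_at, test_started_at, restore_finished_at,
                     rto_target_s, rpo_target_s) -> dict:
    """Compare the restored DB to the pre-backup manifest and score RTO/RPO."""
    restored_manifest = table_manifest(restored)
    integrity = {}
    for t, expected in source_manifest.items():
        actual = restored_manifest.get(t)
        integrity[t] = "ok" if actual == expected else ("MISSING" if actual is None else "MISMATCH")
    samples = []
    for sql, expected in sample_queries:
        got = restored.execute(sql).fetchone()[0]
        samples.append({"sql": sql, "expected": expected, "got": got, "ok": got == expected})
    rto_actual = (restore_finished_at - test_started_at).total_seconds()
    # Everything written after the backup was taken is lost in a real failover,
    # so the backup's age at test start is the RPO actually achieved.
    rpo_actual = (test_started_at - backup_taken_at).total_seconds()
    passed = (all(v == "ok" for v in integrity.values())
              and all(s["ok"] for s in samples)
              and rto_actual <= rto_target_s and rpo_actual <= rpo_target_s)
    return {
        "controls": ["A.8.13", "A.8.14"],
        "integrity": integrity,
        "sample_queries": samples,
        "rto": {"target_s": rto_target_s, "actual_s": rto_actual, "ok": rto_actual <= rto_target_s},
        "rpo": {"target_s": rpo_target_s, "actual_s": rpo_actual, "ok": rpo_actual <= rpo_target_s},
        "passed": passed,
    }


def build_source() -> sqlite3.Connection:
    """Constructed sample data standing in for the production database."""
    c = sqlite3.connect(":memory:")
    c.executescript("""
        CREATE TABLE patients(id INTEGER PRIMARY KEY, mrn TEXT, created_at TEXT);
        CREATE TABLE audit_log(id INTEGER PRIMARY KEY, actor TEXT, action TEXT, at TEXT);
        INSERT INTO patients VALUES
          (1,'MRN-0001','2026-06-01T08:00:00Z'),(2,'MRN-0002','2026-06-01T09:30:00Z');
        INSERT INTO audit_log VALUES
          (1,'svc-ingest','create','2026-06-01T09:31:00Z'),(2,'a.khan','read','2026-06-01T09:45:00Z');
    """)
    return c


def demo(partial_restore: bool = False) -> dict:
    """Run the check end to end; partial_restore simulates a restore that lost a row."""
    src = build_source()
    manifest = table_manifest(src)  # captured immediately before the backup
    backup_at = datetime(2026, 6, 1, 10, 0, tzinfo=timezone.utc)
    restored = sqlite3.connect(":memory:")
    src.backup(restored)  # the "restore" into the non-prod target
    if partial_restore:
        restored.execute("DELETE FROM audit_log WHERE id = 2")
    started = backup_at + timedelta(minutes=10)
    finished = started + timedelta(hours=1, minutes=42)
    samples = [("SELECT COUNT(*) FROM patients", 2),
               ("SELECT mrn FROM patients WHERE id = 2", "MRN-0002")]
    return validate_restore(manifest, restored, samples, backup_at, started, finished,
                            rto_target_s=4 * 3600, rpo_target_s=15 * 60)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo(partial_restore=True)["integrity"]))
```

The manifest must be taken on the source at the moment the backup is cut, not reconstructed afterwards from production (which has moved on), otherwise a silently truncated restore compares equal to nothing. Row counts alone miss a restore that replayed the right number of wrong rows, which is why the per-table hash is there.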


Step 11 — IR Training Session (2 weeks)

Deliver Modules A–E from the IR training programme:

  • Module A — severity classification
  • Module B — containment playbooks
  • Module C — communication procedures
  • Module D — regulator-notification templates (GDPR / NIS 2 / CRA)
  • Module E — recent incident debriefs

Seven tasks: schedule, deliver each of the five modules, capture attendance + evaluation forms, upload to Vanta (A.6.3 + A.5.24).


Step 12 — AI Impact Assessment per System (3 weeks)

Run the AI Impact Assessment methodology for each of the seven AI systems:

  • Workflow Execution Engine
  • Copilot
  • Agents
  • withDlp capability
  • Guardrails workflow block
  • RAG / Knowledge Base
  • Embedding Pipeline

Nine tasks (one per system + EU AI Act classification confirmation + DPIA refresh for systems processing personal data). All seven assessments delivered by end of Q3.


Step 13 — AIUC-1 Quarterly Delta Review (2 weeks)

The AI Gov-led delta review against the current AIUC-1 release. Five tasks: pull current AIUC-1 release notes, diff against last review's mapping, identify new requirements, plan next quarterly eval, open evidence-pack updates as improvement-log entries.


Step 14 — Peer Review & Expert Consultation (1 week)

Three tasks rolling up the year's peer reviews into ai-governance/peer-review-records.mdx:

  • Roll up customer security reviews into the log.
  • Roll up advisor / external-expert consultations.
  • Roll up regulator engagement (if any).

Step 15 — ISMS + AIMS Management Review (1 week)

The formal management review per ISO 27001 Clause 9.3 + ISO 42001 Clause 9.3. Eight tasks walk the team through the full required input/output cycle:

  • Compile management-review pack (4 quarterly reviews + this year's stages).
  • Review status of corrective actions from prior management review.
  • Review changes in external / internal issues affecting ISMS / AIMS.
  • Review information on ISMS / AIMS performance + effectiveness.
  • Review feedback from interested parties (customers, regulators).
  • Review opportunities for continual improvement.
  • Capture management decisions + resource commitments.
  • Executive Sponsor sign-off on management-review minutes.

Download 03-management-review-pack.md — Lumen.health's 22 Aug 2026 management-review record: status of the 12 prior-year corrective actions (the record lists 7 of 12 closed, although all 12 were closed by the end of this run), external and internal issue updates (EU AI Act, NIS 2, headcount growth, multi-region active-active, Series C round), performance summary across pen-test, tabletops, training, restore, AI impact assessments and AIUC-1, customer and advisor feedback, 5 management decisions, and the audit-readiness statement.

The eight-attendee meeting takes 2.5 hours. Daniel (CEO + Executive Sponsor) chairs; Priya records. Five decisions taken:

  1. D-2026-AR-01 — Authorise the BELAC stage-1 audit booking (14–18 Sep 2026).
  2. D-2026-AR-02 — Commit €120 k for a dedicated AI Governance Coordinator (full-time, Q4 2026).
  3. D-2026-AR-03 — Approve SOC 2 Type II observation-period close as Q4 2026.
  4. D-2026-AR-04 — Increase awareness training phishing-simulation cadence from quarterly to monthly.
  5. D-2026-AR-05 — Publish AIMS policy + redacted pen-test summary on the customer security page within 30 days.

Stage gate: approval from Daniel.


Step 16 — Audit-Pack Sync to Vanta (1 week)

The final stage. Eight tasks push every evidence artifact to Vanta and decide whether to proceed with the stage-1 audit:

Download 04-audit-pack-manifest.md — the full audit-pack manifest covering ISMS+AIMS governance, risk management, performance evaluation, internal audit, operational controls (security testing, training, access, change management, incident management, business continuity), AIMS-specific (inventory + impact + AIUC-1 + peer review), GDPR, and audit-window logistics.

Tasks:

  • Upload pen-test report + remediation tracker.
  • Upload IRP + DR tabletop + restore-test records.
  • Upload IR training attendance + evaluation.
  • Upload AI impact assessments (7 systems).
  • Upload management-review minutes + decisions.
  • Run final Vanta status check (target: 0 NEEDS_ATTENTION) — compliance-vanta-final-check workflow.
  • Decide: schedule BELAC stage-1 audit (or defer + document blockers) — approval from Daniel.
  • Distribute audit-readiness summary internally — distribution action.
  • Schedule next yearly review (T + 365 days).

The decision in this stage is the most important approval of the year. Daniel signs, and the BELAC team receives audit-window logistics confirmation.


Three error variants worth seeing

STAGE_DEPENDENCY_NOT_MET
  How to trigger: try to open ISMS + AIMS Management Review before all of the eight evidence-gathering stages complete.
  What it means: sequential stageFlow enforced; the management review meeting needs all evidence in hand.

APPROVAL_REJECTED
  How to trigger: reject Executive Sponsor sign-off on management-review minutes.
  What it means: the instance does not advance to audit-pack sync; the management review captures the rejection commentary.

WORKFLOW_NOT_FOUND
  How to trigger: run on a tenant without compliance-vanta-final-check deployed.
  What it means: the workflow-typed action degrades to a manual checklist with the same status-validation prompt.

Customising the pack

Lumen.health's actual annual review diverges from the shipped pack in five places: the BELAC vs. UKAS audit body, the number of AI systems (Lumen has 7; some tenants have 3 or 15+), the 18-vendor pen-test scope expansion for tenants on enterprise plans, the AIUC-1 quarterly cadence (some tenants do twice-yearly), and the publication policy for the AIMS policy. Three customisation paths:

  1. Fork the pack in TypeScript. Copy packages/sdk-authoring/src/process-flows/examples/iso-yearly-review/index.ts into your own SDK project, edit, change package.id and template.slug (e.g. lumen-iso-annual), bump package.version, and rebuild with bunx @scrydon/sdk-authoring pack build src/pack.ts --outDir dist.
  2. Add typed ontology contributions. A future release could add AuditFinding, PenTestFinding, TabletopOutcome, ImpactAssessment, ManagementDecision Object Types so the annual review emits typed instances queryable cross-year. The CISO could query "show me every High pen-test finding from the last 3 years that is still open" in one sentence.
  3. Parameterise the per-system AI impact assessment list. The shipped template hard-codes 7 systems. A custom version could read the AI system inventory from Vanta at instance-create time and auto-generate one task per system.

If you fork, change the slug and package.id away from iso-yearly-review.

