# Vanta Status Snapshot — Q1 2026

- **Tenant:** Lumen.health
- **Scope:** ISO 27001:2022 + ISO 42001 + GDPR + SOC 2 Type II
- **Snapshot taken:** 31 Mar 2026, 09:14 UTC
- **Pulled by:** workflow `compliance-quarterly-prefetch` (system)
- **Pulled into instance:** Lumen.health Q1 2026 ISMS+AIMS Review

---

## Headline

- **Total tests:** 412 across all frameworks.
- **Green (pass):** 387 (94 %).
- **Needs attention:** 17 (4.1 %) — up 3 from Q4 2025.
- **Failing:** 8 (1.9 %) — down 4 from Q4 2025.
- **Net delta:** +7 (improvement) since Q4 2025.

## Framework breakdown

| Framework | Total tests | Green | Needs attention | Failing |
|---|---|---|---|---|
| ISO 27001:2022 | 196 | 184 | 8 | 4 |
| ISO 42001 | 64 | 58 | 4 | 2 |
| GDPR (custom) | 67 | 65 | 1 | 1 |
| SOC 2 (TSC + CC1-CC9) | 85 | 80 | 4 | 1 |

## Needs-attention items (17)

### ISO 27001:2022 (8)

| Test | Control | First detected | Owner |
|---|---|---|---|
| `change-control-evidence-monthly` | A.8.32 | 14 Feb 2026 | CTO |
| `vendor-review-quarterly` | A.5.19 | 22 Feb 2026 | DPO |
| `access-review-quarterly-on-call` | A.5.18 | 03 Mar 2026 | CISO |
| `business-continuity-test-quarterly` | A.5.30 | 11 Mar 2026 | CTO |
| `risk-assessment-recurring` | 6.1.2 | 18 Mar 2026 | Compliance Lead |
| `awareness-training-evidence` | A.6.3 | 22 Mar 2026 | People Ops |
| `tls-cert-rotation-evidence` | A.8.24 | 24 Mar 2026 | CTO |
| `dlp-policy-applied-evidence` | A.8.28 | 28 Mar 2026 | CISO |

### ISO 42001 (4)

| Test | Control | First detected | Owner |
|---|---|---|---|
| `ai-impact-assessment-current` | 6.1.4 | 17 Feb 2026 | AI Governance Owner |
| `ai-system-inventory-current` | 6.1.2 | 09 Mar 2026 | AI Governance Owner |
| `peer-review-records-current` | A.8.5 | 14 Mar 2026 | AI Governance Owner |
| `aiuc1-evidence-pack-current` | A.9.2 (mapped) | 26 Mar 2026 | AI Governance Owner |

### GDPR (1)

| Test | Reference | First detected | Owner |
|---|---|---|---|
| `dsar-response-time-evidence` | Art. 12(3) | 19 Mar 2026 | DPO |

### SOC 2 (4)

| Test | TSC | First detected | Owner |
|---|---|---|---|
| `secure-development-evidence` | CC8.1 | 28 Feb 2026 | CTO |
| `disaster-recovery-test-evidence` | A1.2 | 11 Mar 2026 | CTO |
| `customer-communication-evidence` | CC2.3 | 17 Mar 2026 | Customer Ops |
| `subprocessor-list-current` | CC9.1 | 24 Mar 2026 | DPO |

## Failing items (8)

| Test | Framework | Failing since | Reason |
|---|---|---|---|
| `mfa-on-all-prod-accounts` | ISO + SOC 2 | 02 Feb 2026 | 3 service-account exceptions |
| `prod-db-encryption-at-rest` | ISO + GDPR | 04 Feb 2026 | staging-db lacks encryption |
| `customer-data-deletion-evidence` | GDPR | 19 Feb 2026 | 2 DSAR deletion requests pending verification |
| `incident-response-test-annual` | ISO 27001 | 19 Feb 2026 | last test 22 Feb 2025 (out of cadence) |
| `vendor-risk-score-monthly` | ISO + SOC 2 | 28 Feb 2026 | 6 vendors not re-scored |
| `aims-policy-published` | ISO 42001 | 03 Mar 2026 | policy in draft since Jan |
| `ai-impact-assessment-coverage` | ISO 42001 | 14 Mar 2026 | covers 4/7 AI systems |
| `signed-acceptable-use-policy` | ISO + SOC 2 | 14 Mar 2026 | 3 contractors lack signatures |

## Net delta vs. Q4 2025

- +5 ISO 27001 controls moved into Green this quarter (encryption-in-transit, secure-coding training, audit logging, backups, access-removal).
- −2 ISO 42001 controls regressed (`ai-impact-assessment-coverage` from 5/7 to 4/7 because the new RAG retrieval feature shipped without its impact assessment; `aims-policy-published` regressed when the draft was returned for legal review).
- +4 SOC 2 controls moved into Green (logical access, change management, encryption, monitoring).

## Trajectory toward audit readiness

- **BELAC stage-1 ISO 27001 + 42001 audit target:** September 2026.
- **Remaining gaps to close before stage-1:** AIMS policy publication, AI impact-assessment coverage 7/7, all eight failing items closed, incident-response test executed.
- **Best-case audit-ready date:** 31 July 2026 (assumes Q2 closes all failing items + Q2 quarterly review is also green).

## Notes for the Q1 review meeting

- The `change-control-evidence-monthly` test failure was caused by a tooling bug in the GitHub → Vanta integration (now patched). A re-run on 30 Mar 2026 is expected to flip it to green.
- Three SOC 2 items overlap with ISO 27001 controls (MFA, encryption, vendor risk); closing each of them once satisfies both frameworks.
- The 17 needs-attention items are spread across 5 owners; no single owner is blocking. Engineering Lead (CTO) carries the largest count (5).
