# Quarterly Review Report — Q1 2026

**Tenant:** Lumen.health
**Review period:** 01 Jan 2026 – 31 Mar 2026
**Scope:** ISO 27001:2022 + ISO 42001 ISMS/AIMS
**Issued:** 03 Apr 2026
**Author:** Priya Ramaswamy, Compliance Lead
**Approver:** Daniel Foley, CEO + Executive Sponsor

---

## 1. Executive summary

Lumen.health remains on track toward the September 2026 BELAC stage-1 audit for ISO 27001:2022 + ISO 42001 joint certification. The Q1 quarterly review surfaced 17 needs-attention items (up 3 from Q4 2025) and closed 4 of the 12 previously failing items. Two ISO 42001 controls regressed because the new RAG retrieval feature shipped without its impact assessment — this is the most material gap going into Q2 and is the lead decision in § 4.

GDPR compliance posture is essentially stable. The SOC 2 Type II observation window is on track to end 31 May 2026.

## 2. AI Governance metrics

| Metric | Baseline (Q4 2025) | Q1 2026 | Trend |
|---|---|---|---|
| AI systems inventoried | 6/7 | 7/7 | ↑ (added RAG retrieval) |
| AI systems with current impact assessment | 5/7 | 4/7 | ↓ regression |
| AI systems with peer-review record this year | 5/7 | 5/7 | flat |
| AI systems with documented safety-resilience controls | 6/7 | 7/7 | ↑ |
| AI agent guardrail test coverage | 71 % | 78 % | ↑ |
| AI evaluation latency (P95) | 870 ms | 740 ms | ↑ |
| Human-in-the-loop intervention rate | 12 % | 9 % | ↑ (lower is better) |

Three AI systems require impact-assessment refresh: the new RAG retrieval feature (no prior assessment), the agent runtime (last reviewed Aug 2025), and the patient-intake guardrails (last reviewed Sep 2025).

## 3. Operational & Security metrics

| Metric | Q4 2025 | Q1 2026 | Trend |
|---|---|---|---|
| Mean time to detect (MTTD) — security alerts | 14 min | 11 min | ↑ |
| Mean time to acknowledge (MTTA) | 4 min | 3 min | ↑ |
| Critical CVE remediation P95 | 6 days | 4 days | ↑ |
| Patches applied within SLA | 96 % | 98 % | ↑ |
| Backup recovery test pass rate | 100 % | 100 % | flat |
| Open vulnerabilities (critical/high) | 3 / 18 | 1 / 14 | ↑ |
| MFA enforcement coverage | 96 % | 96 % | flat (3 service-account exceptions remain) |
| Failed authentication rate | 1.2 % | 0.9 % | ↑ |

The three MFA service-account exceptions are owned by the CTO and queued for Q2; rotation to FIDO2 in progress.

## 4. Engineering gaps status (EG-### roll-up)

| Gap | Status Q4 → Q1 | Owner | Q2 target |
|---|---|---|---|
| EG-002 — secure DEK rotation for tenant data | In progress → In progress | Eng | Close by 15 May |
| EG-007 — DLP egress for AI agent output | In progress → Closed | Eng | n/a (closed in Q1) |
| EG-009 — penetration test annual cadence | Blocked → In progress | CISO | Pen-test SoW signed; engagement 15 May |
| EG-012 — RAG retrieval impact assessment | Not started → In progress | AI Gov | Assessment delivered by 30 Apr |
| EG-015 — customer data deletion audit | In progress → In progress | DPO | Audit complete by 30 Jun |
| EG-018 — IR tabletop annual cadence | Blocked → In progress | CISO | Tabletop scheduled 02 May |
| EG-021 — AIUC-1 evidence-pack refresh | In progress → In progress | AI Gov | Q2 quarterly eval scheduled |

## 5. Decisions taken at this review

See `03-decisions-log.md` for the full decision log. Headlines:

1. **D-2026-Q1-01** — Accelerate RAG impact assessment to "highest priority for AI Gov in Q2."
2. **D-2026-Q1-02** — Defer SOC 2 Type II audit by one quarter (from Sep to Dec 2026) so we don't compete with ISO stage-1.
3. **D-2026-Q1-03** — Approve the engagement with PenTestPartners for the May pen-test (€42 k, 2 weeks).
4. **D-2026-Q1-04** — Commit €18 k for the IRP + DR tabletop facilitator (one-off).
5. **D-2026-Q1-05** — Endorse the AIMS policy public publication (subject to one round of legal review).

## 6. Action items

See `04-findings-and-action-items.md` for the full register. 23 action items raised; 19 close in Q2; 4 carry into Q3.

## 7. Next quarterly review

**Q2 2026:** scheduled 01 Jul 2026 (Wednesday), 09:00–11:00 BST + virtual link.

## Approvals

Signed: Priya Ramaswamy, Compliance Lead — 03 Apr 2026
Signed: Daniel Foley, CEO + Executive Sponsor — 03 Apr 2026
Signed: Marco Esposito, CTO — 03 Apr 2026
Signed: Aisha Khan, CISO — 03 Apr 2026
Signed: Lukas Berg, AI Governance Owner — 03 Apr 2026
Signed: Anne Verwoerd, DPO — 03 Apr 2026
