# Q1 2026 Quarterly Review — Decisions Log

**Tenant:** Lumen.health
**Meeting:** Q1 2026 ISMS+AIMS Quarterly Review
**Date:** 03 Apr 2026, 09:00–11:00 BST + virtual
**Quorum:** 6 of 6 (full attendance)
**Recorded by:** Priya Ramaswamy, Compliance Lead

---

## Attendees

| Role | Name | Attending |
|---|---|---|
| Compliance Lead | Priya Ramaswamy | ✓ |
| CEO + Executive Sponsor | Daniel Foley | ✓ |
| CTO + Engineering Lead | Marco Esposito | ✓ |
| CISO | Aisha Khan | ✓ |
| AI Governance Owner | Lukas Berg | ✓ |
| DPO | Anne Verwoerd | ✓ |

## Decisions

### D-2026-Q1-01 — Accelerate RAG impact assessment

**Decision:** The new RAG retrieval feature impact assessment is the highest-priority deliverable for AI Governance in Q2 2026. Target completion 30 Apr 2026.

**Context:** The RAG feature shipped on 11 Mar 2026 without its impact assessment, regressing the `ai-impact-assessment-coverage` test from 5/7 to 4/7. This is the most material gap going into the BELAC stage-1 audit (Sep 2026).

**Vote:** 6–0 unanimous.
**Owner:** Lukas Berg (AI Governance).
**Effective:** Immediately.

### D-2026-Q1-02 — Defer SOC 2 Type II audit by one quarter

**Decision:** Slip the SOC 2 Type II observation-period close from 31 Sep 2026 to 31 Dec 2026.

**Context:** The current ISO 27001 + 42001 stage-1 audit is scheduled for September 2026. Running SOC 2 observation close in the same window would saturate the compliance + engineering teams and risk both. The SOC 2 customer commitments (most of the enterprise contracts) accept the Q4 finalisation date.

**Vote:** 5–1 (Aisha against — concern about customer pipeline messaging). The decision passes; Daniel commits to leading the customer communications himself.
**Owner:** Daniel Foley (CEO).
**Effective:** Immediately. Customer pipeline announcement Q2 week 1.

### D-2026-Q1-03 — Approve PenTestPartners engagement for May pen-test

**Decision:** Sign the Statement of Work with PenTestPartners for a 2-week pen-test starting 15 May 2026. Budget: €42 000 (within EG-009 contingency).

**Context:** Lumen.health has not had an external pen-test since June 2024. EG-009 requires annual cadence. This engagement closes that gap.

**Vote:** 6–0 unanimous.
**Owner:** Aisha Khan (CISO).
**Effective:** SoW signature within 5 working days.

### D-2026-Q1-04 — Commit €18 k for IRP + DR tabletop facilitator

**Decision:** Engage an external facilitator (preferred vendor: Resilient Risk Ltd) to run the IRP + DR tabletops scheduled 02–03 May 2026. €18 000.

**Context:** EG-018 requires annual cadence; last full IRP tabletop was Feb 2025. The DR tabletop is a separate exercise this year given the migration to multi-region active-active in Q4 2025.

**Vote:** 6–0 unanimous.
**Owner:** Aisha Khan (CISO).
**Effective:** Vendor engagement within 7 working days.

### D-2026-Q1-05 — Endorse AIMS policy publication

**Decision:** Endorse public publication of the AIMS policy (currently in draft) once the legal review concludes.

**Context:** The AIMS policy has been in legal review since 18 Jan 2026, blocking the `aims-policy-published` Vanta test. Daniel asked for status; legal expects to clear by 20 Apr 2026. The board endorses publication immediately upon legal clearance.

**Vote:** 6–0 unanimous.
**Owner:** Anne Verwoerd (DPO, with legal).
**Effective:** Upon legal-review completion (target 20 Apr 2026).

## Decisions deferred

- **Custom-data-deletion audit cadence** — Anne raised whether the annual cadence should move to bi-annual given GDPR DSAR volume. Deferred to Q2 for data-driven review.
- **Hire of a dedicated AI Governance Coordinator (full-time)** — Lukas raised the staffing case. Daniel agreed in principle but deferred budget approval pending Q2 financials. To be decided at Q2 review.

## Risks raised but not decided

- **Risk R-2026-Q1-A** — The Q1 RAG impact-assessment gap might be flagged in audit findings if it is not closed by the end of Q2. Mitigation: D-2026-Q1-01 above.
- **Risk R-2026-Q1-B** — Engineering capacity is constrained by the Q2 product roadmap; risk that EG-002 + EG-009 + EG-018 all compete for the same SRE bandwidth. Mitigation: deferred to the Q2 capacity-planning session.

## Sign-off

All decisions were signed off in the meeting. Document archived to the Vanta evidence locker (path: `evidence/iso-quarterly-review/2026-q1/`) and to the Lumen.health Notion compliance workspace.
