# BELAC Stage-1 Audit Pack — Manifest

**Tenant:** Lumen.health
**Audit:** ISO 27001:2022 + ISO 42001 joint certification — BELAC stage-1
**Audit window:** 14–18 September 2026
**Audit pack issued:** 23 Aug 2026 (final), 18 Aug 2026 (preliminary upload)
**Maintained by:** Priya Ramaswamy, Compliance Lead

The audit pack is the formal evidence collection BELAC's auditors will consult during the stage-1 desk review. Everything in this manifest is held in the Vanta evidence locker at `evidence/iso-yearly-review/2026/` and mirrored in the Lumen.health Notion compliance workspace.

---

## 1. ISMS + AIMS governance

| Document | Status |
|---|---|
| ISMS Policy (v3.2, signed) | ✓ |
| AIMS Policy (v1.0, signed + published 30 Apr 2026) | ✓ |
| Scope statement (ISMS + AIMS) | ✓ |
| Statement of Applicability — ISO 27001:2022 (93 Annex A controls) | ✓ |
| Statement of Applicability — ISO 42001 (38 Annex A controls) | ✓ |
| Information security objectives 2026 | ✓ |
| AI management objectives 2026 | ✓ |
| Organisational chart (current) | ✓ |
| Roles & responsibilities matrix (RACI) | ✓ |
| ISMS + AIMS document register | ✓ |

## 2. Risk management

| Document | Status |
|---|---|
| Risk register (snapshot 22 Aug 2026) | ✓ |
| Risk treatment plan | ✓ |
| Risk acceptance log (2 items, signed) | ✓ |
| Methodology documentation | ✓ |

## 3. Performance evaluation

| Document | Status |
|---|---|
| Q1 2026 quarterly review report | ✓ |
| Q2 2026 quarterly review report | ✓ |
| Annual management review minutes (22 Aug 2026) | ✓ (included in this audit pack) |
| Vanta status snapshot (current) | ✓ |
| KPI dashboard exports (last 12 months) | ✓ |

## 4. Internal audit

| Document | Status |
|---|---|
| Internal audit programme 2025–2027 | ✓ |
| Internal audit results 2026 (Jun 2026) | ✓ |
| Non-conformity log + corrective actions | ✓ |

## 5. Operational controls

### Security testing

| Document | Status |
|---|---|
| PenTestPartners final report (29 May 2026) | ✓ |
| PenTestPartners redacted summary (12 Jun 2026) | ✓ |
| Pen-test remediation tracker (all 23 findings, status) | ✓ |
| IRP tabletop record (SC-A1, 02 May 2026) | ✓ |
| DR tabletop record (DR-A2, 03 May 2026) | ✓ |
| Restore test record (24 Jun 2026) | ✓ |

### Training & awareness

| Document | Status |
|---|---|
| IR training attendance (17 Jun 2026) | ✓ |
| Quarterly IC drill records (3 sessions) | ✓ |
| Awareness training evidence (51 employees) | ✓ |
| Acceptable Use Policy signatures (51/51) | ✓ |

### Access management

| Document | Status |
|---|---|
| Quarterly access reviews (Q1, Q2 2026) | ✓ |
| MFA coverage evidence (100% as of 31 May 2026) | ✓ |
| Privileged access register | ✓ |
| Vendor access register | ✓ |

### Change management & secure development

| Document | Status |
|---|---|
| Change-control evidence (monthly, 12 months) | ✓ |
| Secure-development policy + SDLC evidence | ✓ |
| Code-review records sample (Q1, Q2 2026) | ✓ |
| Dependency-management evidence | ✓ |

### Incident management

| Document | Status |
|---|---|
| IR procedure v3 (signed 12 Feb 2026) | ✓ |
| LLM-specific incident playbook v1 (final, 30 Jun 2026) | ✓ |
| Incident log (12 months — no notifiable incidents) | ✓ |

### Business continuity

| Document | Status |
|---|---|
| BCP v2.1 | ✓ |
| Multi-region active-active architecture documentation | ✓ |
| DR tabletop record (DR-A2, listed under Security testing above) | ✓ |
| Backup procedure + test evidence | ✓ |

## 6. AIMS — ISO 42001 specific

### Inventory + impact

| Document | Status |
|---|---|
| AI system inventory (7 systems, snapshot 22 Aug 2026) | ✓ |
| AI impact assessment — Workflow Execution Engine | ✓ |
| AI impact assessment — Copilot | ✓ |
| AI impact assessment — Agents | ✓ |
| AI impact assessment — withDlp capability | ✓ |
| AI impact assessment — Guardrails workflow block | ✓ |
| AI impact assessment — RAG / Knowledge Base | ✓ |
| AI impact assessment — Embedding Pipeline | ✓ |

### AIUC-1 alignment

| Document | Status |
|---|---|
| AIUC-1 evidence pack (current — v0.9.3) | ✓ |
| Quarterly delta reviews (Q1, Q2, Q3 2026) | ✓ |
| Adversarial-robustness eval reports (Q1, Q2, Q3 2026) | ✓ |

### Peer review + consultation

| Document | Status |
|---|---|
| Peer review records log (current) | ✓ |
| External-expert consultation log (3 advisors + 1 ex-NCSC) | ✓ |
| Customer security-review log (14 reviews) | ✓ |

## 7. Privacy / GDPR

| Document | Status |
|---|---|
| RoPA (Record of Processing Activities) | ✓ |
| DPIA — high-risk processing (current) | ✓ |
| Subprocessor list (current — 14 subprocessors) | ✓ |
| DSAR procedure + response-time evidence | ✓ |
| Breach-notification procedure + template | ✓ |
| Customer-data-deletion audit record | ✓ |

## 8. Cross-references

For each control in the SoA there is a one-line cross-reference to the supporting document listed above. These mappings are stored in Vanta as the native control-to-evidence mapping and are not duplicated here.

## 9. Audit-window logistics

| Item | Status |
|---|---|
| Auditor read-only access provisioned (BELAC team) | ✓ |
| Auditor on-site logistics (London office, 14–18 Sep) | ✓ |
| Daily debrief slots scheduled with auditors | ✓ |
| Lead auditor: Mihaela Popescu (BELAC) | confirmed |

## 10. Distribution

This manifest and the underlying evidence are accessible to:

1. BELAC audit team (read-only Vanta access provisioned 23 Aug 2026)
2. Lumen.health management review team (full access in Notion compliance workspace)
3. External advisors on request, under NDA

---

**Maintained by:** Priya Ramaswamy, Compliance Lead
**Final review by:** Daniel Foley (CEO), Aisha Khan (CISO), Lukas Berg (AI Gov Owner)
**Date of final review:** 22 Aug 2026
