Annual Board-level ISMS Review Procedure
Owner: Security Officer · Approved by leadership · Version 1.0 · Effective 27 May 2026 · Next review 27 May 2027
1. Purpose
This procedure defines the controlled annual cadence under which Glassbreak's board exercises oversight of the information security management system (ISMS). It produces signed minutes that record risk-acceptance decisions, policy approvals, and resource allocations and that an auditor can sample.
The annual board review sits above the Quarterly ISMS Management Review: the quarterly review operates the ISMS; the annual board review governs it.
2. Scope
The review covers the ISMS as a whole for the full year under review, including the operation of every cadence procedure listed under Related documents in section 11 below.
3. Ownership
- Accountable owner — the Security Officer convenes the review, prepares the read-ahead pack, and signs the minutes.
- Board attendance — the board attends in its oversight capacity; at least one board attendee counter-signs the minutes.
- Contributing attendees — engineering and customer-facing leads attend to present evidence and answer board questions.
4. Cadence
- One review per calendar year, scheduled at the same point in the year as this procedure's effective date and completed within a window of 30 days either side of that date.
- An interim board review is convened if a SEV-1 incident, a failed external audit at certification scope, or a material strategic change warrants board attention before the next annual window.
5. Standing agenda
- 5.1 Year in review — summary of incidents, audit outcomes, customer-facing events, and material platform changes in the period.
- 5.2 Operation of the ISMS — confirmation that every cadence procedure was operated on schedule in the period, with exceptions noted.
- 5.3 Policy approvals — board approval of every materially revised policy and of any new policy in the published set.
- 5.4 Information-security objectives — setting the information-security objectives for the year ahead, with measurable targets.
- 5.5 Risk-acceptance decisions — board consideration of any risk for which acceptance is proposed at a level requiring board approval, with the rationale, expiry, and compensating controls recorded.
- 5.6 Resource allocation — confirmation that the resources (people, budget, tooling) committed to the ISMS for the year ahead are adequate to deliver the objectives.
- 5.7 Independence and authority — confirmation that the Security Officer retains the independence and authority required to operate the ISMS.
- 5.8 Actions — every action arising from the review, with owner and closure deadline.
6. Procedure
- The Security Officer prepares the read-ahead pack from the year's quarterly management-review minutes, the annual technical evaluation, the internal-audit programme outputs, and the current risk register.
- The read-ahead pack is circulated to board attendees at least 5 business days before the meeting.
- The meeting proceeds in agenda order with a scribe capturing decisions and actions in real time.
- Draft minutes are circulated within 5 business days of the meeting for correction.
- The Security Officer signs the corrected minutes; at least one board attendee counter-signs.
- The signed minutes are filed in the compliance evidence store and indexed by year.
- Actions are tracked in the standard issue tracker until closure.
7. Template
Each annual board review produces a single minutes document with the following structure. This template is the artefact that an auditor may sample.
- Header — review identifier, year covered, target date, actual date, attendees (with board attendance noted), Security Officer, counter-signer(s).
- Read-ahead pack — list of attached inputs with their references.
- Agenda — each standing item from §5 in order, with: discussion summary, decisions taken, actions raised (with owner and deadline), references to underlying evidence.
- Policy approval record — table of every policy version approved at the review.
- Information-security objectives — table of the objectives set for the year ahead, with targets and measurement method.
- Risk-acceptance register — table of risk-acceptance decisions made or renewed at the review, with rationale, expiry, and compensating controls.
- Resource record — committed resources for the year ahead.
- Open action register — table of all open actions, with status.
- Sign-off — Security Officer signature and date, board-attendee counter-signer signature and date.
8. First instance
The inaugural annual board-level ISMS review was completed on the effective date of this procedure (27 May 2026). It walked the standing agenda end-to-end, approved the published policy set, set the information-security objectives for the first year, and confirmed the resources committed to the ISMS. The signed minutes are held in the compliance evidence store and available under NDA.
9. Records
- Signed minutes and their read-ahead packs are retained for at least 5 years.
- Risk-acceptance decisions made or renewed at the review are entered in the risk register with the recorded expiry date.
- Action items are tracked in the standard issue tracker until closure.
10. Review of this procedure
This procedure is reviewed at least annually at the board review itself, and additionally after any material change to the framework requirements that alters what the board must approve. The next scheduled review is 27 May 2027.
11. Related documents
- Policies index
- Information Security Policy
- Quarterly ISMS Management Review
- Annual Technical Evaluation
- Internal Audit Programme
Counter-signed PDF copy available on request to compliance@glassbreak.io.