
ISO Management Reviews

Effective: March 17, 2026 · DCF-164

1. Purpose

This document establishes the management review process for the H33.ai Information Security Management System (ISMS) as required by ISO 27001:2022 Clause 9.3. Management reviews ensure the continuing suitability, adequacy, effectiveness, and alignment of the ISMS with the strategic direction of H33.ai, Inc.

Management reviews evaluate the ISMS against all required inputs specified in Clause 9.3.2 and produce decisions and actions related to continual improvement opportunities, the need for changes to the ISMS, and resource requirements.

2. Review Frequency and Triggers

Scheduled Reviews: Quarterly, in March, June, September, and December. ISO 27001:2022 Clause 9.3.1 requires reviews at planned intervals; H33.ai's quarterly cadence exceeds the annual minimum commonly applied by certification bodies.
Triggered Reviews: Material security incidents (Severity 1-2), significant organizational changes, regulatory changes affecting the ISMS, internal or external audit results requiring management attention, major infrastructure changes.
Review Chair: Eric Beans, CEO/CISO
Minutes Maintained By: CEO/CISO (documented in Drata)
Record Retention: Minimum 3 years (maintained in the Drata evidence library)

3. Q1 2026 Management Review — Meeting Minutes

Meeting Date: March 15, 2026
Meeting Time: 10:00 AM – 11:30 AM EST
Location: Virtual (Microsoft Teams)
Chair: Eric Beans, CEO/CISO
Attendees: Eric Beans (CEO/CISO, ISMS Owner, HIPAA Security Officer)
Meeting ID: MR-2026-Q1-001

Agenda and Discussion

3.1 Status of Actions from Previous Management Reviews

Discussion: This is the inaugural ISMS management review for H33.ai. No previous actions to review. The ISMS was formally established in Q1 2026 with ISO 27001:2022 certification as a strategic objective.

Decision: Noted. Baseline established for future tracking.

3.2 Changes in External and Internal Issues Relevant to the ISMS

External changes identified:

  • NIST finalized FIPS 203 (ML-KEM, derived from CRYSTALS-Kyber), FIPS 204 (ML-DSA, derived from CRYSTALS-Dilithium), and FIPS 205 (SLH-DSA, derived from SPHINCS+) in August 2024. The H33 architecture implements ML-KEM and ML-DSA per these standards.
  • NSA CNSA 2.0 phases quantum-resistant algorithms into national security systems between 2025 and 2033, with several categories (software and firmware signing, networking equipment) required to use them exclusively by 2030. H33 is ahead of this timeline, providing a competitive advantage.
  • Growing enterprise demand for FHE-based privacy-preserving computation, particularly in healthcare (HIPAA) and financial services.
  • Increased regulatory scrutiny on biometric data handling (BIPA-style laws expanding to additional states).

Internal changes identified:

  • Production pipeline v10 achieved 2.17M auth/sec sustained on Graviton4 (c8g.metal-48xl), exceeding performance targets.
  • Credit-based pricing and billing system deployed (March 2026).
  • H33 token migration completed (February 2026) to new Solana program.
  • Auth1 subsidiary fully integrated with H33 platform for workforce and customer identity.

Decision: No material changes require ISMS scope adjustment. Current scope remains adequate. Continue monitoring NIST PQC updates and state-level biometric data regulations.

3.3 Feedback on Information Security Performance

3.3.1 Nonconformities and Corrective Actions:

No nonconformities identified in Q1 2026. Nonconformity management process established (DCF-566). Zero open corrective action requests.

3.3.2 Monitoring and Measurement Results:

  • Drata compliance score: 100% for all active controls
  • DataDog infrastructure uptime: 99.97% (Q1 2026)
  • Security awareness training completion: 100%
  • Endpoint compliance (encryption, patching): 100%
  • Access review completion: Completed on schedule (March 2026)
  • Vulnerability scan findings: 0 critical, 0 high. Dependency advisories are checked with cargo-audit against the RustSec database; Rust's memory safety reduces exposure to memory-corruption classes but does not cover unsafe blocks or application logic, which remain subject to code review.

3.3.3 Audit Results:

SOC 2 Type II audit engagement initiated. ISO 27001 certification audit planned for Q3 2026. Internal audit program established (DCF-165) with first audit scheduled Q2 2026.

3.3.4 Fulfilment of Information Security Objectives:

  • Objective 1: Achieve SOC 2 Type II attestation — In Progress (audit engagement active)
  • Objective 2: Achieve ISO 27001:2022 certification — In Progress (ISMS established, certification audit planned Q3)
  • Objective 3: Maintain zero security breaches — On Track (zero incidents in Q1)
  • Objective 4: Deploy HIPAA-compliant infrastructure — Complete (BAAs in place, encryption, access controls)
  • Objective 5: Achieve NIST PQC alignment — Complete (FIPS 203/204 implemented)

3.4 Feedback from Interested Parties

Discussion:

  • Customers: Positive reception of post-quantum security posture. Enterprise prospects requesting SOC 2 Type II report and ISO 27001 certificate as procurement requirements.
  • Regulators: No regulatory inquiries or enforcement actions received. HIPAA compliance maintained.
  • Partners: AWS partnership provides access to Graviton4 infrastructure. No security concerns raised by technology partners.

Decision: Customer demand confirms strategic priority of completing SOC 2 and ISO 27001 certifications. No changes needed to ISMS based on interested party feedback.

3.5 Results of Risk Assessment and Risk Treatment Plan Status

Discussion:

  • Risk register contains 12 identified risks. All risks have treatment plans assigned.
  • Top risks:
    1. Quantum computing threat to classical cryptography. Mitigated by the post-quantum architecture (BFV FHE, ML-DSA, ML-KEM). Residual risk: Low.
    2. Key person dependency (single technical founder). Mitigated by documentation, automated controls, and Drata monitoring. Residual risk: Medium.
    3. Cloud provider outage. Mitigated by multi-AZ deployment and automated failover. Residual risk: Low.
  • No new risks identified requiring treatment plan updates.
  • Risk appetite statement reviewed: H33.ai accepts low-to-medium residual risk levels where compensating controls are documented.

Decision: Risk treatment plans are adequate. Key person dependency to be addressed through documentation improvement and potential hiring in Q3 2026. Risk register to be reviewed again at Q2 management review.

3.6 Opportunities for Continual Improvement

Discussion:

  • Automate additional Drata evidence collection to reduce manual effort.
  • Implement automated compliance reporting dashboards in DataDog.
  • Expand security training to include post-quantum cryptography concepts for future hires.
  • Consider HITRUST CSF certification after ISO 27001 to further address healthcare market requirements.
  • Evaluate SOC 2 + HIPAA combined audit to reduce audit burden.

Decision: Approved automation improvements for Q2 2026. HITRUST evaluation deferred to Q4 2026. Combined audit approach to be discussed with external auditor.

4. Decisions and Action Items

# | Action Item | Owner | Due Date | Status
MR-Q1-01 | Complete SOC 2 Type II readiness assessment with external auditor | Eric Beans | April 30, 2026 | Open
MR-Q1-02 | Schedule ISO 27001 Stage 1 certification audit | Eric Beans | May 31, 2026 | Open
MR-Q1-03 | Conduct first internal audit per DCF-165 audit program | Eric Beans | June 15, 2026 | Open
MR-Q1-04 | Automate additional Drata evidence collection (backup verification, access reviews) | Eric Beans | April 30, 2026 | Open
MR-Q1-05 | Document key person risk mitigation plan (runbooks, architecture documentation) | Eric Beans | May 31, 2026 | Open
MR-Q1-06 | Review and update risk register for Q2 management review | Eric Beans | June 1, 2026 | Open

5. Next Management Review

Scheduled Date: June 15, 2026 (Q2 2026 Review)
Focus Areas: Internal audit results, SOC 2 readiness progress, ISO 27001 Stage 1 preparation, risk register update, action item follow-up from Q1

6. Meeting Approval

Minutes Prepared By: Eric Beans, CEO/CISO
Minutes Approved By: Eric Beans, CEO/CISO
Approval Date: March 15, 2026
Signature: /s/ Eric Beans

Appendix A: Management Review Template

The following template shall be used for all future management reviews to ensure consistency and completeness per ISO 27001:2022 Clause 9.3.

  1. Status of actions from previous management reviews — Review all open action items and verify closure or progress.
  2. Changes in external and internal issues — Regulatory changes, market conditions, organizational changes, technology landscape shifts.
  3. Feedback on information security performance — Including:
    • Nonconformities and corrective actions
    • Monitoring and measurement results
    • Audit results (internal and external)
    • Fulfilment of information security objectives
  4. Feedback from interested parties — Customers, regulators, partners, employees.
  5. Results of risk assessment and risk treatment plan — Risk register review, new risks, residual risk evaluation.
  6. Opportunities for continual improvement — Process improvements, automation, training, scope expansion.
  7. Decisions and action items — With assigned owners, due dates, and tracking identifiers.
  8. Next review date and focus areas

Questions?

Contact the Security Officer at security@h33.ai or the Compliance team at compliance@h33.ai.

H33.ai, Inc. · 11533 Brighton Knoll Loop, Riverview, FL 33579 · 813-464-0945