Halberd Systems, Amsterdam
Monday week +9, 08:11
Eight weeks after the surveillance audit. The disclosure form is open on your screen.

Halberd Systems, Amsterdam. Monday morning, week nine after the Stenmark surveillance audit. Iris Hartnell at her desk. Coffee cooling. The post-surveillance disclosure form filled out on screen, cursor blinking on the supplementary-information field above the signature line.

She has to send it. The question is what she puts in the supplementary-information field above the signature.

Iris Hartnell
Eight weeks ago I had not opened Felix's SharePoint folder. I want to start there.
Day 1, Week -8
Renaud's office, 09:47
Halberd Systems HQ, third floor. The Stenmark surveillance audit is on the calendar in eight weeks.
Renaud Belmont hands Iris the ISMS Manager keys.

Eight weeks earlier. Monday, 09:47. Renaud Belmont's office on the third floor. The Stenmark surveillance audit is on the calendar in eight weeks.

Renaud Belmont
Iris. Welcome to the seat. I will keep this short because you have had eight weeks of meetings already and the next one is going to be more useful than this one.
Renaud Belmont
Felix left the SharePoint folder. The URL is in your inbox. The Stage 1 + Stage 2 audit was eighteen months ago, the certificate was issued by Stenmark, the lead auditor on the surveillance is Jonas Strindberg out of their Stockholm office. He has done two engagements with us already. Methodical. Reads the SoA before he arrives.
Renaud Belmont
Trielle Pharma's master agreement has a cert-lapse termination clause. They are twenty-two percent of revenue. The Audit Committee will want to see a clean surveillance report. That is the headline. The detail is yours.
Iris Hartnell
What did Felix leave?
Renaud Belmont
Whatever was on his screen the day he walked out. I have not opened the folder. That is your job.
Decision 1
First-day posture
Renaud has finished. Eight weeks before Stenmark arrives, no handover, three first moves available.

Which one do you make first?

Consequence
Decision 1 outcome
Documents-first · +6
You spend the first day inside Felix's documents. By Wednesday you have a working picture of what was certified eighteen months ago and what has not been touched since. The picture is not flattering, but it is yours. (SoA · Clause 6.1.3.)
People-first · +2
You learn about Felix as a person and you learn what the team thinks of the controls. You also lose three days you could have spent reading the SoA. The picture you build is partial, second-hand, and shaped by the colleagues' loyalties to Felix.
Auditor-first · -6
Jonas takes the call. Politely. He notes the call in the engagement file. He cannot tell you anything about the previous surveillance that is not already in the certificate documentation, and he now has a record of you calling on Day 1 with no apparent reason. The call has flagged you as either anxious or fishing. (ISO/IEC 17021-1 auditor independence.)
Tuesday afternoon, week -8
Felix's SharePoint folder

Tuesday afternoon. The SharePoint folder is called ISMS-2024. The last-modified date on the parent folder is twelve weeks ago, three days before Felix left. The folder contains seven sub-folders and forty-one loose files.

The Statement of Applicability is at the top, marked v3.2, dated nineteen months ago. The risk register is one folder down, last edited fourteen months ago. The internal audit programme spreadsheet has rows for Q1 and Q2 of last year filled in; Q3 and Q4 are empty. The management review folder contains minutes from one meeting in February and a calendar invite for May that was declined by every attendee.

Iris Hartnell
He left in week thirty-eight. The last management review was scheduled for week twenty. The internal audit programme stops in week twenty-six.
Iris Hartnell
Three quarters of last year had no internal audit activity logged and no management review held. That is a Clause 9 problem before we even get to Annex A.
Activity 1 of 4 · Document Redline
Risk Register Redline
Felix's risk register has not been updated in fourteen months. Mark each row.

Halberd has shipped three new platform features, signed two new pharma customers, and migrated the primary data store to a new region in that period. Eight risk-register rows are visible. For each row: Stale (needs rewrite), Still-Valid, or Missing-and-Required (the row should exist and does not).

End of week one
The week-7 calendar

End of week one. The risk register has been redlined. The picture is not as bad as Iris feared, and not as good as Renaud assumed. Felix did not falsify. He stopped maintaining.

Iris's calendar for week -7 has one anchor: a meeting with Marisol Quintero on Wednesday. Marisol controls the time budget for the controls testing Iris needs to do before Stenmark arrives. The agenda line reads "ISMS readiness, fifteen minutes." Iris will need more than fifteen minutes.

Iris Hartnell
Three rounds. I will need three rounds with Marisol to get the time I need.
Activity 2 of 4 · 3-round negotiation
Marisol's office, Wednesday week -7, 14:30
Marisol has fifteen minutes. You need a four-week budget allocation.
Activity 3 of 4 · Inherited-Control Classifier
Ten controls. Four classifications.
Felix's documented controls. Real, Theatre, Partial, or Unverifiable.

For each card: the documented control statement, the artefact attached as evidence, the team owner's quote when you ask. Classify each. Under-classifying Theatre as Real costs the most: it papers over the predecessor's gap and almost guarantees the surveillance auditor lands on it.

Decision 2
Broaching the predecessor pattern with Renaud
The classifier has surfaced four Theatre controls. You have a 1:1 with Renaud on Friday.

The Theatre controls trace back to Felix's habit of writing the SoA optimistically. How do you broach this with Renaud?

Consequence
Decision 2 outcome
Forward-looking · +8
Renaud accepts it without flinching. He asks for the list of four and the remediation plan. He notes the framing approvingly. He does not ask about Felix.
Blame-Felix · -2
Renaud's posture changes. He does not defend Felix but he marks the framing as defensive. He says: "Find me a way to fix it that is not about him." The audit-side substance is unaffected. Your standing with Renaud takes a hit it will not entirely recover from in M1.
Delay · -5
Renaud does not know what you have found. The remediation lands in M2 with less time. The audit-integrity bar takes the hit because you are now privately holding a Theatre-classification that the certbody might reach before you do. (Clause 9.2 / 9.3.)
Activity 4 of 4 · Sample-Allocation under time budget
Pick the controls you will deep-test

Each card shows the M1-classifier outcome, the surveillance-sampling probability that Jonas lands on it, and the remediation cost if it fails. Pick the controls you will deep-test. Wrong picks (low-risk picked over high-risk) become surveillance findings in M3.

Week -5, Day 5
The banker's box
Felix's banker's box on Iris's desk, Day 1.

On Iris's desk, week -4, Monday morning, sits a banker's box. Felix's leftovers. Three SoA print-outs, two USB sticks, a coffee mug with a faded Halberd logo, and an unopened envelope from Stenmark Certification dated four months ago, addressed to F. Westbrook.

Iris has not opened the envelope. She knows what is inside: the standard Stenmark surveillance-engagement letter for the SA1, the one Felix would have signed and returned. He never did.

She picks up the envelope. She puts it back down. She decides she will open it after she has finished the sample-allocation work, not before. The contents will not change the choices she has already made.

Decision 3
First feedback to Marisol
Week -4, Day 2. Marisol has asked for a fifteen-minute readout.

You have the classifier results, the sample-allocation picks, the redline outcome. What do you tell her?

Consequence
Decision 3 outcome
Full picture · +8
Marisol approves the picture. She asks one question: "Is the supplementary-information field already drafted?" You say no, not yet. She says: "Draft it now. Do not wait until after the audit." She is right. The supplementary-information field is the framing-device resolution.
Headline only · -5
Marisol marks the file. She has heard "on track, defensible" before. She does not ask follow-up questions. She also does not advocate for you with Renaud later. The brief was the moment to demonstrate substance and you spent it on confidence.
Structured · +6
Marisol approves the structure and the honesty about model uncertainty. She suggests adding a one-line worst-case to the readout. You accept the suggestion. The relationship is solidified for M2.
End of M1, good resolution
End of week -4, 19:08 Friday

End of week -4. Iris closes her laptop at 19:08 on a Friday. The classifier has run. The sample-allocation has run. Marisol has the picture. Renaud has the picture. The supplementary-information field on the post-surveillance disclosure form is already drafted, in pencil, in a notebook on her desk.

Four weeks remain before Stenmark arrives. The Theatre controls are in remediation. The Partials are scheduled for evidence-gathering sessions across weeks -3 and -2. The two probable findings are in the surfacing-to-Jonas plan.

Iris has earned her standing with Marisol. She has given Renaud something he can defend at the next Audit Committee. She has not yet had to make any of the difficult choices.

Then on Wednesday of week -3, at 14:08, the credential-stuffing alert lands.

Carry-forward to M2: Classifier accuracy ≥ 80%, sample-allocation hits the top three highest-risk controls, budget approved, Decision 3 forward-looking. M2 opens with Iris on the front foot. Ronan disclosure dial in M2 is more likely to land cleanly.
End of M1, mixed resolution
End of week -4, 20:34 Friday

End of week -4. Iris closes her laptop at 20:34. The picture is mostly there. Some of the classifier picks could have been sharper. The sample-allocation missed one control she knows she should have included.

Marisol has half the picture. Renaud has less than half. The supplementary-information field on the post-surveillance disclosure form is not yet drafted.

Four weeks remain. The remediation plan exists but not in writing. Iris has the next four weekends already lined up.

Then on Wednesday of week -3, at 14:08, the credential-stuffing alert lands.

Carry-forward to M2: Classifier accuracy 60-79%, sample-allocation hits two of three highest-risk controls, budget approved-partial, Decision 3 mixed. M2 opens with Iris managing two pressures at once. Ronan disclosure dial outcomes are more sensitive to player choice.
End of M1, poor resolution
End of week -4, 22:11 Friday

End of week -4. Iris is still at her desk at 22:11 on a Friday. The classifier picks are not all defensible. The sample-allocation missed at least two high-risk controls. Marisol has been told the work is on track. Renaud has been told nothing of substance.

The supplementary-information field on the post-surveillance disclosure form does not yet exist as a concept in her head.

Four weeks remain. The remediation plan is incomplete. The probable major NC is still inside the SoA folder, unsurfaced.

Then on Wednesday of week -3, at 14:08, the credential-stuffing alert lands.

Carry-forward to M2: Classifier accuracy < 60%, sample-allocation misses one or both highest-risk controls, budget refused or weak readout, Decision 3 headline-only. M2 opens with Iris already on the back foot. Ronan disclosure dial cover-up branches become more accessible. Cert Risk bar enters M2 at 40+.
Halberd Systems, Amsterdam
Monday week +9, 08:14
Back at the desk. The cursor still blinking on the supplementary-information field.

Iris at her desk. Monday week +9, 08:14. The cursor is still blinking on the supplementary-information field.

Iris Hartnell
Two months later. The credential-stuffing alert. Ronan in the corner with the commit history open.
ISMS Register
End of Module 1. The Incident is next.