What it is
Frameworks like SOC 2 and ISO 27001 expect your organization to hold certain meetings on a regular cadence, and to be able to prove they happened. Examples include a quarterly security threat review, an annual management review, a quarterly access review, a Change Advisory Board, a vendor risk review, an incident-response review, a BCP/DR test review, a training review, and a policy review. Auditors ask: "Show me that management reviews security on a regular basis," and you need the dates, attendees, agenda, and decisions.
The Governance Meetings page (under Governance & Risk) is a register of those required recurring meetings. For each one it tracks the cadence, computes when the next occurrence is due (and flags it overdue if you miss it), maps it to the SOC 2 / ISO 27001 control it evidences, and keeps every held occurrence — attendees, agenda, minutes, and decisions — as audit evidence.
How it works
There are two layers:
- The register — one entry per required recurring meeting: its name, cadence (weekly / monthly / quarterly / semi-annual / annual / custom), required attendees and quorum, agenda template, and the controls it evidences.
- Occurrences — each time you actually hold the meeting, you log an occurrence. An occurrence is a full Meeting Record (the same kind used in TATER Ops → Meetings): attendees, minutes, decisions, and links to the controls it evidences. Logging an occurrence advances the next-due date automatically.
Because occurrences are real Meeting Records, everything you already get from TATER's meeting documentation — attendee lists, agenda, decision log, even transcripts captured by the Teams meeting bot — becomes part of the governance evidence trail, and the meeting is also visible in TATER Ops → Meetings.
Getting started: seed the SOC 2 set
The fastest way to start is the Seed SOC 2 meeting set button (admins). It adds the standard oversight meetings every SOC 2 / ISO 27001 program runs, each pre-mapped to the control it evidences:
| Meeting | Default cadence | Evidences (examples) |
|---|---|---|
| Security Threat & Risk Review | Quarterly | SOC 2 CC3.1, CC3.2, CC7.2 · ISO 27001 A.5.7 |
| Management Review | Annual | SOC 2 CC1.1, CC2.1 · ISO 27001 Clause 9.3 |
| Risk Assessment / Risk Committee | Quarterly | SOC 2 CC3.1–CC3.4 |
| Access Review Meeting | Quarterly | SOC 2 CC6.1–CC6.3 |
| Vendor / Third-Party Risk Review | Semi-annual | SOC 2 CC9.2 |
| Change Advisory Board (CAB) | Monthly | SOC 2 CC8.1 |
| Incident Response Review | Quarterly | SOC 2 CC7.3–CC7.5 |
| BCP/DR Test Review | Annual | SOC 2 A1.2, CC9.1 |
| Security Awareness & Training Review | Annual | SOC 2 CC2.2 |
| Policy Review | Annual | SOC 2 CC5.3 · ISO 27001 5.2 |
Seeding is idempotent — it only adds meetings you don't already have, so you can run it safely. After seeding, open each meeting to set its required attendees, adjust the cadence/agenda to your program, and (optionally) set a quorum. Use + New meeting to add anything specific to your organization (e.g. a monthly cloud-security review).
Reading the register
Each meeting shows a status computed from its cadence and its occurrences:
- On track — held on cadence; the next occurrence is comfortably in the future.
- Due soon — the next occurrence falls within the reminder window.
- Overdue — the next occurrence is past its due date plus a grace period.
- Never held — defined but no occurrence has been logged yet (treated as a gap, like overdue).
The KPI strip across the top summarizes how many meetings are on track, due soon, and overdue, plus how many controls your meetings evidence. Click any row to see the meeting's cadence, control mapping, and full occurrence history (each occurrence shows attendees, whether minutes and decisions were captured, and whether quorum was met).
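The status rules above can be reproduced outside the product, for example to sanity-check an exported register before an audit. The sketch below is an added example, not TATER's own code: the 14-day reminder window, the 7-day grace period, the treatment of the grace window as "Due soon", and the sample register dates are all assumptions, since the page does not state them.

```python
import calendar
from datetime import date, timedelta

# Calendar months per cadence step; "weekly" is handled separately, "custom" is omitted.
CADENCE_MONTHS = {"monthly": 1, "quarterly": 3, "semi-annual": 6, "annual": 12}

def add_months(d, months):
    """Add calendar months, clamping the day (May 31 + 1 month -> June 30)."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def next_due(last_held, cadence):
    """Next occurrence is one cadence step after the most recent occurrence."""
    if cadence == "weekly":
        return last_held + timedelta(weeks=1)
    return add_months(last_held, CADENCE_MONTHS[cadence])

def status(cadence, occurrences, today, reminder_days=14, grace_days=7):
    """Return (status, next_due). reminder_days and grace_days are assumed values."""
    if not occurrences:
        return ("Never held", None)          # defined but no evidence yet: a gap
    due = next_due(max(occurrences), cadence)
    if today > due + timedelta(days=grace_days):
        return ("Overdue", due)              # past due date plus grace period
    if today >= due - timedelta(days=reminder_days):
        return ("Due soon", due)             # assumption: grace window still counts as due soon
    return ("On track", due)

# Constructed sample register: (meeting, cadence, dates of logged occurrences).
REGISTER = [
    ("Security Threat & Risk Review", "quarterly", [date(2024, 1, 15), date(2024, 4, 16)]),
    ("Change Advisory Board (CAB)", "monthly", [date(2024, 5, 31)]),
    ("Management Review", "annual", [date(2024, 2, 1)]),
    ("Policy Review", "annual", []),
]

def gaps(register, today):
    """Meetings an auditor would flag: overdue or never held."""
    return [name for name, cadence, occ in register
            if status(cadence, occ, today)[0] in ("Overdue", "Never held")]

if __name__ == "__main__":
    today = date(2024, 7, 10)
    for name, cadence, occ in REGISTER:
        print(f"{name:38} {cadence:12} {status(cadence, occ, today)}")
    print("Gaps:", gaps(REGISTER, today))
```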
Logging a meeting
Right after a meeting, click Log (or Log meeting held in the detail view). Capture the date, who attended, the minutes/summary, and the decisions. TATER:
- creates the occurrence as a Meeting Record,
- auto-links it to the controls the meeting evidences,
- advances the next-due date based on the cadence, and
- warns you if attendance fell below the quorum (so the occurrence might not satisfy the control).
Staying on cadence
You won't have to remember the dates:
- Overdue meetings appear in the dashboard Needs Attention strip.
- Next-due and overdue meetings appear on the Calendar in TATER Manage, and on the subscribable TATER calendar feed (iCal), so they show up in Outlook / Google Calendar alongside your other compliance deadlines.
- Email reminders go to the meeting's chair and required attendees when a meeting is due soon or overdue (a daily check; one reminder per day per meeting).
Reporting & your AI agent
- TATER Insights — the Governance Meeting Compliance report (Compliance category) is your evidence-of-oversight rollup: every required meeting, its cadence, when it was last held and next due, whether it's on cadence, and the controls it evidences. Schedule it to your inbox or export it for an auditor.
- MCP — your AI agent (Claude, Copilot, …) can work the cadence through three tools: list_governance_meetings (what's on track vs overdue), create_governance_meeting (define a new oversight meeting + its control mapping), and record_governance_meeting_occurrence (log a held meeting with attendees, minutes, and decisions). Ask it: "Which compliance meetings are overdue?" or "Log today's security threat review — John and Jeff attended, here are the decisions."
Roles
Admins can seed, create, edit, and archive meetings. Auditors and Admins can log occurrences (capture the evidence). Everyone with access can view the register, statuses, and occurrence history.
Related
- GRC modules overview — Risk Register, Audits, Access Reviews, and the rest of the Governance & Risk suite.
- TATER Ops — Meetings — where the meeting occurrences (and any transcripts) also live.
- MCP setup — connect your AI agent so it can read and update the cadence.