For anyone who has ever managed to try and gather an overloaded management team or Board of Directors together to facilitate a management review meeting for any regulatory compliance standard realises what a nightmare challenge this is to co-ordinate.
Typically a management review will involve circulating, by email in advance, the meeting invitations, the agenda, the evidence and reports for review, or to support the review and the previous items that required action.
During the review, notes can be taken of the findings for subsequent writing up and distribution.
Areas identified for corrective actions and improvements will also need to be documented and tasked to the individuals who will be responsible for completing these actions.
At each step, evidence must be retained to satisfy an external auditor that the review and processes are taking place and being effective.
That’s a lot of emails, a lot of planning and a lot of evidencing!
Imagine an online management review programme that made it simple to set up your ISMS Board team, simple to manage reviews and follow a standard agenda, simple to link to previous reviews, and all the information needed, and simple to assign and track corrective actions and improvements.
Bring everything together in one secure, online environment where you can collaborate with your colleagues, capture the required evidence just once and easily navigate to it before, during and after the review.
You don’t even need all board members to be together in one place…conduct it online and save travel time and expense! Internally we have used Barvas to help us manage our reviews and have created a template to get you started.
The Purpose of Management Review
The value of the information security management system (ISMS) Management Review is often under-estimated.
Some may look on it as a tick-box requirement that needs to take place purely to meet the standard. However, to really ‘live and breathe’ good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation’s purpose, issues and risks. These will previously have been addressed within 4.1 The Organisation and its Context, 4.2 The Requirements of Interested Parties and 6.1. Risk Management.
The results of the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
Should you Merge with other Management Reviews?
If you implemented both ISO 27001 and ISO 22301, or also ISO 9001 you might be tempted to have all those management reviews done together; however, I wouldn’t recommend that – e.g., business continuity is a big enough topic on its own and it needs 30 or so minutes of undivided attention of your top management, and the same goes for information security or quality management. You could place all the management reviews on the same day, but place them in sequence, not in the same time slot.
What should be included in the Management Review?
The management review must follow a standard format that looks at the expectations of the ISO 27001:2013. And should include consideration of:
a) the status of actions from previous management reviews
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
- nonconformities and corrective actions
- monitoring and measurement results
- audit results; and
- fulfilment of information security objectives
d) feedback from interested parties
e) results of risk assessment and status of risk treatment plan
f) opportunities for continual improvement
The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Who should attend the Management Review?
Considering the above, it is clear to see that, given due consideration, the ISO 27001 management review is an indispensable tool for ensuring the ISMS continues to be effective in one of its key objectives, that of mitigating information security risks.
For the ISMS to be effective in an organisation, it needs senior management commitment and, as such, it makes sense for the members of an ISMS “Board’ to have authority in matters pertaining to information security.
Typically an ISMS Board might include the Chief Information Security Officer (CISO), Senior Information Risk Owner (SIRO), Chief Technical Officer and maybe even the CEO.
The outputs of the management review will include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Management Review frequency
There is a minimum requirement to conduct a management review once a year, and more frequently if there are any material changes that could affect information security and the ISMS.
However, the frequency will be defined by the management’s requirement to monitor the success of the ISMS. There is also a danger that, the greater the interval, the greater the work that will be involved in reviewing the previous period. It also increases the risk of failure in the ISMS not being identified promptly.
For those seeking certification of their ISMS, it’s also important to note there is a requirement to evidence, during the Stage 1 desktop audit, that the regular reviews are taking place.
