Scribd Logo
Upload

Welcome to Scribd!

  • ISMS Control of Management Reviews

    Uploaded by

    Amine Rached
    44 views4 pages
    The document outlines an organization's procedure for conducting management reviews of its information security management system (ISMS). Key points: 1) Management reviews are scheduled at least every [MRM Months] months and attended by senior management, the ISMS manager, HR manager, and others as needed. 2) The agenda covers performance data, risks, audits, incidents, compliance, training, and continual improvement. Progress on objectives and any needed changes to the ISMS are also assessed. 3) Actions arising from the review are documented and their completion is tracked.

    Original Description:

    Original Title

    ISMS Control of Management Reviews.docx

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document outlines an organization's procedure for conducting management reviews of its information security management system (ISMS). Key points: 1) Management reviews are scheduled at least every [MRM Months] months and attended by senior management, the ISMS manager, HR manager, and others as needed. 2) The agenda covers performance data, risks, audits, incidents, compliance, training, and continual improvement. Progress on objectives and any needed changes to the ISMS are also assessed. 3) Actions arising from the review are documented and their completion is tracked.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    44 views4 pages

    ISMS Control of Management Reviews

    Uploaded by

    Amine Rached
    The document outlines an organization's procedure for conducting management reviews of its information security management system (ISMS). Key points: 1) Management reviews are scheduled at least every [MRM Months] months and attended by senior management, the ISMS manager, HR manager, and others as needed. 2) The agenda covers performance data, risks, audits, incidents, compliance, training, and continual improvement. Progress on objectives and any needed changes to the ISMS are also assessed. 3) Actions arising from the review are documented and their completion is tracked.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 4

    <Short Name> Information Security Procedure

    Control of ISMS Management Reviews

    1 Introduction
    2 Scope
    This procedure sets out <Short Name>’s arrangements for conducting periodic formal
    management reviews of our information security management system.

    3 Revision History
    Revision Date Record of Changes Approved By
    0.0 [Date of Issue] Initial Issue

    4 Control of hardcopy versions


    The digital version of this document is the most recent version. It is the responsibility of the
    individual to ensure that any printed version is the most recent version. The printed version
    of this manual is uncontrolled, and cannot be relied upon, except when formally issued by
    the <Document Controller> and provided with a document reference number and revision in
    the fields below:
    Document Ref. Rev. Uncontrolled Copy X Controlled Copy

    5 References
    Standard Title Description
    ISO 27000:2014 Information security management systems Overview and vocabulary
    ISO 27001:2013 Information security management systems Requirements
    ISO 27002:2013 Information technology - security Code of practice for information security
    techniques controls

    6 Terms and Definitions


    “we” and “our” refer to <Short Name>.

    7 Responsibilities
    The <ISMS Manager> is responsible for all aspects of the implementation and management
    of this procedure, unless noted otherwise.
    Managers and supervisors are responsible for the implementation of this procedure within
    the scope of their responsibilities and that reports are prepared as required by the <ISMS
    Manager> for circulation in good time before each meeting.

    Control of ISMS Management Reviews Page 1 of 4


    <Short Name> Information Security Procedure

    8 Conducting Management Reviews


    9 Purpose
    The <Senior Management Team> formally reviews the suitability, adequacy and
    effectiveness of our information security management system through periodic information
    security management review meetings.

    10 Frequency and attendance


    Information security management review meetings are scheduled, organised and held, as a
    minimum, every <MRM Months> months.
    Those attending should include:

     <ISMS Manager>
     <HR Manager>
     MRM Attendees
    List the top management and other attendees
    If any of these attendees are unavoidably absent, they should send an alternate if at all
    possible.
    Others attend as required by the <ISMS Manager> for a specific purpose or to meet the
    requirements of the agenda set out below.
    Where an attendee or member of staff wishes to add an item to the agenda they should
    make that request to the <ISMS Manager> in good time.

    11 Agenda
    The agenda includes the assessment of opportunities for improvement, and the need for
    changes to, our information security management system, including our information security
    policy and objectives.
    The agenda for the information security management review meeting, as a minimum,
    includes the following items:
    Actions from the previous The <ISMS Manager> reports on the status of action itISMS
    meeting from previous meeting. Items that are not completed are
    carried forward to the next meeting.

    Information security The <Senior Management Team> / <ISMS Manager>


    context highlights any changes to the external and internal
    information security context, including changes to the needs
    and expectations of interested parties, that are relevant to the
    information security management system.
    The meeting reviews progress / changes to the Information
    Security Context Log.
    Information security The <ISMS Manager> reports on system performance data
    management system including monitoring, measurement, analysis, evaluation,
    performance nonconformities and supplier conformance/performance

    Control of ISMS Management Reviews Page 2 of 4


    <Short Name> Information Security Procedure
    (where relevant).

    Identification, evaluation The <ISMS Manager> reports on risk identification, risk


    and treatment of risks criteria, risk evaluation, statement of applicability and the
    status of the risk treatment plan.
    Internal and external The <ISMS Manager> reports on the results of internal and
    audits external system audits. This includes: summaries of results
    for the current period and a comparison to the previous
    period, the frequency of negative findings against particular
    elements of the information security management system,
    and discussion of particularly important findings.
    Corrective and The <ISMS Manager> reports on any high risk
    preventative actions corrective/preventive actions implemented through the period
    and the status of pending actions.

    Information Security The <ISMS Manager> reports on any information security


    Incidents incidents.

    Emergency preparedness The <ISMS Manager> reports on tests and any changes, or
    and response proposed changes, to emergency / business continuity
    preparedness and response.

    Compliance obligations The <ISMS Manager> presents their information security


    compliance review and reports on any changes or proposed
    changes to compliance obligations.

    Awareness and The <ISMS Manager> reports on communication / awareness


    Communication activities, both internal and external and on any complaints or
    other correspondence received regarding our information
    security matters.

    Changes that affect the The <ISMS Manager> highlights any process, capacity, or
    ISMS other operational or organisational changes that affect the
    information security management system and proposes any
    consequential actions to update or modify the system.

    Training, development The <HR Manager> reports on the status of training


    and resources programmes, the effectiveness of training provided, and
    meeting manpower, skill and other resource issues.

    Continual improvement The <ISMS Manager> presents data demonstrating progress


    toward achieving continual improvement goals, reviews
    current and completed improvement projects and proposes
    new improvement projects.

    Risks and opportunities The <ISMS Manager> ensures that the following information
    security related risk and opportunity updates are made and
    considered:

     all new, amended or proposed regulations

     changing expectations and requirements of relevant


    interested parties

    Control of ISMS Management Reviews Page 3 of 4


    <Short Name> Information Security Procedure

     new or modified activities, products or services

     advances in technology and science

     changing customer expectations


    Corporate policies, The <ISMS Manager> reviews progress on any issues
    objectives, targets and related to corporate information security policies, objectives,
    KPI’s targets, metrics and key performance indicators.
    Where information security objectives have not been
    achieved on time or inadequate progress has been made, the
    review investigates the causes and consider whether to:


    take additional actions, such as increasing resources
    or reallocating responsibilities
     drop or reduce the scope of the objective
     extend the due date for achieving the objective
    New information security objectives may be established
    where it is desired or necessary to improve performance.
    The management review also considers, from time to time and as appropriate, such issues
    as:

     information security policy

     the cost / benefit of information security performance

     appropriate measures of information security performance

     integration / overlaps of the information security management system with other


    operations and activities

     keeping the ISMS Context Log fresh and up-to-date

    12 Actions arising
    The information security management review meeting may generate corrective and / or
    preventive action reports, or agree to take other actions so as to improve the information
    security management system, services, processes or resourcing.

    13 Minutes
    Outputs from the management review are recorded in the form of minutes where actions
    arising are clearly set out and include the appropriate personal responsibilities, timeframe
    and resources.
    The <ISMS Manager> is responsible for ensuring that the minutes are promptly prepared
    and issued and that action items are acted upon in good time.

    14 Records
    Records retained in support of this procedure are listed in the Controlled ISMS Records
    Register and controlled according to the Control of Management System Records
    Procedure.

    Control of ISMS Management Reviews Page 4 of 4

    You might also like