ISMS Control of Management Reviews
1 Introduction
2 Scope
This procedure sets out <Short Name>’s arrangements for conducting periodic formal
management reviews of our information security management system.
3 Revision History
Revision | Date | Record of Changes | Approved By
0.0 | [Date of Issue] | Initial Issue |
5 References
Standard | Title | Description
ISO 27000:2014 | Information security management systems | Overview and vocabulary
ISO 27001:2013 | Information security management systems | Requirements
ISO 27002:2013 | Information technology - security techniques | Code of practice for information security controls
7 Responsibilities
The <ISMS Manager> is responsible for all aspects of the implementation and management
of this procedure, unless noted otherwise.
Managers and supervisors are responsible for the implementation of this procedure within
the scope of their responsibilities, and for ensuring that reports are prepared as required by
the <ISMS Manager> for circulation in good time before each meeting.
MRM Attendees
List the top management and other attendees:
<ISMS Manager>
<HR Manager>
If any of these attendees are unavoidably absent, they should send an alternate if at all
possible.
Others attend as required by the <ISMS Manager> for a specific purpose or to meet the
requirements of the agenda set out below.
Where an attendee or member of staff wishes to add an item to the agenda they should
make that request to the <ISMS Manager> in good time.
11 Agenda
The agenda includes the assessment of opportunities for improvement, and the need for
changes to, our information security management system, including our information security
policy and objectives.
The agenda for the information security management review meeting, as a minimum,
includes the following items:
Item | Description
Actions from the previous ISMS meeting | The <ISMS Manager> reports on the status of action items from the previous meeting. Items that are not completed are carried forward to the next meeting.
Emergency preparedness and response | The <ISMS Manager> reports on tests and any changes, or proposed changes, to emergency / business continuity preparedness and response.
Changes that affect the ISMS | The <ISMS Manager> highlights any process, capacity, or other operational or organisational changes that affect the information security management system and proposes any consequential actions to update or modify the system.
Risks and opportunities | The <ISMS Manager> ensures that the following information security related risk and opportunity updates are made and considered:
- take additional actions, such as increasing resources or reallocating responsibilities
- drop or reduce the scope of the objective
- extend the due date for achieving the objective
New information security objectives may be established where it is desired or necessary to
improve performance.
The management review also considers, from time to time and as appropriate, such issues
as:
12 Actions arising
The information security management review meeting may generate corrective and / or
preventive action reports, or agree to take other actions so as to improve the information
security management system, services, processes or resourcing.
13 Minutes
Outputs from the management review are recorded in the form of minutes where actions
arising are clearly set out and include the appropriate personal responsibilities, timeframe
and resources.
The <ISMS Manager> is responsible for ensuring that the minutes are promptly prepared
and issued and that action items are acted upon in good time.
14 Records
Records retained in support of this procedure are listed in the Controlled ISMS Records
Register and controlled according to the Control of Management System Records
Procedure.