Management Review

We refer to the content of ISO27001 – Chapter 9.3:

Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:

1. nonconformities and corrective actions;
2. monitoring and measurement results;
3. audit results; and
4. fulfilment of information security objectives;

d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.

The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organization shall retain documented information as evidence of the results of management reviews.

General Process

  • On a yearly basis a Management Review is being performed – plan approx 1-2 months before your external audit.
    preferably after the Internal Audit. 
  • Assign a person who is responsible for Management Review, that person will draws up a concept – using Compleye Online – make sure the person is onboarded user
  • After the draft is ready – suggestions for Improvements are defined and noted as concept
  • MT/CEO meeting is planned to discuss all topics and suggestions for improvement.
  • MT/CEO defined final improvements and accept the suggested improvements
  • Create a final Version of the Management Review, to be shown as evidence during external audit.
  • Make sure all the suggested improvements have been added as new improvements in your ISMS. 

Where to start

We have created an automated process for generating the Management Review Report. And here are the steps you need to follow:

1. Start by looking at the closed Improvements from Compleye Online. There is a section with content “Management Review Topic” and “Text for the Management Review”, use that to build the content of your Management Review concept. Read more about Improvements on Wiki.

image-1646127327896.png

2. Creation of the management review report starts at the Improvement section, by clicking on the button “Management Review Report”, window with all closed improvements will pop up.

3. Select from the list improvements you would like to include in your management review report. From these selected improvements – only content entered in the evaluation field relating to the management review will be prefilled in the generated report.

4. When ready, select “start the management review report” You will be redirected to Management review subsection. Be aware that from this point you wont be able to add automatically more content from improvements to the report draft you are creating.

5. Enter the title, person reviewing the Management Review Report, and the date of this concept management report being created. Topics will be prefilled from selected improvements. Add or review content as needed, fill in suggestions for improvement on that topic and indicate when management accepts the suggested improvements 

There are 2 topics that need to be manually filled in as they are not part of the closed improvements card – Effectiveness of entire ISMS and Security and Compliance Objectives for a next year. 

6.. Evaluate and write about the Effectiveness of entire ISMS framework in the open text field of the section, here again mention any suggested improvements and indicate when management accepts the suggested improvements. 

7. Update the topic Security and Compliance Objectives for next year– check your last years objectives by clicking on the suggested link and indicate whether the objectives from last year have been met.  Make sure you note any suggestions for the improvement and management accepts them. 

8. After the management review meeting (where content is reviewed, adjusted and approved by the management team), you can either finalize the report by clicking finalize the report button or you can save it and continue later

9. Management Review Report preview is generated and this can be either approved or saved for later. In case it is ready for the approval, type in the pop up window name of the person approving the report.

10. Finalized and approved Management review report can be downloaded   

Tips for  writing the Mandatory Topics in the  Management Review:

Note: Next to the closed improvements, you can find also input in other sections of Compleye Online.
For each of these topics, suggestions for improvements and decision of the management regarding the improvement should be documented.

  1. Periodic assessment Policy
    Check if you have made any new versions of Policies & Procedures and/or added new documentation.
  2. Assess the outcome of the supplier assessment
    Check the section Supplier Assessment for High Risk Suppliers – any new suppliers since last year? anything changed that is mentioning worthy?
  3. Status actions of previous management reviews
    Check last version of Management Review if you have addressed and closed all improvements of last year. It this is your first year.. you can add Not Applicable.
  4. Change in external and internal topics that are relevant to the ISMS
    If you do not have any improvement for this topic – check if you have made changes in your product or services, any new stakeholders with new legal requirements or check the Global Impact sections, perhaps you have entered new markets/countries that are relevant.
  5. Feedback and trends on Incidents
    Check the security metrics – can you spot trends in certain incidents (security, privacy or quality?)
  6. Feedback and trends on Measure & Control
    Review the Controls, were they performed on time? any changes made? review the results of the controls.
  7. Feedback and trends on Audit Results (internal/external)
    Review the findings / improvements reported and compare with previous years.. any trends that repeats? or did you make great process?
  8. Feedback and trends in meeting security objectives
    In section ISMS Objectives, you have defined your objectives and – if you add them to the security metrics overview, you have monitored them on a regular base. What can you conclude? and what can you change (e.g. make them more smarter, more measurable.
  9. Feedback from Stakeholders that concerns the availability, integrity and retransmission of information.
    Stakeholders are not only Customers, that can be all stakeholders you have added to your stakeholder overview (section Interested Parties & Legal requirements).
    What feedback did you receive? Do you have plan in place to check on that feedback? e.g. customer satisfaction reviews, employees satisfaction questionnaires etc.
  10. Results of the risk assessment and the status of the risk treatment plan
    Every finding of risk assessment has been transferred into an improvement… so this section should be well completed.
  11. Opportunities for continuous improvement (leadership, communication, resources, organization architecture, people and processes)
    Probably you have defined during the year (apart from assessments and audits – specific improvement that you encountered during operations. If not – please make sure that next year you will define improvements during your security meetings. You can always check your notes of the meetings (and closed call to actions) . You will be surprise of small things that you have improved over the year.
  12. Total Effectiveness of ISMS framework (content needs to be written, it is not part of the closed improvements card)
    Well, in all closed improvements you have already addressed the effectiveness of every individual improvement. what you can do is check high level where most improvements have contributed to. E.g. more focus on documentation, awareness, technical improvements, trainings  or any other effect that you have experienced yourself while working past year, working as an ISMS Team.
  13. Security & Compliance Objectives (content needs to be written, it is not part of the closed improvements card)
    Now it is time to define your new ISMS Objectives … and make sure you have added these in the section Strategy & Ambition – ISMS Objectives.
If all information is added, you have discussed and evaluated with your ISMS Team, someone on C-Level (management) should approve the final document (preferably with date and signature). Add this document to Compleye Online.
Oh… and do not forget that all improvements that are accepted – need to be transferred to new Improvements Cards in Compleye Online. That is what we call Continuous Improvement Process.
At the end of this wiki, I would like to add, that although it probably looks like a lot of work – and yes it is. At the same time this is also the proof of the ISMS27001-pudding… This will show that all efforts made over the past year, have lead to a more professional security organization and  your organization becoming more mature every year. Something to be very proud of and that you can use during your sales pitches.
 
 

    Shortly, we will add here screenshots and more explanation on how to fill in fields and examples. In meanwhile refer to the section “How” where steps are already addressed and explained. 

    Was this article helpful?
    0 out of 5 stars
    5 Stars 0%
    4 Stars 0%
    3 Stars 0%
    2 Stars 0%
    1 Stars 0%
    How can we improve this article?
    Please submit the reason for your vote so that we can improve the article.