Management Review
Clause 9.3 of ISO 27001 is dedicated entirely to the management review, and the fact that a whole clause is given to one topic tells you how important it is. So what is a management review? The standard puts it like this:
Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
That's a bit of a mouthful, so let's break it down. A management review is essentially a regularly occurring meeting where the key stakeholders of the ISMS come together to discuss the ISMS as a whole, assess whether things are going the way they should, and decide whether any actions are needed to improve it.
Clause 9.3 goes further: it lists the inputs the review must consider, and that list reads like a ready-made agenda. There's not much more to it - follow the items, send out the meeting invites, and work through the agenda.
Ok - I know that sounds a bit simplistic. Let's break it down.
Sample Agenda
- Actions from previous meetings
- Changes to internal or external issues influencing the ISMS
- Feedback on Security Performance
- Non-conformity and corrective actions
- Security metrics
- Audit results
- Fulfilment of security objectives
- Feedback from interested parties
- Results from risk assessment and risk treatment plans
- Opportunities for continuous improvement
What does it mean?
- Actions from previous meetings is how you hold each other accountable. Issues may have been raised at the previous meeting, with someone committing to resolve or remediate them. Reviewing those actions confirms that the person who raised their hand to resolve an issue has in fact done so. If the action was not completed, you are in a position to escalate it or reassign it to someone else.
- Changes to internal or external issues influencing the ISMS covers anything, inside or outside the organisation, that may affect the ISMS: a structural change, a change in company ownership, and so on. Take for example an acquisition. The acquired company will bring with it a large IT estate that may be incompatible with your own environment, and those additional risks will need to be factored into your ISMS. Or a competitor may release a product that significantly changes how you operate. All of these factors need to be considered during the management review.
- Feedback on security performance means backing up what we claim with data. The non-conformities (gaps in how a control is operated) identified at previous meetings, the corrective actions taken, the security metrics, the audit results and the status of the security objectives all belong here. Previously identified non-conformities can be tracked through to resolution, and metrics show how well the ISMS is operating; where a trend is not producing the desired result, actions can be assigned to investigate and close the gap.
- Feedback from interested parties covers any relevant feedback received from key stakeholders. This might include comments from clients about concerns they have over the security of their solutions, or feedback from senior management on new acquisitions and how they may affect the organisation's security posture. You could also send a survey to key stakeholders asking for feedback on the performance of the ISMS. Any feedback is good feedback.
- Results from risk assessment and risk treatment plans lets you review the current risk assessment and check whether any risk treatment plans need attention. Some treatment plans require a significant investment of time and effort, and this is a good opportunity to ensure the right levels of the organisation are aware of the gaps and are committing sufficient resources to resolve them.
- Opportunities for continual improvement is a cornerstone of the ISMS. Any gap, issue or non-conformity that has been identified must become an opportunity for improvement. Having an issue is fine, as long as you are taking the necessary actions to resolve it. This is where you demonstrate what you have done about it.
Frequency of the meeting
ISO 27001 only states that the review must occur at planned intervals; it does not prescribe a frequency, which is a bit too vague to act on. As a general piece of advice, we recommend holding the review at least monthly. Some organisations choose a quarterly meeting instead. I'm not a huge fan of reducing the frequency of the management review meetings. That said, as long as your organisation has other forums where security metrics and controls are tracked more frequently, you can be successful with a less frequent management review.
If in doubt, stick to a monthly meeting.
Record keeping
Lastly, clause 9.3 is also quite clear that documented information is to be retained as evidence of the results of the review. After every management review, make sure the meeting minutes are written up, including the decisions and actions agreed, distributed to all participants, and retained as evidence. Your certification body will ask to see these records during surveillance and recertification audits. Revisit the section on Document Management if you need a refresher on the process.