7 hours 52 minutes
In this video, we will cover the management review agenda,
outputs from the management review
and additional documents required.
covers close 9.3.
Management reviews are another key area to assess the performance off the ice mess and whether or not it is meeting its requirements.
This is, as the name suggests, a predominantly management meeting.
But anyone that is in the ice miss in critical roles should also be present.
It is important that top management representatives off the bulk of the organization covered in the ice mess scope is present,
which would probably extend to the head off every department in the organization.
It is important from this to demonstrate that there is full organization commitment to an understanding off the ice mess.
And this is that this is not just a nightie or information security team problem.
If your organization has an information security forum, it might be good to include those participants as well as the top management stakeholders in the management review sessions.
The management reviews should occur as poet per your organization's defined frequency
as per the standard, they should occur at a minimum on an annual basis,
But it is up to you to decide how often management review meetings will take place
for newly implemented ice AMIS.
Having management review meetings more often than manually is it annually is advised,
For example, quarterly or monthly?
The standard is quite prescriptive in terms of what these meetings need to cover, as well as the agreed actions that need to come from. The management reviews
the recommended agenda as per I. So 27,001 on ESO 27,003 is provided in the slide, and we'll cover that in a moment
you can tailor and a justice agenda is necessary
as long as these topics are in some way or form addressed during the management review,
it is also possible that the Information Security Team,
all the Ice Maze team,
prepares the information necessary to present at your management review meeting
and management simply provides they input on the information shown and agrees on the required actions going forward.
Let's have the agenda quickly.
The first topic
is you would want to cover the status of action from previous reviews.
So at the start of each meeting,
a recap on the actions agreed upon from the previous meeting
must be going country
changes in the internal and external factors which could impact the SMS.
These are the items that we spoke about all the way back in clause for with understanding the organizational context,
changes to internal and external factors
might have an impact on your ice maze in some other way.
We would also want feedback from top management on the ice mess,
including any non conformity ease and corrective actions,
monitoring and measurement results, ordered results and progress on information security objectives,
feedback from interested parties,
specifically suggestions for improvement.
We would cover the results of information security, risk assessments and risk treatment progress
as well as discuss any opportunities for continual improvement.
So what outputs do we get from the management review
the outputs of what needs to come out of the management review and would also serve as evidence of the management review taking place?
An auditor, especially for your certification ordered, would want to see evidence of which participants attended the management reviews,
that the reviews took place as per the divine interval
that actions were identified and agreed upon
on that these actions are being implemented and tracked outside of the management review meeting within the appropriate channels.
These are some of the outputs that the ice a 27,003 guidance document recommends.
However, it is possible that additional outcomes or that none of these outcomes occur from the management review.
Firstly, changes to policies and procedures.
This could be driven by changes within the organization or from factors external to the organization.
Needs and requirements of interested parties could also result in changes to policies and procedures.
Change of risk criteria.
Your organization might become more or less risk tolerant due to a variety of factors
which would end up resulting in a change to the criteria determining whether or not a risk can be accepted.
Corrective and improvement actions.
If the performance of the ice miss has not been what is expected,
actions to correct this performance may be required.
Updated risk treatment plan
and statement of applicability,
as well as adjustments to monitoring and evaluation activities.
There may be new processes or controls to be monitored,
or perhaps some metrics have been redundant.
Documentation to consider
is the documentation you will create in the process of setting up and having these management reviews.
So be sure to properly save copies of everything you need to your isom s documentation file for the content management system. Whatever you're using for safekeeping,
this is one of the big items your certification orders is want to see.
So the more good stuff you have to show here the better.
A lot of your outputs will also serve as supporting evidence,
so you will have agendas and meeting minutes from the management review sessions.
Attendance registers are really good to have as this will show who the attendees were
communicated action items.
This will come after the meeting showing that agreed upon actions have been communicated for action to the relevant staff members.
Any budget plans, notes or other items that have come from these sessions
and during the audit, specifically either an internal audit or your certification audit.
The order to may want to interview top management representatives for their input on these sessions.
So be sure to give your top management their heads up during and when the orders are taking place
so that they can spare 10 minutes in their day to come and have a chat to the order to If required
In this lesson, we covered the specifics off the management review
and that this is mainly a session for top management to ensure that the ice maze is achieving its objectives
and is on track as intended
or if not
that corrective measures are planned and executed.
We looked at the various outputs that come from the management review,
and we also take a brief look at some additional documentation that could serve as valuable ordered evidence.