Management Review

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
Lesson 7.3
00:02
Management review
00:08
In this video, we will cover the management review agenda,
00:12
outputs from the management review
00:15
and additional documents required.
00:18
This lesson
00:19
covers clause 9.3.
00:26
Management reviews are another key area to assess the performance of the ISMS and whether or not it is meeting its requirements.
00:35
This is, as the name suggests, a predominantly management meeting.
00:39
But anyone that is in the ISMS in critical roles should also be present.
00:45
It is important that top management representatives of the bulk of the organization covered in the ISMS scope are present,
00:53
which would probably extend to the head of every department in the organization.
00:58
It is important from this to demonstrate that there is full organizational commitment to and understanding of the ISMS,
01:06
and that this is not just an IT or information security team problem.
01:15
If your organization has an information security forum, it might be good to include those participants as well as the top management stakeholders in the management review sessions.
01:26
The management reviews should occur as per your organization's defined frequency.
01:32
As per the standard, they should occur at a minimum on an annual basis,
01:36
but it is up to you to decide how often management review meetings will take place.
01:42
For newly implemented ISMSs,
01:46
having management review meetings more often than annually is advised,
01:51
for example quarterly or monthly.
01:55
The standard is quite prescriptive in terms of what these meetings need to cover, as well as the agreed actions that need to come from the management reviews.
02:02
The recommended agenda as per ISO 27001 and ISO 27003 is provided in the slide, and we'll cover that in a moment.
02:15
You can tailor and adjust this agenda as necessary,
02:17
as long as these topics are in some way or form addressed during the management review.
02:23
It is also possible that the information security team,
02:28
or the ISMS team,
02:30
prepares the information necessary to present at your management review meeting
02:35
and management simply provides their input on the information shown and agrees on the required actions going forward.
02:43
Let's look at the agenda quickly.
02:46
The first topic
02:49
is you would want to cover the status of actions from previous reviews.
02:53
So at the start of each meeting,
02:57
a recap on the actions agreed upon from the previous meeting
03:00
must be gone through.
03:02
Changes in the internal and external factors which could impact the ISMS.
03:09
These are the items that we spoke about all the way back in clause 4 with understanding the organizational context.
03:17
Changes to internal and external factors
03:21
might have an impact on your ISMS in some other way.
03:27
We would also want feedback from top management on the ISMS,
03:30
including any non-conformities and corrective actions,
03:35
monitoring and measurement results, audit results and progress on information security objectives,
03:42
feedback from interested parties,
03:45
specifically suggestions for improvement.
03:49
We would cover the results of information security risk assessments and risk treatment progress,
03:55
as well as discuss any opportunities for continual improvement.
04:05
So what outputs do we get from the management review?
04:09
The outputs are what needs to come out of the management review, and they would also serve as evidence of the management review taking place.
04:16
An auditor, especially for your certification audit, would want to see evidence of which participants attended the management reviews,
04:24
that the reviews took place as per the defined interval,
04:28
that actions were identified and agreed upon,
04:30
and that these actions are being implemented and tracked outside of the management review meeting within the appropriate channels.
04:38
These are some of the outputs that the ISO 27003 guidance document recommends.
04:44
However, it is possible that additional outcomes or that none of these outcomes occur from the management review.
04:53
Firstly, changes to policies and procedures.
04:56
This could be driven by changes within the organization or from factors external to the organization.
05:02
Needs and requirements of interested parties could also result in changes to policies and procedures.
05:12
Change of risk criteria.
05:14
Your organization might become more or less risk tolerant due to a variety of factors
05:20
which would end up resulting in a change to the criteria determining whether or not a risk can be accepted.
05:29
Corrective and improvement actions.
05:30
If the performance of the ISMS has not been what is expected,
05:35
actions to correct this performance may be required.
05:41
Updated risk treatment plan
05:44
and statement of applicability,
05:46
as well as adjustments to monitoring and evaluation activities.
05:51
There may be new processes or controls to be monitored,
05:56
or perhaps some metrics have become redundant.
06:09
Documentation to consider
06:11
is the documentation you will create in the process of setting up and having these management reviews.
06:17
So be sure to properly save copies of everything you need to your ISMS documentation file or the content management system, whatever you're using for safekeeping.
06:28
This is one of the big items your certification auditors will want to see.
06:32
So the more good stuff you have to show here the better.
06:36
A lot of your outputs will also serve as supporting evidence,
06:42
so you will have agendas and meeting minutes from the management review sessions.
06:46
Attendance registers are really good to have as this will show who the attendees were.
06:54
Communicated action items.
06:57
This will come after the meeting showing that agreed upon actions have been communicated for action to the relevant staff members.
07:04
Any budget plans, notes or other items that have come from these sessions.
07:11
And during the audit, specifically either an internal audit or your certification audit,
07:16
the auditor may want to interview top management representatives for their input on these sessions.
07:24
So be sure to give your top management a heads up on when the audits are taking place,
07:30
so that they can spare 10 minutes in their day to come and have a chat to the auditor if required.
07:42
To summarize.
07:43
In this lesson, we covered the specifics of the management review,
07:46
and that this is mainly a session for top management to ensure that the ISMS is achieving its objectives
07:53
and is on track as intended
07:55
or, if not,
07:56
that corrective measures are planned and executed.
08:00
We looked at the various outputs that come from the management review,
08:05
and we also took a brief look at some additional documentation that could serve as valuable audit evidence.