Example of Procedure for ISO 27001:2022 Management Review

Uncategorized 4 Minutes

1. SCOPE

This procedure applies to all the activities within the scope of the XXX Information System Management System.(ISO 27001:2022 )

2. PURPOSE

2.1 To ensure that top management systematically reviews the ISMS and its performance in accordance with the established operating procedures.

2.2 To review the adequacy. suitability. and effectiveness of previous corrective and preventive actions including those related to outsourced service and supplier performance.

3.3 To identify strengths and opportunities for improvement and make recommendations for continual improvement.

3. REFERENCE DOCUMENTS

3.1 XXX Information Security Management system Manual,
3.2 Procedure for Internal ISMS Audit.
3.3 Procedure for Non Conformity & Corrective Action

4. TERMS & DEFINITIONS

4.1 Management Review: cross-functional review by an organization’s top management which takes place at regular intervals aimed to assess the organization’s success at achieving objectives established thus ensuring its continued suitability, adequacy, and effectiveness and to take action to correct it when necessary.

4.2 ISMS Objective: A statement describes what should be achieved within the time frame and available resources. It shall be consistent with the evidence-based practice and the visions that the institution creates itself to achieve.

4.3 Audit: A systematic, independent, and documented process for obtaining audit evidence (records, statements of fact, or other information which are relevant and verifiable) and evaluating it objectively to determine the extent to which the audit criteria (set of policies. procedures, or requirements) are fulfilled.

5. RESPONSIBILITY AND AUTHORITY

The following will be responsible for the process of preparing for the Management Review Meeting :
5.1 CEO :
5.1.1 Assure the implementation of the MR policy
5.1.2 Chair the MR meeting
5.1.3 Invite members of the top management to the meeting
5.1.4 invite other categories of staff as per necessity (e.g. quality focal points, internal auditors)
5.2 CISO and Staff of department:
5.2.1 Set in coordination with the Director, the date and time of the meeting.
5.2.2 Prepare and present the agenda of the meeting according to the agenda stated above.
5.2.3 Take the list of attendance.
5.2.4 Make minutes of the meeting that includes discussion points raised with the suggestions as well as the decisions that have made during the output session.
5.2.5 Follow-up the decisions that have been taken during the output discussion.
5.2.6 Follow-up the implementation of the MR.

6. DETAILS OF PROCEDURE

6.1 Attendants:

6.1.1 Top management review meeting shall be held once a year . The meeting is allocated a maximum of 2:30 hours. The distribution is according to the following:

1 hour: presenting the review input.
30 minutes: questions and answers
1 hour: review output (it is recommended that this section is attended by the CEO, CISO, directors, and  heads of departments)

6.1.2 The Management review meeting to be chaired by CEO or CISO in case CEO is not available. In case CEO is not available, CISO must brief the CEO the finding and the output of the meeting with the CEO.

6.2 Agenda of MR:

6.2.1 Review Input: this part of the review shall include information on:

  1. Follow-up actions from previous management reviews.:This refers to all issues raised or resolved since the last review to make sure problems are being resolved properly. and to look for trends in the data. The action which was taken as result of the previous MRM must be reviewed. It must be verified that all the actions have been taken and also the effectiveness of the action taken must be verified. In case the the action was not completed or was found not to be effective, the root cause must identified and corrective action should be taken.
  2. Changes in external and internal issues that are relevant to the Information Security management system.
  3. Changes in needs and expectations of interested parties that are relevant to the information security management system;
  4. Status of non conformity and corrective actions. This refers to reporting of steps that have been taken to manage failures detected as well as steps to avoid the occurrence of any potential problems that are likely to rise.
  5. Process and result of performance monitoring and measurement. This refers to reporting whether XXX is reaching and/or maintaining performance targets.
  6. Results of audits. By reporting the results of audits carried during the previous period (internal and external). It should include the presentation of data analysis showing strengths and opportunities for improvement in the system.
  7. Information Security objectives: This refers to the Information Security objectives which was established during the previous MRM. The review must verify if the objectives were met and incase they were not met what was the root cause that it was not met and what corrective action was taken . Also the Information Security objective for the next year must be established based on the audit findings and the result of the performance monitoring and measurement.
  8. Feedback from Interested parties . Through analysis of reporting results of feedback from Interested parties that have been collected through various channels such as satisfaction surveys and compliments and complaints system. The reporting should look closely at both the negative and positive feedback.
  9. The result of the Event and Incident Reporting System and analysis.
  10. The effectiveness of actions taken to address risks as a result of risk assessment and the status of the risk treatment plan:
  11. Opportunities for continual improvement. This refers to proposing corrective and preventative actions to be taken based on the outcome of the review of the system carried out since the last MR in order to improve the quality of ISMS.

6.2.2 Review Output: This part of the review shall be allocated to discuss and decide on actions to be taken to improve the management system, services/ processes. and resource needed. The output shall include any decisions and actions related to:

  1. Improvement of the effectiveness of the Information management system and its processes. This refers to the fact that based on the information that has been discussed whether there are areas where worthwhile improvements can be made.
  2. Any need for change in Information Security Management System

6.3 Forms and records of the review:

The record of the review will be maintained by the IT department and a summary report of the meeting will be sent to the Management Representative.

7. RETAINED DOCUMENTED INFORMATION

7.1 Management Review record (ISMS F027)
7.2 Data analysis reports. (ISMS F028)
7.3 Management review agenda and minutes(ISMS F029)

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply