Summary
This article explains the management review of an organisation's information security management system (ISMS) that is mandated by the international standard on information security management, ISO 27001. It may be of interest to information security managers and to those seeking to implement the ISO 27001 standard.
Agenda
- What is the “management review of the ISMS” in the context of ISO 27001?
- What are the roles involved in the management review?
- What is the purpose and rationale behind this requirement?
- What are the steps that we need to take in order to fulfil this requirement?
- How can the results of the management review be documented?
Definition
The “management review of the ISMS” in the context of ISO 27001 refers to the recurring activity (at least once a year) where top management reviews the organization’s information security management system (ISMS) to ensure its continuing “suitability, adequacy and effectiveness” (ISO 27001).
Requirement
The requirement as stated in ISO 27001, chapter 7 (the clause numbering of the 2005 edition; the 2013 revision moved management review to clause 9.3 and no longer prescribes a minimum frequency, only “planned intervals”):
Management shall review the organization’s ISMS at planned intervals (at least once a year) to ensure its continuing suitability, adequacy and effectiveness. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the information security policy and information security objectives. The results of the reviews shall be clearly documented and records shall be maintained.
Each of ISO’s management system standards, including ISO 9001 (quality management systems) and ISO 14001 (environmental management systems), has a corresponding requirement that mandates a management review. In fact, the whole idea, and the concepts used to describe the management review, are directly derived from ISO 9001.
Roles
Management. Management here refers to the group of individuals who have the widest authority in the organization and who essentially control its operations through their decisions. They are concerned not only with information security but with the overall aims of the organization. Because of this, they are in a position to see the overall picture and to judge whether or not the information security management system is suitable, adequate and effective in relation to the current strategy and the road ahead.
Information security officer. Management, however, needs the help of a good information security manager or officer (CISO) in order to review the management system. In practice, management most often fulfils its role in this review by attending one meeting and taking a number of important decisions. It is the information security manager who has to plan this meeting: to gather its inputs, to facilitate their processing, and to take care of its outputs.
Rationale
The idea behind this requirement for those seeking ISO 27001 certification is that:
- Management commitment: Commitment from top management is crucial for running a successful information security effort in any organization. Management should therefore be involved in taking the decisions, so that the decisions carry executive authority when the information security staff act on them.
- Track development: One of the ideas behind having an information security management system is that top management is able to track how information security develops in the organization over time.
- Reserve resources: Top management’s decisions are needed to secure resources for information security, after security has been prioritised against other possible investments.
Steps
There are three major steps involved in order to conduct a management review successfully:
- Review input: Preparing information for the meeting
- Meeting: Presenting the information, discussing, and getting approval
- Review output: Documenting decided changes to documents and controls
Review Input
The input to a management review shall include:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;
g) follow-up actions from previous management reviews;
h) any changes that could affect the ISMS; and
i) recommendations for improvement. (ISO 27001)
Meeting
One natural way to organise the meeting is for the information security manager to present the information in the review input. Management should be able to complement the presentation by looking at and reading the actual reports and other review inputs during the meeting.
After the review inputs have been presented and discussed, the information security manager gives his or her recommendations for changes, priorities and improvements, and describes the need for financial and other resources.
The result of the meeting is a set of agreed changes and decisions, including the reservation of resources. These actions and decisions are listed below as review outputs.
Review Output
The output from the management review shall include any decisions and actions related to the following:
a) Improvement of the effectiveness of the ISMS.
b) Update of the risk assessment and risk treatment plan.
c) Modification of procedures and controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
1) business requirements;
2) security requirements;
3) business processes effecting the existing business requirements;
4) regulatory or legal requirements;
5) contractual obligations; and
6) levels of risk and/or risk acceptance criteria.
d) Resource needs.
e) Improvement to how the effectiveness of controls is being measured. (ISO 27001)
Documentation
The meeting should be documented in terms of the inputs, the recommendations and the outputs. One way of doing this is to use the same presentation template for the management review every year, with one section for each of the review inputs and outputs listed above. Each input section is filled in with information about the current state by the information security manager before the meeting. Each output section is filled in during the meeting as the decisions are agreed. In addition, there should be minutes (a protocol) from the management review meeting listing the date, the participants, and what was agreed. These minutes should be signed by a representative of the organisation’s top management. Together, the completed template and the signed minutes form the record that the standard requires and that an auditor will ask for as evidence that every required input was considered and every decision was taken by management.
About the author: Dr. Fredrik Björck (CISA, CISSP) has been working with information security management systems and certification since 1997, in academia and as an auditor and consultant. He is founder and CEO of Visente, a consultancy specialising in strategic information security advisory services. Visente has taken the first government authority in Sweden through ISO 27001 certification, and has helped the Swedish Standards Institute with the Swedish translation of the ISO 27001 and 27002 standards. This article is a part of Visente’s knowledge sharing initiative for the benefit of a more secure society.