It is important that management be involved in all stages of developing an ISMS for your business; however, there is a formal stage where they must review the documents before acceptance.
Management/Directional Overview of the ISMS
Management will review the organization's ISMS at planned intervals to ensure its continuing suitability, adequacy and efficacy. This review shall include assessing opportunities for improvement and the need for changes to the ISMS, including the security policy and security objectives. The results of the reviews will be clearly documented and documents will be maintained (see 4.3.3).
The input to a management review will consist of information on:
a) results of ISMS reviews and audits;
b) comments from interested parties;
c) techniques, products or procedures which could be used in the organization to improve the functionality and effectiveness of the ISMS;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the preceding risk assessment;
f) follow-up actions from previous management reviews;
g) any changes that could affect the ISMS;
h) recommendations for improvement.
The output from the management review shall include any decisions and actions related to the following:
a) improvement of the effectiveness of the ISMS;
b) modification of procedures that affect information security, as necessary, to respond to internal or external events that might have an impact on the ISMS, including changes to:
1) business demands;
2) security requirements;
3) business processes affecting the existing business requirements;
4) the regulatory or legal environment;
5) levels of risk and risk acceptance;
c) resource needs.
Internal ISMS audits
The organization shall conduct internal ISMS audits at planned intervals to determine whether the control goals, controls, procedures and processes of its ISMS:
a) conform to the demands of this standard and appropriate legislation or regulations;
b) conform to the identified information security requirements;
c) are economically implemented and maintained;
d) perform as expected.
An audit program shall be planned, considering the status and significance of the processes and areas to be audited, as well as the results of prior audits. The audit criteria, scope and methods shall be described. Selection of auditors and conduct of audits shall ensure the objectivity and impartiality of the audit process. Auditors shall not audit their own work.
The responsibilities and requirements for planning and conducting audits, and for reporting results and keeping records, will likely be defined in a documented procedure. The completed management report should be stored alongside the ISMS documentation and updated in accordance with the policy itself. If it is modified and accessed remotely, this should be done via a secure transfer method such as SFTP or file transfer across a VPN (Virtual Private Network). In situations where VPNs are not permitted, a copy should be updated locally and uploaded as soon as possible.
The management accountable for the area being audited shall ensure that actions are taken without undue delay to eliminate detected nonconformities and their causes. Improvement activities shall include the verification of the actions taken and the reporting of verification results (see Clause 7).