Management Review according to ISO 27001
The ISO 27001 standard expects management to regularly address the current state of information security. According to ISO 27001, the so-called management review compares the current state with the desired state specified in the ISMS.
The following topics should be on the management review agenda:
- Security incidents
- Risks
- Expectations
- Deviations
- Goals
The following questions are discussed in detail under each topic:
- What security incidents have occurred? How did we handle them? Do the security measures in place prevent a recurrence of the incident? Where do we need to improve our information security, organizationally or technically?
- What is the current threat situation? Are we able to respond appropriately to the identified risks? When will measures be implemented to reduce new risks from the evolving threat situation?
- What expectations do regulatory and contractual obligations place on the organization? What do our customers and employees expect from our approach to information security? Where do we need to improve in order to meet the increased demands?
- How do we ensure that we follow our own guidelines? How and when did we check that our security measures are actually being implemented? Are the protective measures active and effective? What insights did we gain from the internal audit?
- What goals have we set for our information security? How far have we deviated from them? Has the organization changed in ways that mean our defined goals no longer correspond to reality?