| Field | Value |
| --- | --- |
| Title | Management Review Procedure |
| Document ID | [PROC-MGMT-REVIEW-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CISO (Paul Jenkins) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Management Review Procedure

## Purpose

This procedure defines how BlackDice should prepare for, conduct, record, and follow up formal management reviews of the ISMS.

## Scope

This procedure applies to formal management review activity for the ISMS, including review inputs, decisions, actions, and evidence of oversight.

## Trigger / When Used

Use this procedure:

- at planned management review intervals
- when significant change, incident, or audit outcome requires management review
- when strategic security decisions require formal oversight and recording

## Procedure Steps

1. Define the review date, scope, participants, and agenda.
2. Gather required inputs, including status of objectives, risks, incidents, audit results, corrective actions, exceptions, supplier issues, and improvement opportunities.
3. Prepare the review pack or meeting material and circulate it to participants in advance where appropriate.
4. Conduct the review and document discussions, decisions, approvals, and required actions.
5. Confirm whether the ISMS remains suitable, adequate, and effective, and identify any required changes.
6. Assign owners and due dates for resulting decisions or actions.
7. Record the review outcome in the approved format and retain supporting evidence.
8. Track resulting actions through to closure and report status at the next review where necessary.

## Inputs

- objectives and performance information
- risk and exception status
- incident, audit, and corrective action summaries
- supplier and compliance issues where relevant

## Outputs / Records

- management review minutes or record
- decisions and action items
- updated priorities or improvement actions
- evidence of oversight

## Roles and Responsibilities

- [Role] must coordinate the review process and records.
- Management participants must review the inputs and make informed decisions.
- Action owners must complete assigned follow-up actions.

## Escalation / Exceptions

Escalate where:

- required inputs are incomplete
- major risk or nonconformity requires urgent decision
- assigned actions are not being progressed
- management attendance or approval cannot be obtained

Exceptions to scheduled review timing must be documented and approved.

## Related Documents

- ISMS Manual
- Information Security Objectives Template
- Internal Audit Procedure
- Management Review Minutes Template

## Version Control

| Version | Date | Description of Change | Author |
| --- | --- | --- | --- |
| 0.1 Draft | [DD Month YYYY] | Initial draft. | [Name or Role] |