Publication Summary
| Title | Procedure for Management reviews |
|---|---|
| Author(s) | Alessandro Cardinali |
| Issued by | CEO |
| Version | 0.9 |
| Review frequency | Yearly |
| Date of issue | June 7, 2025 |
| Owner | CEO/Founder |
| Document status | Draft – Final Draft - Final |
| Approval Date | n/a |
| Classification | Internal |
Change Log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | June 7, 2025 | Olaf Jacobson | First draft document |
Table of Contents
1 Introduction
1.1 Purpose of this document
1.2 Areas of the standard addressed
2 Scheduled management reviews
2.1 Scheduling
2.2 Attendees
2.3 Format
2.4 Classification
2.5 Review preparation
2.6 Areas reviewed
3 Annual management review
3.1 Scheduling
3.2 Attendees
3.3 Format
3.4 Classification
3.5 Annual review preparation
3.6 Areas reviewed
Introduction
The purpose of this document is to set out the procedure for carrying out management reviews as part of the management system operated by Soon B.V. in compliance with the ISO/IEC 27001 information security standard.
Management reviews are a key part of the management system as they provide a regular opportunity to ensure that objectives are being met and that metrics are within acceptable boundaries. They also act as a trigger for corrective action and a strong driver for improvement within the ISMS.
Purpose of this document
This document describes the way in which management reviews of the Information Security Management System will be carried out.
Areas of the standard addressed
The following areas of the ISO/IEC 27001 standard are addressed by this document:
- 9 Performance evaluation
- 9.3 Management review
- A.5 Organizational controls
- A.5.1 Policies for information security
Scheduled management reviews
Scheduling
Quarterly management reviews will be held on the first working day of the quarter or as soon afterwards as practicable.
Attendees
Management reviews will be chaired by the Chief Executive Officer or nominated deputy. Further attendees will normally be as follows:
- Chief Operating Officer (COO)
- Chief Financial Officer (CFO)
- Chief Information Officer (CIO)
- Chief Privacy Officer (CPO)
- Information Security Manager
Apologies should be submitted at least one week prior to the scheduled meeting and where possible a deputy should be nominated to attend instead. Additional attendees may be invited to discuss specific agenda items.
All meetings will be minuted.
Format
A standard form will be used for the management review. This form will be updated whenever the content of the management review needs to change such as for the addition of further review topics. In most cases the form from the previous review may be used as a starting point, as long as any content changes have been incorporated into it.
Meeting minutes should be named in the format “Management Review [date]” and stored as a Word document (.docx) in the folder [state file location].
Classification
The content and the minutes of the management review will be treated as Confidential within the definition of the information classification scheme in use within Soon B.V. This means that due care must be taken to protect the confidentiality, integrity and availability of the records. They should not be shared with third parties without a non-disclosure agreement being in place.
Review preparation
The following actions need to be taken by the chair (or nominated deputy) in preparation for the management review:
- Invite additional agenda items for the meeting (small items may be raised under AOB)
- Ensure that the supporting information required for the meeting is updated by the appropriate person, available and distributed to all attendees, including:
  - Internal and external audit reports
  - Risk assessment reports and treatment plans
  - Monitoring and measurement reports
  - Continual Improvement Action Log
  - Information security objectives
  - New or updated ISMS documentation e.g. policies
- Distribute the agenda for the meeting and the minutes from the previous quarter’s management review
- Ensure that required resources such as meeting room, projector and nominated minute-taker are available
Areas reviewed
The areas covered by the management review may change over time as business requirements change. At the date of this procedure the following areas are included:
| REF | ITEM | DESCRIPTION |
|---|---|---|
| 1 | Actions from previous review | Statement of whether actions have been completed or not and if not, what the next steps are |
| 2 | Changes relevant to the management system | Any significant internal or external changes that have occurred since the last review that may have an impact on the management system and so need to be considered |
| 3 | Changes in needs and expectations of interested parties | For those interested parties that are relevant to the ISMS, whether their views of what the ISMS must deliver have changed in any way |
| 4 | Nonconformities and corrective actions | Status of actions raised from previous internal and external audits |
| 5 | Monitoring and measurement results | Noteworthy items from monitoring and measurement reports, particularly exceptional results (good or bad) and whether targets are being met |
| 6 | Audit results | Summary of the conclusions of any audits carried out since the last management review |
| 7 | Fulfilment of objectives | Statement of how far we are towards achievement of information security objectives |
| 8 | Feedback from interested parties | Comments from people and organizations relevant to the ISMS for example customers, suppliers |
| 9 | Risk assessment and treatment status | Changes to risk levels in the last quarter, including any new threats or vulnerabilities; progress on risk treatment plan |
| 10 | Opportunities for continual improvement | Update the plan and summarise progress for existing improvements; identify new opportunities |
| 11 | Resource planning and plan for next quarter | Review of resource adequacy and main activities scheduled for the next quarter |
| 12 | Any other business | Items not covered within the formal agenda |
| 13 | Actions from this review | Actions recorded during this review, with person responsible and target date |
| 14 | Date of next meeting | Ensure that the next meeting has been scheduled |
*Table 1: Areas reviewed*
Actions recorded will be tracked to completion as part of the management review process.
Annual management review
Scheduling
An annual management review will be held at the start of the financial year, to coincide with the re-planning of business objectives for the next year.
Attendees
Annual management reviews will be chaired by the Chief Executive Officer or nominated deputy. Further attendees will normally be as follows:
- Chief Operating Officer (COO)
- Chief Financial Officer (CFO)
- Chief Information Officer (CIO)
- Chief Privacy Officer (CPO)
- Information Security Manager
- Relevant business managers as appropriate
Apologies should be submitted at least one week prior to the scheduled meeting and where possible a deputy should be nominated to attend instead. Additional attendees may be invited to discuss specific agenda items.
All meetings will be minuted.
Format
A standard agenda will be used for the annual management review (as defined in 3.6 below) which will be updated whenever the content of the management review needs to change, such as for the addition of further review topics.
Records should be named in the format “Annual Management Review [date]” and stored as a Word document (.docx) in the folder [state file location].
Classification
The content and minutes of the annual management review will be treated as Confidential within the definition of the information classification scheme in use within Soon B.V. This means that due care must be taken to protect the confidentiality, integrity and availability of the records. They should not be shared with third parties without a non-disclosure agreement being in place.
Annual review preparation
The following actions need to be taken by the chair (or nominated deputy) in preparation for the annual management review (in addition to those for the quarterly review):
- Ensure that the supporting information required for the meeting is updated by the appropriate person, available and distributed to all attendees, including:
  - Details of recommended changes to ISMS documentation
  - Current Statement of Applicability
  - Details of current auditors
Areas reviewed
At this review, in addition to the usual quarterly agenda, the following areas will be reviewed:
| REF | ITEM | DESCRIPTION |
|---|---|---|
| 1 | ISMS documentation review | A report on the review of all documents within the management system for content changes, for example updates and removal of out-of-date information i.e. all policies, procedures and information stores |
| 2 | Review of objectives | New annual objectives will be established for the next 12 months |
| 3 | Review of SoA | Review of the Statement of Applicability to identify any changes to applicable controls |
| 4 | Review of auditing | Current auditing methods and appointment of auditors |
*Table 2: Additional areas reviewed at annual review*
Version control will be maintained for all resulting changes to ISMS documentation, and the locations where metrics are recorded will be updated to cater for the new year.
The annual review will be minuted and actions tracked to completion.