© Abhishek Chopra, Mukund Chaudhary 2020
A. Chopra, M. Chaudhary, Implementing an Information Security Management System, https://doi.org/10.1007/978-1-4842-5413-4_8

8. Management Review

Abhishek Chopra (Faridabad, Haryana, India) and Mukund Chaudhary (Noida, India)
 

“The best way to get management excited about a disaster plan is to burn down the building across the street.”

—Dan Erwin

This chapter explains how to plan and conduct the management review meeting and which aspects need to be taken into consideration while conducting this review. This chapter covers the following topics:
  • Conducting the review

  • Planning for improvements

  • Communicating

Conducting the Review

When you implement large improvement initiatives in an organization, it is essential for management to know about them. This is also a requirement of the ISO 27001 standard: top management must review the organization's ISMS at planned intervals, and the organization decides on a review frequency that is feasible for it.

Organizations should, at a minimum, plan for semiannual management review meetings. The decisions made at such meetings are aimed at the future improvement of the organization, and their impact and benefits can usually be assessed within a six-month timeframe. This way, the organization does not have to wait too long to learn what a previous plan or course of action has achieved, and if any planned initiatives or decisions are not working, they can be corrected. This is also why the ISO 27001 standard explicitly requires management commitment: it is critical to improving the ISMS implemented in the organization or business unit.

What Is Expected from Department Heads/Stakeholders?

The review demands a lot of time from the department heads and their teams, as they need to collect and analyze the data in order to prepare their presentation. They report on the security controls that are working, what is yet to be implemented, and the issues that need a decision from management.

The data collected are the information security objectives and KPIs of each department. The KPI/metric values achieved in the past month, or tracked month by month, show whether the information security objectives are being met. They also show management that the teams are following the processes needed to maintain the ISMS.

Department heads and their teams typically collect this data for analysis on a monthly basis and share it with middle management as part of their monthly review meetings.

However, in order to meet the defined information security objectives, it’s better to observe performance over a longer period, such as quarterly, semiannually, or yearly. Only then can you conclude that the performance you want is achieved consistently (i.e., the security controls are working fine over time).

Therefore, you can see why it’s better to conduct a management review meeting on a semiannual basis and not on a monthly basis.

Scheduling the Management Review Meeting

You can schedule this meeting in two ways.

First Way

If an organization is implementing the ISMS for the first time, it is best to schedule the review meeting after all the policies and procedures have been defined, the security controls have been implemented, and one round of the internal audit has been completed.

Note

Sometimes it is not feasible to implement all the controls before the first review. In such cases, you don't have to wait: go ahead with the review meeting and discuss what has been implemented. Always ensure, however, that whatever has been implemented has been audited at least once.

Second Way

In some organizations, the implementation has been complete for a year or two, but a management review meeting was never planned. Such organizations must plan the review now and, once the first management review has been conducted, schedule the second for six months later. This way, the management reviews are conducted in a planned manner. This is the right approach for an organization that has already secured ISO 27001 certification and is now maintaining it.

Schedule the Meeting

Look for a suitable day to schedule the management review meeting, ensuring that all members can attend. Send the invite to all the participants/stakeholders at least two weeks in advance so that they can mark their calendars and have enough time to prepare. Otherwise, participants might feel that they don't have time to prepare, and nobody wants to go in front of management unprepared.

Preparing the Presentation

The easiest way to present the data is a slideshow presentation. The information security team should prepare a common template for all participants to follow. When each participant prepares a presentation in their own format, it takes the audience more time to understand, and important points regarding security controls might be missed. Using a predefined common format is advisable. If a department needs specific points that are not in the format, they can always be added; the information security team should clarify this when sharing the template.

Tip

Department heads should share the presentations with the information security team so they can review them before they are finalized.

The information security team also has to prepare a presentation covering the areas they are responsible for. They should also highlight any issues or challenges they are facing that need to be discussed during the review meeting.

Items To Be Covered in the Presentation

From the information security team:
  • Information security policy—Discuss if any changes are required in the policy statement or whether it is okay as is.

  • Organization risks and opportunities—Discuss the risks that are critical, actions taken to address them, and the risks for which action is still pending.

  • Information security objectives—Discuss the status of the defined objectives, whether you’re meeting them or not, any challenges, etc.

  • Resource status—Discuss critical tools or any manpower needed or any other requirements related to resources.

  • Internal audit findings—Discuss the total findings observed in the internal audit, the status of the findings, their corrective/preventive actions, whether all findings are closed, and the challenges in closing them.

  • ISMS implementation status—Organizations that have implemented ISMS for the first time should discuss the status of implementation and cover any challenges in achieving the objective.

  • Process improvements implemented—Mention observed improvements. Management wants to see such improvements, so they can see that the ISMS implementation is improving the organization’s information security system.

    Tip

    There should not be any last-minute surprises. Management will expect the teams to come with solutions to any problems they found, so when you discuss a problem with management, it is always advisable to suggest a few solutions.

From other departments:
  • Department risks and opportunities—Discuss the critical risks, the actions taken to address them, and the actions that are still pending due to constraints or challenges.

  • Department KPIs—Discuss the status of the defined KPIs, whether they are being met, any challenges, etc.

  • Change in policy or procedure—If there have been changes, they should be shared in the review meeting.

By covering these points in the presentation, you will have a better discussion during the review meeting. Apart from the presentation, you should also prepare for the questions that management might ask. If you cannot answer, or have no supporting data available, it will be awkward to handle at the time.

Hence, it is best to anticipate the questions they might ask and be prepared with the data to answer them. This will help you during the review meeting.

Conducting the Review Meeting

On the day of the meeting, start the session with the information security team. The CISO or information security manager reviews the agenda and then presents the points listed earlier in this chapter. After the information security team has presented, each department head presents their own ISMS status.

The meeting can be conducted either with all participants (department heads and other stakeholders) present at the same time, or with each participant given an individual timeslot in which they arrive and give their presentation. The second approach works if you don't need all the participants present at the same time, or simply cannot find a time when they can all attend.

It is more beneficial to conduct the meeting with all department heads present, because the important points discussed are then shared with all parties at the same time, and an issue raised by one department is very often relevant to the others. Also, if management wants to convey an important message during the meeting, it can be done easily with all affected parties present.

Here are some important points to remember during the review meeting:
  • As part of the review meeting, you are presenting the organization's performance in implementing and managing the ISMS, not individual employees' performance. Hence, you should never single out any one person or department for blame.

  • The data/values you present must be absolutely correct. Any error in the data can cause management to lose confidence in the process; hence, all the data should be reviewed thoroughly.

After completing the presentation, the CISO from the information security team should communicate to all the participants the action points that were developed during the review meeting and get their commitment to close them by the agreed-upon timeline.

Note

If any commitment is required from the management/steering committee during the review meeting, it should be acknowledged at this same time. It is difficult to get commitments later, and you may not have the opportunity to bring them all together again soon.

After the meeting session, it is important to prepare the meeting minutes by covering the following:
  • Participants’ names

  • Meeting agenda

  • Points discussed

  • Action items, with owners and target dates

The meeting’s minutes should be circulated/shared with all the participants, including senior management, on the same day or the day after the meeting.

Figure 8-1 shows a snapshot of some example ISMS meeting minutes. For better understanding, the agenda is filled in and the rest are blank.
Figure 8-1. Sample snapshot of meeting minutes

Plan Improvement

If you refer to the meeting minutes that were prepared after the review meeting, they should cover all the improvement initiatives. Each action item can be taken as one improvement or broken into multiple improvements. One of the important goals of the review meeting is to find any improvement areas. Just imagine all the department heads together identifying improvement areas at the same time. This can also be considered a brainstorming exercise.

All these improvement areas should be mentioned and tracked as part of the improvement plan/tracker as well.

What Do You Improve?

You improve the following:
  • Business processes and efficiency

  • Security objectives/KPIs

  • Awareness of the employees

  • Overall effectiveness of the organization’s ISMS

How Do You Know if You Have Improved?

This is an important question. Management needs to be able to see how the organization has improved. The information security team needs to track the status of each improvement initiative and collect the data to analyze the progress. As part of this, you must compare previous data with data after the implementation and determine whether improvements have been made or not. You also need to determine the scope and size of the improvements.

You need to keep collecting data on a monthly basis. When the time comes for the next management review meeting, you must present this data to management. This way, you manage the ISMS improvement on a year-over-year basis.

Communicate

Here, the information security team and the other department heads must communicate with each other regularly about the status of the improvement areas. If, after the management review meeting, there is no follow-up or communication on the action items noted during the review, the momentum of the ISMS initiatives will start to suffer.

If the information security team stops following up with the owners/department heads, the people in charge of the action items might not work on them. They might not see these items as their direct charge, and this could delay the initiative target date unnecessarily.

If no significant improvements are made then, during the next management review meeting, management will take notice. They might ask why you have not made any progress. This could be difficult to explain if you did not get support from the action item owners or the information security department could not complete the work.

Hence, it is advisable to track the status of all the action items on a semiweekly or monthly basis. This way, you'll know whether you are on the right track and progressing well. If things are not moving, you can follow up in a timely manner and, if necessary, escalate to management. Recall that, during the management review meeting, every member committed to supporting the improvement initiatives.

Summary

This chapter taught you the importance of conducting a management review and gave you practical tips on how to conduct it. You also learned about improvement plans and how to track the plan with the team. You lastly learned about the importance of communicating progress and updates with all stakeholders.
