Conformio’s Management Review module lets top management perform the review activities that ISO 27001 requires of them and assess how the ISMS implementation is progressing. The Management Review is usually done at a top management meeting. It is essential because, without such a systematic approach to reviewing and decision-making, the most important information security issues are unlikely to reach the top-level executives. Conformio streamlines this process as much as possible so that top management can perform the review with minimal interruption to their primary duties.
Accessing Management Review
There are two ways to access the Management Review:
- Through the Management Review step in the Implementation steps;
- Through Registers and Modules.
Note: Procedurally, there is no difference between accessing the Management Review module through Registers and Modules and through the Implementation steps; both open the same module.
Accessing through the Implementation steps
Follow these steps to access the Management Review:
- Go to Compliance and select Implementation steps;
- Find the First official management review and click the View step button;
- From the step, click the Open Register button.
Note: We recommend completing the Setting up Management review step under Implementation steps before opening the Management Review module.
Accessing through Registers and Modules
Follow these steps to access the Management Review:
- Go to Registers and Modules;
- Click the Go To Register button in the Management Review module.
Working on Management Review
To start working on the Management Review, click on the Settings button.
In the Management review settings, you can:
- View activities to be performed;
- Select activity frequency;
- Select the person performing the review; this can be several people, usually all from top management (e.g., the CEO or the project sponsor).
When all the activities are reviewed and confirmed, click the Confirm Changes button to save the selected settings.
Starting Management Review
To start the Management Review, click the Start Management Review button.
Under Performing Management Review, you can see the activities that need to be performed, for example:
- Opening corrective actions, if needed;
- Changing security objectives, if needed.
Note: Some items are presented for your information only; you do not need to take any action on them.
Completing Management Review
When all information is entered, click the Complete Review button to complete the Management Review.
Once you click the Complete Review button, all activities are marked as performed, and the status on the main page is changed to green.
Completing the Management Review creates two documents:
- Objectives fulfillment report;
- Management review report.
Both documents can be directly accessed under the Related Documents tab in the Management Review module.
The documents can also be found in the Documents Explorer under the Lists Report Statements and Plans folder.
Frequently Asked Questions:
1. What is management review, and why is it important?
Management review is the process in which a company’s top management reviews the most important facts about the ISMS and makes crucial decisions on information security. It is usually done at a top management meeting. Management review is important because, without such a systematic approach to reviewing and decision-making, the most important information security issues are unlikely to reach the top-level executives. In other words, the management review is nothing more than a regular meeting of your top executives with a specific topic: information security. Conformio enables you to automatically schedule management review meetings and prepare all the necessary materials for them; it also automatically creates the record of the meeting in the form of Management review minutes.
2. How often do we have to perform the management review?
You must perform the management review at least once a year, after the internal auditor has completed the internal audit and prepared the Internal audit report. However, it is recommended to hold management review meetings more often, because circumstances related to information security change quickly and your ISMS probably needs more attention from top management than once a year. Conformio enables you to automatically schedule management review meetings at whatever frequency suits your company.
3. What will the certification auditor ask regarding the management review?
Conformio enables you to schedule management review meetings, prepare all the input materials for each meeting, and invite participants; it also automatically creates the record of the meeting in the form of Management review minutes. During the ISO 27001 certification audit, the auditor will ask you the following:
- To show the mandatory document – Management review minutes;
- If at least one member of the top management has participated in the management review;
- If the management review is performed regularly;
- If all the required inputs were presented at the management review;
- If adequate decisions were made at the management review.