ISMS management reviews vs ISMS internal audits
Forumites duly offered advice and agendas. So far so good!
However, I made the point that ISO/IEC 27001 does not specifically require management reviews to take the form of periodic management meetings, although that is the usual approach in practice.
Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match.
In my considered opinion, independence and formality follow a continuum through these activities:
- Entirely dependent and informal: various routine operational activities by those working within the ISMS e.g. SOC analysts, security trainers ...;
- Largely dependent, mostly informal: various routine management activities by ISMS managers e.g. the CISO or ISM's monthly updates and weekly ISMS team meetings;
- Semi-independent, somewhat formal: periodic ISMS management reviews by the organisation's managers, including the CISO/ISM and others such as Risk/Compliance Managers e.g. annual or quarterly reviews using ISO/IEC 27001:2022 clause 9.3.2 in whole or in part as an agenda for each one; also supplier security checklists/questionnaires self-completed by the ISM or nominees ... or maybe these days a tame AI/ML bot;
- Reasonably independent and quite formal: ISMS internal audits by competent people not directly associated with or involved in the ISMS (possibly outsiders) e.g. audits every 1-3 years using accepted IT/compliance audit methods, scoped, planned and conducted to fulfil the requirements of ISO/IEC 27001:2022 clauses 9.2.1 and 9.2.2; also supplier security checklists/questionnaires completed by IT auditors on behalf of the CISO and supplier, generally checked and approved by the CISO and Legal before release;
- Largely independent and quite formal: annual surveillance audits of the ISMS by trained and competent compliance specialist auditors employed by other (preferably duly accredited) organisations, following the applicable certification standards and methods defined by the organisation's policies, procedures and training (note: the same people may conduct successive surveillance audits, taking advantage of their prior involvement and picking up on issues raised/noted before); also supplier security audits completed by IT auditors appointed by the supplier;
- Fully independent and formal: certification/re-certification or other external audits of the ISMS by trained and competent compliance specialist auditors employed by other (preferably duly accredited) organisations, ideally having no prior involvement with the target organisation, following the applicable certification standards and defined audit methods;
- Totally independent and highly formal: 'official' investigations by the authorities or other stakeholders and their lawyers plus forensic auditors e.g. following serious privacy or other legal/regulatory/contractual breaches, or as part of merger and acquisition due diligence.
- Policies for ISMS internal audits and management reviews;
- A fill-in-the-blanks management review meeting agenda mirroring clause 9.3.2;
- Simple awareness leaflets to prepare auditors and auditees for what's ahead;
- An Internal Controls Questionnaire with which to review or audit the management aspects of the ISMS;
- A detailed (32-page!) ICQ with which to review or audit the information security controls - more than just the cybersecurity controls;
- A succinct ICQ specifically for assessing suppliers' information security management arrangements;
- A scope, objectives and plan document template covering ISMS internal audits and management reviews;
- Role descriptions (essentially vacancy notices) for ISMS internal auditors and management reviewers;
- A reporting template for ISMS internal audits and management reviews;
- Plus various other ISO27k materials specifically designed for the management audience - job descriptions, management briefings, checklists, metrics and more, currently in our Easter sale for just US$237.50.