Management Review Process
The purpose of this page is to set out the procedure for carrying out management reviews as part of the management system operated by Vertic Pty Ltd in compliance with the ISO 27001 information security standard.
Management reviews are a key part of the management system as they provide a regular opportunity to ensure that objectives are being met and that metrics are within acceptable boundaries. They also act as a trigger for corrective action and a strong driver for improvement within the VQMS.
Scheduled management reviews
Scheduling
Quarterly management reviews will be held on the first working day of the quarter or as soon afterwards as practicable.
Attendees
Management reviews will be chaired by the Chief Executive Officer or nominated deputy. Further attendees will normally be as follows:
Chief Operating Officer (COO)
Chief Financial Officer (CFO)
Apologies should be submitted at least one week prior to the scheduled meeting and where possible a deputy should be nominated to attend instead. Additional attendees may be invited to discuss specific agenda items. All meetings will be minuted.
Areas reviewed
The areas (or an agreed subset of them) covered by the management review may change over time as business requirements change. At the date of this procedure the following areas are included:
| Reference | Item | Description |
|---|---|---|
| 1 | Actions from previous review | Statement of whether actions have been completed or not and, if not, what the next steps are |
| 2 | Changes relevant to the management system | Any significant internal or external changes that have occurred since the last review that may have an impact on the management system and so need to be considered |
| 3 | Nonconformities and corrective actions | Status of actions raised from previous internal and external audits |
| 4 | Monitoring and measurement results | Noteworthy items from monitoring and measurement reports, particularly exceptional results (good or bad) and whether targets are being met |
| 5 | Audit results | Summary of the conclusions of any audits carried out since the last management review |
| 6 | Fulfilment of objectives | Statement of how far we are towards achievement of information security objectives |
| 7 | Feedback from interested parties | Comments from people and organisations relevant to the VQMS, e.g. customers, suppliers |
| 8 | Risk assessment and treatment status | Changes to risk levels in the last quarter, including any new threats or vulnerabilities; progress on the risk treatment plan |
| 9 | Opportunities for continual improvement | Update the plan and summarise progress for existing improvements; identify new opportunities |
| 10 | Resource planning and plan for next quarter | Review of resource adequacy and main activities scheduled for the next quarter |
| 11 | Any other business | Items not covered within the formal agenda |
| 12 | Supplier review | Conduct a detailed external supplier review on a quarterly basis |
| 13 | Actions from this review | Actions recorded during this review, with person responsible and target date |
| 14 | Information continuity processes review | Review our current processes for ensuring we can continue to operate effectively in case of disaster |
| 15 | Date of next meeting | Ensure that the next meeting has been scheduled |
The management meeting minutes and action items can be found here.