User
Create a script on what a consultant should present at a management review meeting.
Experta
To comply with ISO 27001 clause 9.3 Management review, a consultant should present the following at a management review meeting:
1. **Participants and Schedule**: Confirm who is participating in the management review and when it is scheduled to take place.
2. **Input Materials**: Present the prepared input materials that need to be discussed, including internal audit reports, corrective actions and their status, status of tasks from the last management review, changes that could influence security, results of measurements, new required resources, lessons learned, and proposals for improvement.
3. **Decisions to be Made**: Outline the decisions that need to be made during the review, such as whether the ISMS or BCMS has fulfilled its objectives, required improvements, changes to the scope, approval of resources, and modifications to main documents.
4. **Evidence of Compliance**: Provide evidence that the management review minutes have been documented, that top management has participated, that the review is performed regularly, and that all required inputs were presented.
5. **Results and Deviations**: Explain the results and any deviations from expected outcomes, ensuring that decisions made are properly recorded, including what needs to be done, by whom, and related deadlines.
6. **Educational Opportunity**: Use the review as an opportunity to educate executives on information security basics, discuss alternative strategies, and present issues for support.
7. **Documentation and Communication**: Discuss how the results will be documented and communicated, whether through simple meeting minutes or formal proceedings, and how the company plans to communicate the results to relevant employees and third parties.
By following these steps, the consultant can ensure a comprehensive and effective management review meeting.