Management Review Meeting (MRM) Input & Output Interpretation

[AnandR]

Good Afternoon!

I having difficult in interpreting the following MRM inputs and Outputs related to ISO 9001 and ISO 27001. Help from experts is appreciated.
Thanks
Anand

ISO 9001:
MRM Inputs:
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?

MRM Outputs:
1) Improvement of effectiveness of QMS & Its Processes
2) Improvement of product related to customer requirements

Is the above MRM output different from the Recommendations for improvement made in MRM input?



ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements


In QMS, it is only the results of audit. But, in ISMS it says results of audits and reviews

Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
Here is it meaning recommendations for improvements? Is it for bringing in new items that never exists?


MRM Outputs:

• Modification of procedures & controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
  a)Business Requirements b) Security Requirements c) Business Processes effecting the
  existing business requirements d) Regulatory or Legal Requirements
  e) Contractual Obligations & f) Levels of risks and/or criteria for accepting risks
• Improvements to how the effectiveness of controls is being measured

[Richard Regalado]

First of all AnandR, there is no requirement for an MRM or management review meeting. The requirement is for management to review the required inputs and come up with sensible outputs. You can do this is in various ways other than a meeting. I've seen organizations with management abroad doing management reviews via email exchanges.

I will answer the ISMS part first. You asked:

Quote:

ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements

1. Reviews are activities distinct from audits which can help ensure the preservation of CIA of your information assets. Reviews encompass technical vulnerability reviews such as penetration testing and vulnerability assessments.

2. Interested parties to your ISMS may include customers, stakeholders, the government, employees, contractors, 3rd-party vendors, consultants, etc.

3. Supposed one of your higher risk is employees tail-gating the main door and bypassing the current swipe card access. A product which can improve this situation such as installing a turnstile system could be part of the management review. The same goes for new products or techniques in the market which could lower your risk exposure and improve performance. A new co-lo site perhaps? A faster internet service provider?

4. There is a requirement to measure the effectiveness of the chosen and implemented controls. Make sure the results of the measurement process are part of the management review.

Will get back later after dinner. Wifey calling me.

[Richard Regalado]

I'm back! Now for the outputs.

You said:

Quote:

MRM Outputs:
Modification of procedures & controls that effect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a)Business Requirements b) Security Requirements c) Business Processes effecting the
existing business requirements d) Regulatory or Legal Requirements
e) Contractual Obligations & f) Levels of risks and/or criteria for accepting risks
Improvements to how the effectiveness of controls is being measured

One the required output of the management review for ISMS is how will management respond if there changes to the factors listed in a-e.

Business requirements pertain to your own organization changing requirements. For example, the next door office was recently robbed and ransacked. This will trigger or initiate your own review of physical security and if the risk is validated, certain control may be added. Regulatory and legal requirements are from the government and regulatory bodies while contractual obligations are normally from your customers. You need to determine the actions to be taken by the organization should there be changes to these.

The last MR output requirement is very straightforward. As a result of reviewing the results of the measurement of effectiveness of controls, what changes would management want to implement to improve the measurement process for controls' effectiveness. Would you want to measure with more regularity? Would you want to automate the measurement process?

[AnandR]

Richard, I thank you very much for taking time to explain me my queries. It really helps.
Request you to help me on MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?

[somashekar]

Quote:

In Reply to Parent Post by AnandR

Richard, I thank you very much for taking time to explain me my queries. It really helps.
Request you to help me on MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?

A management review input is not only a status information of all business related processess, but also possible actions that can be taken up for the changes faced in a dynamic business world, for the results of analysis of various data concerning to internal activities., with a vision to improve.
You bring about all the prospects and consequences (pro's and con's) in the MR input and the MR outputs sets direction for future actions.
In very simple words, inputs help management to give outputs. Good inputs gets effective outputs.

[AnandR]

Thanks Somashekar