Management Review Meeting (MRM) Input & Output Interpretation

AnandR

Good Afternoon!

I am having difficulty interpreting the following MRM inputs and outputs related to ISO 9001 and ISO 27001. Help from experts is appreciated.
Thanks
Anand

ISO 9001:
MRM Inputs:
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?

MRM Outputs:
1) Improvement of effectiveness of QMS & Its Processes
2) Improvement of product related to customer requirements

Is the above MRM output different from the Recommendations for improvement made in MRM input?



ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements


In QMS, it is only the results of audits. But in ISMS, it says results of audits and reviews.

Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
Here, does it mean recommendations for improvements? Is it for bringing in new items that never existed?


MRM Outputs:
  • Modification of procedures & controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
    a) Business Requirements
    b) Security Requirements
    c) Business Processes affecting the existing business requirements
    d) Regulatory or Legal Requirements
    e) Contractual Obligations
    f) Levels of risks and/or criteria for accepting risks
  • Improvements to how the effectiveness of controls is being measured
 

Richard Regalado

Trusted Information Resource
First of all AnandR, there is no requirement for an MRM or management review meeting. The requirement is for management to review the required inputs and come up with sensible outputs. You can do this in various ways other than a meeting. I've seen organizations with management abroad doing management reviews via email exchanges.

I will answer the ISMS part first. You asked:
ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements

1. Reviews are activities distinct from audits which can help ensure the preservation of CIA of your information assets. Reviews encompass technical vulnerability reviews such as penetration testing and vulnerability assessments.

2. Interested parties to your ISMS may include customers, stakeholders, the government, employees, contractors, 3rd-party vendors, consultants, etc.

3. Suppose one of your higher risks is employees tailgating through the main door and bypassing the current swipe card access. A product which can improve this situation, such as installing a turnstile system, could be part of the management review. The same goes for new products or techniques in the market which could lower your risk exposure and improve performance. A new co-lo site perhaps? A faster internet service provider?

4. There is a requirement to measure the effectiveness of the chosen and implemented controls. Make sure the results of the measurement process are part of the management review.

Will get back later after dinner. Wifey calling me.
 

Richard Regalado

Trusted Information Resource
I'm back! Now for the outputs.

You said:
MRM Outputs:
Modification of procedures & controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a) Business Requirements
b) Security Requirements
c) Business Processes affecting the existing business requirements
d) Regulatory or Legal Requirements
e) Contractual Obligations
f) Levels of risks and/or criteria for accepting risks
Improvements to how the effectiveness of controls is being measured

One of the required outputs of the management review for ISMS is how management will respond if there are changes to the factors listed in a-e.

Business requirements pertain to your own organization's changing requirements. For example, the next door office was recently robbed and ransacked. This will trigger or initiate your own review of physical security and, if the risk is validated, certain controls may be added. Regulatory and legal requirements are from the government and regulatory bodies, while contractual obligations are normally from your customers. You need to determine the actions to be taken by the organization should there be changes to these.

The last MR output requirement is very straightforward. As a result of reviewing the results of the measurement of effectiveness of controls, what changes would management want to implement to improve the measurement process for controls' effectiveness? Would you want to measure with more regularity? Would you want to automate the measurement process?
 
AnandR

Richard, I thank you very much for taking the time to explain my queries to me. It really helps.
Request you to help me on MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?
 

somashekar

Leader
Admin
Richard, I thank you very much for taking the time to explain my queries to me. It really helps.
Request you to help me on MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Recommendation for improvement, is it based on the review of all the MRM inputs?
A management review input is not only status information on all business-related processes, but also possible actions that can be taken up for the changes faced in a dynamic business world and for the results of analysis of various data concerning internal activities, with a vision to improve.
You bring about all the prospects and consequences (pros and cons) in the MR input, and the MR outputs set direction for future actions.
In very simple words, inputs help management to give outputs. Good inputs get effective outputs.
 
alicealicia

Richard,

I need your help to elaborate details for the inputs and outputs for ISMS management review meeting

2. Feedback from interested parties
Does it cover the developers and maintainers and also the suppliers? Can I have some samples or examples for the feedback?

4. Status of preventive and corrective actions
Does it mean the NCRs and OFIs from the internal and external audits?

5. Vulnerabilities or threats not adequately addressed in the previous risk assessment
Any examples?

6. Results from effectiveness measurements
Does it mean the security metrics?

Review Outputs:
1. Improvement of the effectiveness of the ISMS
3. Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a. Business requirements
b. Security requirements
c. Business processes affecting the existing business requirements
d. Regulatory or legal requirements
e. Contractual obligations
f. Levels of risk and/or risk acceptance criteria
4. Resource needs
5. Improvement to how the effectiveness of controls is being measured

I need more details on this. Any examples?
 

Richard Regalado

Trusted Information Resource
Dear Alicia, please see my replies below in blue. FYI my replies are now taken from the ISO/IEC 27001:2013.

Richard,

I need your help to elaborate details for the inputs and outputs for ISMS management review meeting

2. Feedback from interested parties
Does it cover the developers and maintainers and also the suppliers? Can I have some samples or examples for the feedback?

The new version of ISO/IEC 27001 requires the implementing organization to understand the organization itself and its context. External and internal issues need to be understood as well. That being said, you need to ask yourself: who are the stakeholders (interested parties) to my company's ISMS? Does it include suppliers? Are they supplying me products and services that need to be managed in relation to information security? Do not forget your customers. Capture any feedback from them relating to your IS posture. Some customers perform audits. Gather feedback from these interactions.

4. Status of preventive and corrective actions
Does it mean the NCRs and OFIs from the internal and external audits?

Yes indeed.

5. Vulnerabilities or threats not adequately addressed in the previous risk assessment
Any examples?

For example, you recently switched from a wired network connection to a wireless network connection. Threats and vulnerabilities from the use of this new technology should be included in your risk assessment.

6. Results from effectiveness measurements
Does it mean the security metrics?

You are right. Metrics or any monitoring and measurement relating to information security. It could be as technical as the number of viruses detected or as simple as the number of attendees at an infosec training.

Review Outputs:
1. Improvement of the effectiveness of the ISMS
3. Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a. Business requirements
b. Security requirements
c. Business processes affecting the existing business requirements
d. Regulatory or legal requirements
e. Contractual obligations
f. Levels of risk and/or risk acceptance criteria
4. Resource needs
5. Improvement to how the effectiveness of controls is being measured

I need more details on this. Any examples?
 