Management Review Meeting (MRM) Input & Output Interpretation

AnandR

#1
Good Afternoon!

I am having difficulty interpreting the following MRM inputs and outputs related to ISO 9001 and ISO 27001. Help from experts is appreciated.
Thanks
Anand

ISO 9001:
MRM Inputs:
1) Changes that could affect the QMS
2) Recommendations for improvement

Is the recommendation for improvement based on the review of all the MRM inputs?

MRM Outputs:
1) Improvement of effectiveness of QMS & Its Processes
2) Improvement of product related to customer requirements

Is the above MRM output different from the Recommendations for improvement made in MRM input?



ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements


In QMS it is only the results of audits, but in ISMS it says results of audits and reviews.

Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
Here, does it mean recommendations for improvements? Is it for bringing in new items that never existed?


MRM Outputs:
  • Modification of procedures & controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
    a) Business Requirements
    b) Security Requirements
    c) Business Processes affecting the existing business requirements
    d) Regulatory or Legal Requirements
    e) Contractual Obligations
    f) Levels of risks and/or criteria for accepting risks
  • Improvements to how the effectiveness of controls is being measured
 
Richard Regalado

Trusted Information Resource
#2
First of all AnandR, there is no requirement for an MRM or management review meeting. The requirement is for management to review the required inputs and come up with sensible outputs. You can do this in various ways other than a meeting. I've seen organizations with management abroad doing management reviews via email exchanges.

I will answer the ISMS part first. You asked:
ISO 27001:
MRM Inputs:
1) Results of ISMS audits and reviews
2) Feedback from interested parties on ISMS
3) Techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness
4) Results from effectiveness measurements
1. Reviews are activities distinct from audits which can help ensure the preservation of CIA of your information assets. Reviews encompass technical vulnerability reviews such as penetration testing and vulnerability assessments.

2. Interested parties to your ISMS may include customers, stakeholders, the government, employees, contractors, 3rd-party vendors, consultants, etc.

3. Suppose one of your higher risks is employees tail-gating the main door and bypassing the current swipe card access. A product which can improve this situation, such as installing a turnstile system, could be part of the management review. The same goes for new products or techniques in the market which could lower your risk exposure and improve performance. A new co-lo site perhaps? A faster internet service provider?

4. There is a requirement to measure the effectiveness of the chosen and implemented controls. Make sure the results of the measurement process are part of the management review.

Will get back later after dinner. Wifey calling me.
 

Richard Regalado

Trusted Information Resource
#3
I'm back! Now for the outputs.

You said:
MRM Outputs:
Modification of procedures & controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a) Business Requirements
b) Security Requirements
c) Business Processes affecting the existing business requirements
d) Regulatory or Legal Requirements
e) Contractual Obligations
f) Levels of risks and/or criteria for accepting risks
Improvements to how the effectiveness of controls is being measured
One of the required outputs of the management review for ISMS is how management will respond if there are changes to the factors listed in a-e.

Business requirements pertain to your own organization's changing requirements. For example, the next door office was recently robbed and ransacked. This will trigger or initiate your own review of physical security and, if the risk is validated, certain controls may be added. Regulatory and legal requirements are from the government and regulatory bodies, while contractual obligations are normally from your customers. You need to determine the actions to be taken by the organization should there be changes to these.

The last MR output requirement is very straightforward. As a result of reviewing the results of the measurement of effectiveness of controls, what changes would management want to implement to improve the measurement process for controls' effectiveness? Would you want to measure with more regularity? Would you want to automate the measurement process?
 
AnandR

#4
Richard, I thank you very much for taking the time to explain my queries. It really helps.
I request you to help me with the MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Is the recommendation for improvement based on the review of all the MRM inputs?
 

somashekar

Staff member
Super Moderator
#5
Richard, I thank you very much for taking the time to explain my queries. It really helps.
I request you to help me with the MRM inputs for ISO 9001.
1) Changes that could affect the QMS
2) Recommendations for improvement

Is the recommendation for improvement based on the review of all the MRM inputs?
A management review input is not only status information on all business-related processes, but also possible actions that can be taken up for the changes faced in a dynamic business world and for the results of analysis of various data concerning internal activities, with a vision to improve.
You bring all the prospects and consequences (pros and cons) into the MR input, and the MR outputs set the direction for future actions.
In very simple words, inputs help management to give outputs. Good inputs get effective outputs.
 
alicealicia

#7
Richard,

I need your help to elaborate details for the inputs and outputs for the ISMS management review meeting.

2. Feedback from interested parties
Does it cover the developers and maintainers and also the suppliers? Can I have some samples or examples for the feedback?

4. Status of preventive and corrective actions
Does it mean the NCRs and OFIs from the internal and external audits?

5. Vulnerabilities or threats not adequately addressed in the previous risk assessment
Any examples?

6. Results from effectiveness measurements
Does it mean the security metrics?

Review Outputs:
1. Improvement of the effectiveness of the ISMS

3. Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a. Business requirements
b. Security requirements
c. Business processes affecting the existing business requirements
d. Regulatory or legal requirements
e. Contractual obligations
f. Levels of risk and/or risk acceptance criteria
4. Resource needs
5. Improvement to how the effectiveness of controls is being measured

I need more details on this. Any examples?
 

Richard Regalado

Trusted Information Resource
#8
Dear Alicia, please see my replies below in blue. FYI my replies are now taken from the ISO/IEC 27001:2013.

Richard,

I need your help to elaborate details for the inputs and outputs for the ISMS management review meeting.

2. Feedback from interested parties
Does it cover the developers and maintainers and also the suppliers? Can I have some samples or examples for the feedback?
Reply: The new version of ISO/IEC 27001 requires the implementing organization to understand the organization itself and its context. External and internal issues need to be understood as well. That being said, you need to ask yourself: who are the stakeholders (interested parties) to my company's ISMS? Does it include suppliers? Are they supplying me products and services that need to be managed in relation to information security? Do not forget your customers. Capture any feedback from them relating to your IS posture. Some customers perform audits. Gather feedback from these interactions.

4. Status of preventive and corrective actions
Does it mean the NCRs and OFIs from the internal and external audits?
Reply: Yes indeed.

5. Vulnerabilities or threats not adequately addressed in the previous risk assessment
Any examples?
Reply: For example, you recently switched from a wired network connection to a wireless network connection. Threats and vulnerabilities from the use of this new technology should be included in your risk assessment.

6. Results from effectiveness measurements
Does it mean the security metrics?
Reply: You are right. Metrics or any monitoring and measurement relating to information security. It could be as technical as the number of viruses detected or as simple as the number of attendees at an infosec training.

Review Outputs:
1. Improvement of the effectiveness of the ISMS

3. Modification of procedures and controls that affect information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to:
a. Business requirements
b. Security requirements
c. Business processes affecting the existing business requirements
d. Regulatory or legal requirements
e. Contractual obligations
f. Levels of risk and/or risk acceptance criteria
4. Resource needs
5. Improvement to how the effectiveness of controls is being measured

I need more details on this. Any examples?
 