10a Isms Management Review Procedure v3

ISMS MANAGEMENT REVIEW PROCEDURE For Godrej & Boyce Mfg. Co. Ltd. Datacenter

Godrej & Boyce Mfg. Co. Ltd. Datacenter

ISMS 27001 : 2005 Clause: 4.2.3 ,6,7

Information Security Management System Document No.: ISMS/4_8/6_7/IMP/ PRO/ v3.0

Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011

Title: ISMS Management Review Procedure

Revision History

Sr.No.

Section

1

-

Description Of Change Version superseded during yearly review

Current Rev No.

Remarks

R03

Prepared By :

Approved By :

Information Security Officer

Information Security Management Forum(ISMF)

Internal

Page 2 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


Table of Content 1.

Scope ............................................................................................................................. 4

2.

Procedures .................................................................................................................... 4

2.1.

Procedure for Management Review ......................................................................... 4

2.2.

Review Meetings ........................................................................................................ 6

2.3. 2.4.

3.

Procedure for Internal ISMS Audit ............................................................................................ 7 Procedure for carrying out internal audits................................................................................. 8

Annexure ..................................................................................................................... 13 A B C D

Audit Frequency .......................................................................................................................... 13 Format for Audit Schedule .......................................................................................................... 14 Internal ISMS Audit Report ......................................................................................................... 15 Format for Audit Summary Report .............................................................................................. 16

Internal

Page 3 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


1. Scope This procedure is in line with the ISMS Management Policy and adheres to below mentioned ISO 27001 clauses:

• 4.2.3 – Monitor and review the ISMS • 6 – Internal ISMS audits • 7 – Management review of ISMS

2. Procedures 2.1. Procedure for Management Review Responsibility Activity

/ Authority

Record Name & Number

Following Matters to be considered for review of ISMS: Information

a) Results of ISMS audits and reviews

b) Feedback from related departments, users, Security Management

parties

c) Techniques, products or procedures, which Forum (ISMF), could be used in organization to improve the ISMS performance and effectiveness d) Status of preventive and corrective actions

Information Security Officer

e) Vulnerabilities or threats not adequately (ISO), addressed in the previous risk assessment f)

Follow-up

Internal

actions

from

previous Information

Page 4 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011

management reviews


Security

g) Any changes that could affect the ISMS

Implementation

h) Any recommendations for improvement

Team

i)

Any other suggestions by the members

(ISIT)

j)

Minutes / Output of ISMF meeting

Review output: The output from the management review shall include any decision and actions related to a) Improvement of the effectiveness of the ISMS. b) Modifications

of

procedures

that

effect

information security, as necessary, to respond to internal or external events that may impact on the ISMS, including changes to: 1. Business requirements 2. Security requirements 3. Business processes effecting the existing business requirements

Information Security Management Forum (ISMF)

4. Regulatory or legal environment 5. Levels of risk and / or levels of risk acceptance c) Resource requirement The target date and time frame for completion of agreed corrective and preventive actions and responsibility. Records to be maintained for proceeding of Management Review Meeting. ISIT is responsible for preparing, and maintaining the minutes of Management Review Meeting.

Internal

Management ISIT

Review Records

Page 5 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


2.2. Review Meetings

Activity

Responsibility

Record Name

/ Authority

& Number

Frequency of Management Review Meeting:

Management

Review

Meeting

to

be

Conducted at least once in Six months Purpose of Meeting: To review the G&B-DC - ISMS to 1. Ensure its continuing suitability, adequacy and effectiveness 2. Assess opportunities for improvement and the need for change to ISMS, Information Security Policy and Procedures Persons to participate in Meeting: 1. Information Security Management Forum (ISMF) 2. Information Security Officer (ISO) 3. Information Security Implementation Team (ISIT) Any other as decided by the ISMF/ISO

Internal

Page 6 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


2.3. Procedure for Internal ISMS Audit

Activity

Responsibility / Record Name Authority

& Number Identified

Define following:Audit team (Refer Note “A” to this procedure)

ISO

Team Members (ISIT)

Define following:Audit Plan for the year (Refer Note “B”) Audit Plan to be made in format specified in

ISO

Audit Schedule

Annexure ‘B’ Notify Audit Plan to each personnel responsible for ‘Area of Work’ to be audited

Internal

Page 7 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


2.4. Procedure for carrying out internal audits On the basis of Audit Plan for the year, identify at the beginning of each quarter ‘work area’ to be ISIT audited during the quarter. Select Auditors from Audit Team for auditing the selected area of work. Representative of Audit Team shall not be

ISIT

selected for Audit of its own work area. Prepare Audit Schedule for the quarter on the basis of Audit Plan Audit schedule to be prepared in format specified

ISIT

Audit Schedule

in Annexure ‘C’

Circulate

audit

schedule

to

the

respective

personnel for their area of work to be audited

Brief the Auditors on audit procedure to be adopted and scope of the Audit

Internal

Information Security Officer (ISO)

Information Security Officer (ISO)

Page 8 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011

Activity Study ISO 27001 standard, Standard operating Procedures, Information Security Manual


Responsibility

Record Name

/ Authority

& Number

ISIT

Conduct the Audit according to audit procedures. Auditor shall conduct the audit work objectively ISIT and impartially and shall not audit their own work Record non-conformities and observations found during Audit in the Internal ISMS Audit Report. ISIT Refer Annexure ‘D’ for format. Submit

Audit

Report

to

ISMF

along

Internal

ISMS

Audit Report

with

recommendation and responsibility for action to clear the non-conformities or observations found during the audit. Such recommendations to be made after discussion with Auditor. Where the observations of the auditor are of a nature, which require changes to the Standard Operating Procedures (SOP) then the procedures for change to document as given in SOP for Control of Documents and Records are to be followed. At completion of period granted for taking corrective action, ISO shall appoint a member of Audit Team (Follow-up Auditor) to verify whether Information recommended

corrective

action

has

been Security Officer

implemented or not. For this purpose ISO to hand (ISO) over original Internal ISMS Audit Report to Followup Auditor. Follow-up Auditor after carrying out Follow-up Follow-up Audit shall record it’s finding in original ISMS Audit Auditor

Internal

Page 9 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011

Activity


Responsibility

Record Name

/ Authority

& Number

Report also providing objective evidence and sample chosen of the follow-up audit done. Hand

over

Internal

Security

Audit

Report Follow

containing the follow up Audit findings to ISO. If

follow

up

auditor’s

finding

suggest

auditor that

necessary action has not been taken by person; then

ISO

must

ensure

that

up

recommended

ISO

Corrective/Preventive action has been carried out. After implementation of Corrective action ISO shall sign the relevant audit report to close the non- ISO conformity/observation

Internal

Page 10 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011

Activity


Responsibility/

Record Name

Authority

& Number

Prepare Final Audit Summary Report for the quarter for reporting to Management Review Meeting. Final Audit Summary Report to be made ISO in format specified in Annexure ‘E’ to this

Audit Summary Report

procedure Hand over the Internal ISMS Audit Reports to ISMF for review of findings and corrective actions so that appropriate preventive action, if required

ISO

can be determined ISO shall sign the relevant Internal ISMS Audit Report after reviewing the same and shall hand ISO over the Report to CMD File Internal ISMS Audit Report arranged report number wise in Internal ISMS Audit Report File

Internal

ISIT

Internal

ISMS

Audit Report file

Page 11 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


Note “A” - Audit Team A person shall have sufficient knowledge and understanding of requirements set by ISO 27001 for an information security management system, to be a member of Audit team. Members of Audit team shall attend refresher course in audit techniques every year, record of such training titled as Training Records of employees performing Audit shall be kept and maintained by the HR Department / ISMF.

Note “B” - Audit Plan Audit Plan shall encompass all activities within the purview of Information Security Management System, Provide frequency of Internal ISMS Audit. Frequency of audit shall be based on status and importance of activity to be audited Frequency of audit can be changed and reviewed based on status and Importance of an activity, but the maximum Interval between two audits of same activity shall not exceed 6 months

Internal

Page 12 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


3. Annexure A Audit Frequency AUDIT PLAN FOR THE YEAR ____________

Department

to

be Jan

Audited

Feb

Mar

Apr

May

Jun

Jul

Aug

Sep

Signature

Oct

Nov

Dec

Date

Prepared by:

Authorized by:

Circulation List: Department

Internal

Signature of Department Heads

Date

Page 13 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


B Format for Audit Schedule No:

______________________

Quarter: _____________________ Month: ______________________

Name of Department

Auditor

Auditee

Date of

Time of

Audit

Audit

Scope of Audit

Signature

Prepared by:

Authorized by:

Date

ISO

ISMF

Circulation List: Department

Internal

Signature of Department Heads

Date

Page 14 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


C Internal ISMS Audit Report

Int_Audit_Summary_ Report_DC.xls

Internal

Page 15 of 16


ISMS 27001 : 2005 Clause: 4.2.3 ,6,7


Issue: 03 Date: 30.11.2011

Rev. No: 03 Date: 25.10.2011


D Format for Audit Summary Report Audit No:

---------------------------

Quarter

Month

Auditors Name of Department

Category of Findings

Audited

Nonconformance (NC) Open

Close*

Opportunity for improvement(OI) Open Close*

Total Open

Close*

Total Signature: Date: ISO

* Represents Number of Non conformities resolved

Internal

Page 16 of 16

10a Isms Management Review Procedure v3

Recommend Documents