ISMS MANAGEMENT REVIEW PROCEDURE For Godrej & Boyce Mfg. Co. Ltd. Datacenter
Godrej & Boyce Mfg. Co. Ltd. Datacenter
ISMS 27001 : 2005 Clause: 4.2.3 ,6,7
Information Security Management System Document No.: ISMS/4_8/6_7/IMP/ PRO/ v3.0
Issue: 03 Date: 30.11.2011
Rev. No: 03 Date: 25.10.2011
Title: ISMS Management Review Procedure
Revision History
Sr. No.: 1
Section: -
Description of Change: Version superseded during yearly review
Current Rev No.: R03
Remarks: (none)

Prepared By: Information Security Officer
Approved By: Information Security Management Forum (ISMF)
Internal
Page 2 of 16
Table of Contents
1. Scope ..... 4
2. Procedures ..... 4
2.1. Procedure for Management Review ..... 4
2.2. Review Meetings ..... 6
2.3. Procedure for Internal ISMS Audit ..... 7
2.4. Procedure for carrying out internal audits ..... 8
3. Annexure ..... 13
A Audit Frequency ..... 13
B Format for Audit Schedule ..... 14
C Internal ISMS Audit Report ..... 15
D Format for Audit Summary Report ..... 16
1. Scope
This procedure is in line with the ISMS Management Policy and adheres to the ISO 27001 clauses listed below:
• 4.2.3 – Monitor and review the ISMS
• 6 – Internal ISMS audits
• 7 – Management review of ISMS
2. Procedures

2.1. Procedure for Management Review

Activity: The following matters are to be considered for review of the ISMS:
a) Results of ISMS audits and reviews
b) Feedback from related departments, users and parties
c) Techniques, products or procedures which could be used in the organization to improve the ISMS performance and effectiveness
d) Status of preventive and corrective actions
e) Vulnerabilities or threats not adequately addressed in the previous risk assessment
f) Follow-up actions from previous management reviews
g) Any changes that could affect the ISMS
h) Any recommendations for improvement
i) Any other suggestions by the members
j) Minutes / output of ISMF meeting
Responsibility / Authority: Information Security Management Forum (ISMF), Information Security Officer (ISO), Information Security Implementation Team (ISIT)

Activity: Review output: the output from the management review shall include any decisions and actions related to
a) Improvement of the effectiveness of the ISMS.
b) Modification of procedures that affect information security, as necessary, to respond to internal or external events that may impact the ISMS, including changes to:
1. Business requirements
2. Security requirements
3. Business processes affecting the existing business requirements
4. Regulatory or legal environment
5. Levels of risk and / or levels of risk acceptance
c) Resource requirements
The target date and time frame for completion of the agreed corrective and preventive actions, and the responsibility for them.
Responsibility / Authority: Information Security Management Forum (ISMF)

Activity: Records are to be maintained for the proceedings of the Management Review Meeting. ISIT is responsible for preparing and maintaining the minutes of the Management Review Meeting.
Responsibility / Authority: ISIT
Record Name & Number: Management Review Records
2.2. Review Meetings

Frequency of Management Review Meeting: the Management Review Meeting is to be conducted at least once in six months.

Purpose of Meeting: to review the G&B-DC ISMS to
1. Ensure its continuing suitability, adequacy and effectiveness
2. Assess opportunities for improvement and the need for change to the ISMS, Information Security Policy and Procedures

Persons to participate in Meeting:
1. Information Security Management Forum (ISMF)
2. Information Security Officer (ISO)
3. Information Security Implementation Team (ISIT)
Any other as decided by the ISMF/ISO
2.3. Procedure for Internal ISMS Audit

Activity: Define the following: Audit team (refer Note "A" to this procedure)
Responsibility / Authority: ISO
Record Name & Number: Identified Team Members (ISIT)

Activity: Define the following: Audit Plan for the year (refer Note "B"). The Audit Plan is to be made in the format specified in Annexure 'B'. Notify the Audit Plan to each personnel responsible for the 'Area of Work' to be audited.
Responsibility / Authority: ISO
Record Name & Number: Audit Schedule
2.4. Procedure for carrying out internal audits

Activity: On the basis of the Audit Plan for the year, identify at the beginning of each quarter the 'work area' to be audited during the quarter.
Responsibility / Authority: ISIT

Activity: Select Auditors from the Audit Team for auditing the selected area of work. A representative of the Audit Team shall not be selected for the audit of its own work area.
Responsibility / Authority: ISIT

Activity: Prepare the Audit Schedule for the quarter on the basis of the Audit Plan. The Audit Schedule is to be prepared in the format specified in Annexure 'C'.
Responsibility / Authority: ISIT
Record Name & Number: Audit Schedule

Activity: Circulate the audit schedule to the respective personnel for their area of work to be audited.
Responsibility / Authority: Information Security Officer (ISO)

Activity: Brief the Auditors on the audit procedure to be adopted and the scope of the Audit.
Responsibility / Authority: Information Security Officer (ISO)

Activity: Study the ISO 27001 standard, Standard Operating Procedures and the Information Security Manual.
Responsibility / Authority: ISIT

Activity: Conduct the Audit according to the audit procedures. The Auditor shall conduct the audit work objectively and impartially and shall not audit their own work.
Responsibility / Authority: ISIT

Activity: Record non-conformities and observations found during the Audit in the Internal ISMS Audit Report. Refer to Annexure 'D' for the format.
Responsibility / Authority: ISIT

Activity: Submit the Audit Report to ISMF along with the recommendation and responsibility for action to clear the non-conformities or observations found during the audit. Such recommendations are to be made after discussion with the Auditor. Where the observations of the auditor are of a nature which requires changes to the Standard Operating Procedures (SOP), the procedure for change to documents as given in the SOP for Control of Documents and Records is to be followed.
Record Name & Number: Internal ISMS Audit Report

Activity: At completion of the period granted for taking corrective action, ISO shall appoint a member of the Audit Team (Follow-up Auditor) to verify whether the recommended corrective action has been implemented or not. For this purpose ISO is to hand over the original Internal ISMS Audit Report to the Follow-up Auditor.
Responsibility / Authority: Information Security Officer (ISO)

Activity: The Follow-up Auditor, after carrying out the Follow-up Audit, shall record its findings in the original ISMS Audit Report, also providing objective evidence and the sample chosen for the follow-up audit done. Hand over the Internal Security Audit Report containing the follow-up Audit findings to ISO.
Responsibility / Authority: Follow-up Auditor

Activity: If the follow-up auditor's findings suggest that the necessary action has not been taken by the person, then ISO must ensure that the recommended Corrective/Preventive action has been carried out.
Responsibility / Authority: ISO

Activity: After implementation of the Corrective action, ISO shall sign the relevant audit report to close the non-conformity/observation.
Responsibility / Authority: ISO

Activity: Prepare the Final Audit Summary Report for the quarter for reporting to the Management Review Meeting. The Final Audit Summary Report is to be made in the format specified in Annexure 'E' to this procedure.
Responsibility / Authority: ISO
Record Name & Number: Audit Summary Report

Activity: Hand over the Internal ISMS Audit Reports to ISMF for review of findings and corrective actions so that appropriate preventive action, if required, can be determined.
Responsibility / Authority: ISO

Activity: ISO shall sign the relevant Internal ISMS Audit Report after reviewing the same and shall hand over the Report to CMD.
Responsibility / Authority: ISO

Activity: File the Internal ISMS Audit Report, arranged report number wise, in the Internal ISMS Audit Report File.
Responsibility / Authority: ISIT
Record Name & Number: Internal ISMS Audit Report file
Note "A" - Audit Team
A person shall have sufficient knowledge and understanding of the requirements set by ISO 27001 for an information security management system to be a member of the Audit team. Members of the Audit team shall attend a refresher course in audit techniques every year; records of such training, titled Training Records of employees performing Audit, shall be kept and maintained by the HR Department / ISMF.

Note "B" - Audit Plan
The Audit Plan shall encompass all activities within the purview of the Information Security Management System and provide the frequency of Internal ISMS Audit. The frequency of audit shall be based on the status and importance of the activity to be audited. The frequency of audit can be changed and reviewed based on the status and importance of an activity, but the maximum interval between two audits of the same activity shall not exceed 6 months.
3. Annexure

A Audit Frequency

AUDIT PLAN FOR THE YEAR ____________
Columns: Department to be Audited; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec
Prepared by: ____________ Signature: ____________ Date: ____________
Authorized by: ____________ Signature: ____________ Date: ____________
Circulation List: Department; Signature of Department Heads; Date
B Format for Audit Schedule

No: ______________________
Quarter: _____________________ Month: ______________________
Columns: Name of Department; Auditor; Auditee; Date of Audit; Time of Audit; Scope of Audit
Prepared by: ISO Signature: ____________ Date: ____________
Authorized by: ISMF Signature: ____________ Date: ____________
Circulation List: Department; Signature of Department Heads; Date
C Internal ISMS Audit Report
Int_Audit_Summary_ Report_DC.xls
D Format for Audit Summary Report

Audit No: ---------------------------
Quarter: ____________ Month: ____________
Columns: Auditors; Name of Department Audited; Category of Findings: Nonconformance (NC) Open / Close*; Opportunity for improvement (OI) Open / Close*; Total Open / Close*
Total
Signature: ____________ Date: ____________ ISO
* Represents the number of non-conformities resolved