ISO 9001 Management Review Meeting Presentation Software
STANDARD ISSUES
What can you do to add value to QMS review meetings?
by Govind Ramu
ISO 9001:2015 requires top management review of an organization’s quality management system (QMS). This provides an important opportunity for a quality manager to present to upper management a State of the Union-style report on the organization’s quality health.
I have seen all varieties of such meetings: from day-long off-site meetings in which the owner of every business segment presents, to an hour-long ceremonial presentation featuring regurgitated graphs, tables and slides packed with text.
Management review participants often complain that these meetings are a waste of time because the information already has been covered. Or, they tell themselves that it’s just something they must do for International Organization for Standardization (ISO) certification.
Adding value
How can these meetings be restructured so they add value?
The key is to understand the intent of the management review requirements. ISO 9001:2015 clause 9.3.1 states: 'Top management shall review the organization’s quality management system, at planned intervals, to ensure its continuing suitability, adequacy, effectiveness, and alignment with the strategic direction of the organization.' [1] The intent is to ensure:
- Continuing suitability. What has changed in the organization or the QMS that will render the QMS unsuitable or less suitable?
- Adequacy. Sufficiency in terms of people, process, infrastructure and operating environment.
- Effectiveness. The 'extent to which planned activities are realized and planned results are achieved.' [2]
- Alignment with the strategic direction of the organization. Any changes to strategic direction require realignment of the QMS.
Let’s look at these requirements in more detail.
Continuing suitability
Many changes take place in an organization over time due to shifts in policy and strategy or external factors.
Let’s use the recent spike in ransomware as an example. [3] Computer hacking is becoming more sophisticated, and organizations must determine how to prevent an attack or reduce the impact of one. This is IT-related risk mitigation, so what does it have to do with a QMS? A ransomware attack can prevent an organization from serving its customers promptly, and it can compromise private information. It also can put an organization’s intellectual property at risk if the attackers post documented information in the public domain.
Because ransomware attacks are wide-reaching and evolving rapidly, it is important for organizations to review any potential IT vulnerabilities. Perhaps changes must be made to IT policies and procedures to anticipate and prevent such risks. In the event of an unforeseen, sophisticated attack, does the organization have a plan in place for business continuity?
Adequacy
If an organization’s manufacturing or service delivery has expanded to new territories, or if the organization has launched new technology products, is the QMS sufficient to handle this business expansion?
Offering products and services in new territories requires a launch plan that includes obtaining necessary regional certifications, hiring people from the new location (to address language and cultural barriers) and setting up infrastructure (hardware, software, building facilities and transportation, for example). Demo units may be required in the new territories, and an operating environment must be recreated or simulated to show product functionalities to potential customers.
New technology products may require extensive training materials. It shouldn’t be left to salespeople on the ground to figure out. A well thought out launch plan will have all the activities adequately covered so the sales team can provide an experience that delights customers.
Effectiveness
Every organization has its own business processes, initiatives, goals and objectives to improve its bottom line and enhance the customer experience. How effective is the organization at meeting these goals and objectives?
ISO 9001:2015 subclause 9.3.2.c.5 requires the management review to consider monitoring and measurement results that are relevant to the QMS and assess their effectiveness. Not meeting the results could be caused by inadequate resources, internal and external issues, or a lack of risk-based thinking. Should analysis be performed to determine why the results have not been met? Are there any systemic issues or common themes that run through various instances in which results were not met?
Alignment with strategic direction
Organizations may occasionally change their strategies due to market shift and to enhance their offerings to customers. For example, an organization may offer services online, outsource services or partner with a joint venture to manufacture products. All of these scenarios require a QMS to be realigned.
Offering services online requires developing a website, offering on-site support and managing the website’s content. This, in turn, requires hiring a software development team and training virtual support personnel to handle online service requests and customer feedback. Documented information should be readily available online for support personnel to access from anywhere, and records and transaction information may require cloud storage.
If services are outsourced, controls must be in place to ensure quality and continuity of services. [4] A manufacturing joint venture brings potential challenges regarding differences in QMS processes and controls, so an alignment between the joint venture partners’ QMSs is required to effectively run the business.
What if management review meetings addressed the above-mentioned intent of the ISO 9001:2015 management review requirements? Could the face-to-face time with senior management be more valuable? This is a refreshing approach to the traditional way of just covering requirements on the surface by presenting volumes of graphs, tables and slides.
Myths debunked
There are many different misperceptions about conducting a management review meeting, such as:
- There must be one annual management review.
- Management reviews should cover all requirements in one meeting.
- All senior management should be present at the annual meeting.
- Management review should follow the ISO standard requirement sequence (for example, subsections 9.3.2.a through f).
These expectations have evolved over time—likely to make auditing easier—without keeping in mind that management review helps to improve business. In a typical organization, the outcome of a management review is reviewed periodically—weekly, monthly, quarterly or annually, for example (see Table 1). The performance results are reviewed as a business activity irrespective of whether an organization is ISO 9001 certified. For large organizations, it is unlikely that all senior managers will be present at these meetings. However, the information should be made available for comments and decision making when appropriate.
One of the major changes we made in our organization was to move away from arranging the management review presentation in the sequence of ISO 9001 requirements. Instead, we rearranged the contents consistent with other management presentation agendas. Our senior management was familiar with this format, which helped improve engagement with the content.
We were not saying, 'Now presenting ISO 9001:2015 clause 9.3.2.a.' We used appropriate captions, such as business segment highlights and lowlights, challenges, improvement actions and next steps. This kept the conversation relevant to our organization and didn’t give the impression that it was simply satisfying an ISO 9001 requirement.
To help internal and external auditors, we cross-referenced a relevant ISO 9001:2015 requirement in the top right-hand corner of the presentation. The main intent of our management review was to help senior leaders understand our presentation content so they could engage with it and provide value-added feedback. It was not for mere ISO 9001 compliance.
Quality professionals must be innovative in how they implement QMSs and bring value to their organizations. Every organization is different, and every organization’s values, culture and beliefs are different. Move away from the rigid, prescriptive approach to QMS implementation of the past. QMSs exist to help organizations, not the other way around. You should not compromise the intent of meeting ISO 9001 requirements, but you also should be flexible and open-minded when integrating a QMS into existing organizational processes to accomplish your objectives.
References and Note
1. International Organization for Standardization (ISO), ISO 9001:2015 Quality management systems—Requirements.
2. ISO 9000:2015 Quality management systems—Fundamentals and vocabulary, subclause 3.7.11.
3. 'Ransomware' is defined as a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. For more information, visit https://en.wikipedia.org/wiki/Ransomware.
4. Govind Ramu, 'External Demands,' Quality Progress, April 2016, pp. 50-51.
Govind Ramu is senior director of global quality management systems at SunPower Corp. in San Jose, CA. He is a licensed professional engineer from Ontario, Canada. He also is the chair of the U.S. Technical Advisory Group to International Organization for Standardization Technical Committee 176, subcommittee 1 on ISO 9000:2015 standards. Ramu is an ASQ fellow, ASQ Crosby Medal recipient and holds six ASQ certifications: manager of quality/organizational excellence, engineer, Six Sigma Black Belt, auditor, software quality engineer and reliability engineer. He is a regular contributor to QP’s Expert Answers department, author of The Certified Six Sigma Yellow Belt Handbook (ASQ Quality Press, 2016), co-author of The Certified Six Sigma Green Belt Handbook, second edition (ASQ Quality Press, 2015) and a contributing author of The Lean Handbook (ASQ Quality Press, 2012).
What is covered under ISO 27001 Clause 9.3?
It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be pre-planned and held often enough to ensure that the information security management system continues to be effective and achieves the aims of the business. ISO itself says the reviews should take place at planned intervals, which generally means at least once per annum and within an external audit surveillance period. However, with the pace of change in information security threats, and a lot to cover in management reviews, our recommendation is to hold them far more frequently, as described below, and to ensure the ISMS is operating well in practice, not just ticking a box for ISO compliance.
What is the purpose of the ISO 27001:2013 Management Review?
The value of the information security management system (ISMS) Management Review is often underestimated. Some may look at it as a tick-box requirement that needs to take place purely to meet ISO 27001 requirement 9.3. However, to really ‘live and breathe’ good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation’s purpose, issues, and risks around the information assets. These will previously have been addressed within 4.1 the organisation and its context, 4.2 the requirements of interested parties, 4.3 scope of the ISMS, and 6.1 for the risk management work.
The work leading up to and around the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
What should be included in the ISO 27001 Management Review?
The management review must at a minimum follow a standard format that covers the requirements of clause 9.3 of ISO 27001:2013. These are outlined below. In addition, the organisation may wish to include other compliance regimes in the review, such as Cyber Essentials, ISO 9001, and other good practices, to facilitate effective reviews and informed decision making. It can even tie the 9.3 information security aspects onto broader senior management meetings or formal Board meetings. Either way, it needs to document the results and actions from the reviews.
For organisations that are in the implementation phase of their ISMS, we also recommend they conduct management reviews weekly as part of a good practice building habit, and include implementation lessons, next period goals and issues alongside those elements of the formal management agenda that can be covered off. External auditors really like to see the organisation embrace the spirit of the management review and like to see effectiveness from planning and implementation work, which also fits into the requirements for clause 7.5 and clause 8 for operation.
The formal ISO 27001 management review 9.3 agenda should include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
- nonconformities and corrective actions;
- monitoring and measurement results;
- audit results; and
- fulfillment of information security objectives.
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
You might also want to add an additional point g) Agree on Audit Focus for Coming Period. This is optional if you are an agile organisation and not able to fully specify the whole audit programme and plan too far in advance. However, bear in mind that some external auditors want more clarity over the whole programme for the certification cycle!
The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Who should attend the ISO 27001 management review?
Considering the above, it is clear to see that, given due consideration, the ISO 27001 management review is an indispensable tool for ensuring the ISMS continues to be effective in helping the organisation achieve its intended outcomes from its information security investments.
For the ISMS to be effective in an organisation, it needs senior management commitment and, as such, it makes sense for the members of an ISMS 'Board' to have authority in matters pertaining to information security. Typically an ISMS Board might include the Chief Information Security Officer (CISO) and other senior management, along with the representatives managing the ISMS in practice. Roles around information security do not need to be full time or exclusive, but they do need clarity in roles, responsibilities and authorities, as outlined in clause 5.3. Having an ISMS Board helps that process too.
What is the ideal management review frequency for ISO 27001 clause 9.3?
There is a minimum requirement to conduct a management review once a year, and more frequently if there are any material changes that could affect information security and the ISMS. However, the frequency will be defined by management’s need to monitor the success of the ISMS. There is also a danger that the greater the interval, the greater the work involved in reviewing the previous period. A longer interval also increases the risk that a failure in the ISMS is not identified promptly.
For that reason, we’d recommend monthly, bi-monthly, or even quarterly if your ISMS is quite stable. Certainly, management reviews must take place at planned intervals to ensure the ISMS remains ‘suitable, adequate and effective’.
For those seeking ISO 27001 certification of their ISMS, it’s also important to note there is a requirement to evidence, during the Stage 1 desktop audit, that the regular reviews are taking place.
We suggest weekly management reviews before the Stage 1 audit, as this will keep your implementation project on track, build the habit, and within one month you will have built up enough evidence, using the easy Management Review programme in the platform, to satisfy the auditor and get into the groove for future reviews.
How should you manage communications and actions following ISO 27001 management reviews?
Historically, a management review might involve circulating by email, in advance, the meeting invitations, the agenda, the evidence and reports for review (or to support the review), and the previous items that required action – multiple copies of… During the review, notes are taken of the findings for subsequent writing up and distribution. Areas identified for corrective actions and improvements will also need to be documented and tasked to the individuals who will be responsible for completing these actions. At each step, evidence must be retained to satisfy an external auditor that the review and its processes are taking place and are effective. That’s a lot of emails, a lot of planning and a lot of evidencing!
Imagine an online management review programme that made it simple to set up your ISMS Board team, simple to schedule reviews and follow a standard agenda, simple to link to previous reviews and see all the information needed, and simple to assign and track tasks, corrective actions and improvements.
You’re imagining ISMS.online; it makes managing your complete ISMS simple, including the management reviews for information security.
Bring everything together in one secure, online environment where you can collaborate with colleagues, capture the required evidence just once and easily navigate to it before, during and after the review. You’ll also want to see all the ISMS insight and activity in one place: the clusters, reports and insight workspace is easy to see in overview and then click through to the detail.
You don’t even need all management review members to be together in one place…conduct it online to save travel time and expense!
Ready to take action?
Discover how ISMS.online can help you achieve or improve on your ISMS objectives
The ISO 27001 requirements are listed below:
- 4.1 Understanding the organisation and its context
- 4.2 Understanding the needs and expectations of interested parties
- 4.3 Determining the scope of the information security management system
- 4.4 Information security management system
- 5.1 Leadership and commitment
- 5.2 Information Security Policy
- 5.3 Organizational roles, responsibilities and authorities
- 6.1 Actions to address risks and opportunities
- 6.2 Information security objectives and planning to achieve them
- 7.1 Resources
- 7.2 Competence
- 7.3 Awareness
- 7.4 Communication
- 7.5 Documented information
- 8.1 Operational planning and control
- 8.2 Information security risk assessment
- 8.3 Information security risk treatment
- 9.1 Monitoring, measurement, analysis and evaluation
- 9.2 Internal audit
- 9.3 Management review
- 10.1 Nonconformity and corrective action
- 10.2 Continual improvement
The ISO 27001 Annex A Controls are listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
Need ISO 27001 policies and controls for your ISMS?
ISMS.online includes practical policies and controls for your organisation to easily adopt, adapt and add to, giving you up to a 77% head start with ISO 27001 documentation.