An organization that has an ISMS in place conducts management reviews at planned intervals, but does not retain documented information on the results. Is this in accordance with the requirements of ISO/IEC 27001?
A. Yes. ISO/IEC 27001 does not require organizations to document the results of management reviews
B. No, ISO/IEC 27001 requires organizations to document the results of management reviews
C. Yes. ISO/IEC 27001 requires organizations to document the results of management reviews only if they are conducted ad hoc
According to ISO/IEC 27001:2022, clause 9.3.3, the organization must retain documented information as evidence of the results of management reviews. The results of management reviews must include decisions and actions related to the ISMS policy, objectives, risks, opportunities, resources, and communication. Documenting the results of management reviews is important to ensure the accountability, traceability, and effectiveness of the ISMS. It also helps the organization to monitor and measure the performance and improvement of the ISMS, and to demonstrate compliance with the requirements of ISO/IEC 27001:2022. Therefore, an organization that has an ISMS in place and conducts management reviews at planned intervals, but does not retain documented information on the results, is not in accordance with the requirements of ISO/IEC 27001. (From the PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107)
References:
PECB ISO/IEC 27001 Lead Implementer Course Manual, page 107
PECB ISO/IEC 27001 Lead Implementer Info Kit, page 7
ISO/IEC 27001:2022 (en), Information security, cybersecurity and privacy protection — Information security management systems — Requirements, clause 9.3.3