Management Review Procedure
- Document ID: PROC-005
- Document owner: Jan Marc Castlunger (ISO)
- Classification: Confidential
- Version: 1.0
- Approved: March 2026
- Next review: March 2027
- Frameworks: ISO 27001 (9.3) | SOC 2 (CC1.2, CC4.2)
1. Purpose
This procedure defines the management review process for the ISMS. Management reviews ensure the ISMS remains suitable, adequate, effective, and aligned with the organisation's strategic direction.
2. Scope
The management review covers all aspects of the ISMS including policies, risk treatment, control effectiveness, audit results, incidents, compliance status, and improvement opportunities.
3. Review Schedule
| Review Type | Frequency | Attendees |
|---|---|---|
| Full management review | Annually (March) | Jan Marc Castlunger (ISO), Sebastian Windeck (DPO / CTO), Malte Toetzke (Chief of AI) |
| Interim review | As needed (triggered by significant events) | Jan Marc Castlunger (ISO) + relevant parties |
4. Review Inputs
The following inputs must be prepared and circulated 2 weeks before the review:
| # | Input | Source | Prepared By |
|---|---|---|---|
| 1 | Status of actions from previous management review | Previous review minutes | Jan Marc Castlunger (ISO) |
| 2 | Changes in external/internal context | Business changes, regulatory updates | Jan Marc Castlunger (ISO) |
| 3 | Information security performance metrics | Monitoring data, KPIs | Jan Marc Castlunger (ISO) |
| 4 | Audit results (internal and external) | Audit reports | Jan Marc Castlunger (ISO) |
| 5 | Incident summary and trends | Incident register | Jan Marc Castlunger (ISO) |
| 6 | Corrective action status | CA log | Jan Marc Castlunger (ISO) |
| 7 | Risk assessment and treatment results | Risk Register | Jan Marc Castlunger (ISO) |
| 8 | Feedback from interested parties | Customer complaints, regulatory feedback | Sebastian Windeck (DPO) |
| 9 | Supplier review summary | Supplier Register | Sebastian Windeck (DPO) |
| 10 | Opportunities for improvement | All participants | All |
| 11 | Resource requirements | Budget, staffing, tools | Jan Marc Castlunger (ISO) |
| 12 | SOC 2 compliance status | TSC mapping review | Jan Marc Castlunger (ISO) |
5. Review Outputs
The management review must produce documented decisions on:
| # | Output | Action |
|---|---|---|
| 1 | Improvement actions | Specific actions with owners and deadlines |
| 2 | Changes to the ISMS | Policy updates, scope changes, resource allocation |
| 3 | Risk treatment decisions | New risks accepted, treatments modified |
| 4 | Resource needs | Budget approvals, tool procurement, hiring |
| 5 | Updated objectives | Security objectives for the next period |
6. Review Process
- Preparation (2 weeks before): the ISO collects all inputs and distributes them to attendees
- Meeting: Structured discussion following the agenda items in Section 4
- Documentation: Minutes recorded using the Management Review Minutes Template
- Actions: All actions are assigned owners and target dates
- Distribution: Minutes distributed to all attendees within 5 business days
- Follow-up: Actions tracked at the next review or via interim check-ins
7. Performance Metrics
The following KPIs are reviewed at each management review:
| Metric | Target | Measurement |
|---|---|---|
| Security incidents (P1/P2) | 0 per year | Incident register |
| Mean time to detect (MTTD) | < 24 hours | Incident records |
| Mean time to respond (MTTR) | ≤ 12 hours | Incident records |
| MFA compliance | 100% | Azure AD / Google Admin |
| Overdue corrective actions | 0 | CA log |
| Training completion | 100% | Training records |
| Backup restore success rate | 100% | Test records |
| Audit findings (major) | 0 outstanding | Audit log |
8. Records
Management review minutes are retained for 3 years in Google Drive > Security > Management Reviews.
9. Review
This procedure is reviewed annually alongside the management review itself.
Approved by: Jan Marc Castlunger (CEO / ISO), CTW Data Solutions GmbH
Date: March 2026