
PROCEDURE FOR MANAGEMENT REVIEW

Version: 0.1

Created by: Abdulkarim Shahoud

Valantina Jameel Dinha

Approved by: Darwish Mashlah

Date of version: 18/09/2022

Signature:

Change History

Date        Version   Created by                                    Description of change
18/09/2022  0.1       Abdulkarim Shahoud, Valantina Jameel Dinha    Basic document outline
Page 1 of 7
Greyhound

Table of contents

1. PURPOSE, SCOPE AND USERS ..... 3
2. REFERENCE DOCUMENTS ..... 3
3. CONDUCTING MANAGEMENT REVIEW ..... 3
   3.1. MANAGEMENT REVIEW METHODS ..... 3
   3.2. PERIODIC MANAGEMENT REVIEW ..... 3
        3.2.1. Review Input ..... 4
        3.2.2. Additional management review ..... 6
   3.3. REVIEW OUTPUT ..... 6
4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT ..... 7
5. APPENDICES ..... 7


1. Purpose, scope and users


The purpose of this procedure is to ensure a systematic and periodic review of the Information Security Management System (ISMS) by the CEO, in order to evaluate opportunities for improvement and the need for changes, including changes to the Information Security Policy and the Information Security Objectives.

This procedure applies to all processes within the ISMS.

Users of this document are the CEO and the Senior Solution Manager of Greyhound.

2. Reference documents
- ISO 27001:2013 standard, clause 9.3
- Procedure for Determining Context of the Organization and Interested Parties
- Procedure for Addressing Risks and Opportunities

3. Conducting Management review


The CEO and the Senior Solution Manager conduct the management review.

3.1. Management review methods

The management review can be conducted in the following ways:

- Meetings with a previously defined agenda, proceedings and formally determined actions
- Phone or internet conference
- Partial reviews at different levels of the organization, with reporting to top management, which conducts the final review on the basis of the gathered data
- Considering elements that provide a global view of the system, rather than minor and irrelevant problems

3.2. Periodic management review

The HR supervisor organizes the meeting with mid-level management. Other members of staff are invited to participate in this review as appropriate.

The objective of the review will be to ensure continued information security:

1. Suitability – The quality of having properties that are right for the specific purpose. An
information security management system should be able to sustain the current performance
levels of the organization, utilizing an acceptable number of organizational resources.
2. Adequacy – Sufficient to satisfy a requirement or meet a need. An information security
management system should be capable of satisfying applicable requirements, including those
specified by the organization, the customer, and any applicable standards and/or regulations.
3. Effectiveness – Adequate to accomplish a purpose; producing the intended or expected
result. An information security management system should enable the organization to meet
its own needs, those of the customer and those of other interested parties.


4. Alignment with strategic direction of the organization – A course of action that leads to the
achievement of the goals of an organization's strategy. The ISMS should be incorporated into
all activities of the organization and aligned with the strategic direction of the organization.

3.2.1. Review Input

As a minimum, the following information and data are presented during the management review:

- Changes in internal and external issues

Top management must consider changes in the external and internal context of the organization, determine whether any changes have occurred, and plan further actions to address them.

- Internal and external audits and compliance obligations

The Senior Solution Manager presents the results of internal and/or external ISMS audits. This includes summaries of results for the cycle, the frequency of audit findings against specific elements of the ISMS, and discussion of particularly important findings.

- Communication(s) from external interested parties, including:
  - Announcements from external parties and the organization's response
  - Announcements released by the organization
  - Complaints from interested parties
  - Customer satisfaction
  - Customer complaints
  - Results of customer visits/audits

SDM presents summaries of customer feedback and complaints, including analysis of trends for specific categories, customer satisfaction data and trends.

SDM highlights any changes in internal and external issues relevant to the ISMS, in the needs and expectations of interested parties, in significant information security aspects, in risks and opportunities, and in service delivery, process, capacity or other operational or organizational matters that affect the ISMS, and proposes specific actions to update or modify the system in response to these changing circumstances. This might also include external changes such as a new legal requirement coming into force.

- Results of participation and consultation

Participation includes the involvement of employees in recommending controls, improvements to the ISMS, reorganization, new processes, procedures or work patterns, etc.

For consultation with external parties, the organization should consider factors such as:
  - changes in emergency arrangements
  - hazards that can impact neighbors, or hazards from neighbors
  - changes in legal or other requirements


- Performance of external providers

Top management must review the performance of external providers, including suppliers and subcontractors, according to the results of the evaluation of suppliers conducted

- Status of nonconformities, corrective actions and incident investigations

SDM presents the highest-risk nonconformities and the corrective actions that were implemented, as well as the incident investigations carried out during the period and the status of pending actions.

- Follow-up actions from previous management reviews

SDM reports on the status of action items from previous meetings. Items that have not been completed are carried forward as continuing actions and are recorded as such in the minutes.

- Changes that affect the quality system

SDM highlights any service delivery, process, capacity or other operational or organizational changes that affect the ISMS and proposes specific actions to update or modify the system in response to these changing circumstances. This might also include external changes such as a new legal requirement coming into force.

- Adequacy of resources

Top management must ensure that adequate resources are allocated to each of the planned activities.

- Effectiveness of actions taken to address risks and opportunities

Top management must review the effectiveness of actions taken to address risks and opportunities and initiate corrective actions where needed to achieve the intended outcomes.

- Recommendations for improvement

The Senior Solution Manager presents data demonstrating progress toward the continual improvement goals and reviews current and completed improvement projects.

- Information security policies and objectives

Information security objectives established for the review period are systematically evaluated to assess progress:
  - Objectives that have been achieved may either be upgraded to a higher performance level or be closed out to free resources for improvement in another area.
  - When objectives are not achieved on time, the review investigates and determines the causes for failing to achieve them.
  - Depending on the nature of the objective and the causes for failing to achieve it, Senior Management may decide to drop the objective, reduce its scope or level, reassign responsibilities and/or allocate additional resources, or extend the due date for achieving the objective.
  - Any decisions regarding ISMS objectives are recorded in the minutes of the review.
  - New objectives are established where necessary to improve performance in order to fulfill the quality policy or other organizational goals or aspirations.
  - New objectives are documented in the minutes of the review.

The Senior Solution Manager reviews the information security policies to ensure their continuing relevance. The information security policy is changed when the goals expressed in the policy have been achieved, or when changes within or outside the organization render the policy inadequate or inappropriate.

3.2.2. Additional management review

The Senior Solution Manager conducts an additional management review in the following situations:

- Major non-conformities in operating and maintaining the ISMS
- Sudden disturbances in markets (changes in legal and regulatory requirements, unexpected actions of competitors, etc.)
- Changes in legal and regulatory requirements
- Changes in activities, processes, products and equipment
- Significant complaints from clients and third parties
- Information security incidents

3.3. Review Output

Output from the management review process includes decisions and actions related to:

- Improvement of the effectiveness of the ISMS and its processes
- Improvement of products in relation to customer requirements
- Any need for change in the ISMS
- Resource needs
- Requests for corrective action
- Records of the results and actions from the evaluation of suppliers
- Actions taken to promote supplier process monitoring
- The Information Security Management System Policies
- The Information Security Management System Objectives

SDM documents the following in the Management Review Minutes:

- Action items, highlighted so that they are easily identifiable
- The assignment of responsibility for each action item
- The timeframe and the allocation of resources for implementing each action item

Upon complete review of all inputs and generation of the outputs, management will determine the continued suitability, adequacy and effectiveness of the ISMS.


4. Managing records kept on the basis of this document


Record name                Storage location   Retention time   Responsibility
Management Review Minutes  IT office          2 years          SDM

5. Appendices
- Appendix 1 – Management Review Minutes
