Note – Opexo is now part of ISMS.online
Addressing risks and conducting management reviews
Risk management is a major part of ISO standards achievement and you have to be very specific in this area. Our Risk methodology policy is 100% complete and can be adopted quickly from within clause 6.1 of the core requirements. As it is a document-based policy you can also find it quickly off the documents tab in the policy and controls area. Please read it to optimise your approach to this area.
The accompanying Risk tool described in the methodology can be accessed from clause 6.1 too and directly from your homepage using the favourite that was already added for you. We recommend you add risks as you are building your system and evaluate them as you go. If you are resource constrained, fewer better described risks with clear treatment are better than having hundreds of poorly described and unmanaged risks.
The aim in this work is to demonstrate you are on top of the risk and are treating or terminating risks, or have policies, controls and work in place to ‘tolerate’ the residual risk. Actually adding risks, evaluating them and categorising them is very simple as the fields are all there for you to adopt. For example you must have owners, show what the risk relates to, have review dates etc. Opexo has all that.
Once you have evaluated the risk and mapped it, there are two broad approaches for showing your risk treatment:
- Using the specific risk treatment environment to capture tasks, notes, upload specific documents to show work going on. This is great for where you are transferring or terminating risks, and don’t need any ongoing policies or controls per se – or
- Using the Linked Work feature where you associate Risks with Policies, Controls, Assets, Audits and other work on the platform. Click Add Linked Work and search for the area you want to link to. This feature also avoids duplicating the effort of writing up the risk treatment if it’s obvious from what you have linked it to!
Tip: For ISO 27001, all Annex A controls used should have a related risk. By linking them together you can effectively demonstrate this to the auditor and see the two-way effect, i.e. your risk will show what policies are in place to treat and tolerate the risk, and when in a policy’s area, the linked risk will remind you why you have the policy too!
Risk management is easy to forget for busy executives who are not full-time focused on this area. As such opexo includes automated alerts and reminders of risks coming up for review and includes visually attractive maps and tables for you to quickly focus on the threat and opportunity.
If you are looking to achieve an independent ISO certification, showing that leadership is involved is essential for success. 9.3 in the core requirements lays out the standard agenda required by ISO for your management reviews. opexo comes with a pre-built area for showing your management meetings are taking place and follow the prescribed 9.3 agenda (Tip – this is a frequent failure topic for organisations so we have made it really easy to follow!)
You’ll find the management review board area connected in 9.3 of your policies and controls project as well as easily accessed off the main menu ‘all work’ listing. ISO states you need to do regular management reviews. This could be at least once a year, but we recommend you do it much more regularly, little and often to build the habit and make better decisions more frequently as your organisation evolves.
If you are implementing your first management system we recommend you do short reviews weekly and summarise your progress, highlights/lowlights, lessons and learning, in addition to as much of the standard agenda in 9.3 as your implementation allows i.e. if you have not done risk work at that stage you’ll not have any risks to consider! As your management system matures you might want to move to monthly, bi-monthly, quarterly depending on the pace and change in your organisation/sector.
The Management Review Board project structure is similar to the policies and controls project area where each activity reflects the actions, records and work done around a management review. Tips on keeping management reviews simple and pragmatic include:
- Document the (pithy) minutes of the meeting using the notes section (unless you have big documents to upload and share)
- Make sure you closely mirror the agenda for 9.3 (a copy of the agenda is in the tools tab of the management board project too)
- Assign actions out as tasks and track progress – or simply link to key areas of the platform to show it is in control, e.g. linking to the corrective actions tracker will show you the status of those at every meeting – so no need to separately duplicate effort. It’s the same with all the other areas – avoid writing for the sake of it and show you are in control with links to the relevant parts of the platform
- Reach decisions and make progress outside of face to face meetings using discussions – you’ll be pleased to avoid wasting time in meetings when you can get work progressed in discussions
- Complete (and mark as completed) the last management review as the first action in the next management review. That way you show you are reviewing past reviews and actions
Working in this way lets you clearly demonstrate your good governance of the management system. Auditors will love it and you’ll run a better organisation as a result too.
Next Steps – Living and Breathing your Management System
This brief set of guides has been written to get you started with your management system: making progress in your policies and controls, addressing risks and ideally conducting at least one of those early management reviews. This is the minimum you’ll need to make progress beyond a stage 1 audit. Ideally you’ll also have started to live and breathe the system and demonstrate it working in practice.
You won’t pass a stage 2 audit without your whole management system working in practice. So beyond being 100% in your policies and controls you’ll want to make sure that all your staff, systems, processes, products and locations in scope are demonstrating they are following the policies and controls relevant to them. That means you’ll be able to prove it by having done your internal audits in line with 9.2 (captured simply but effectively within your internal audit work area) and being ready for the external auditor to ask them questions or see their behaviour mirrors your policies (it’s another reason why you must make sure that the policies reflect your real life needs!)
As you bring your management system to life you should be adopting the following areas in opexo too (or using alternative systems), demonstrating you live and breathe the ongoing management:
- Showing nonconformities, corrective actions and improvements are being done
- Staff engagement and communication is going on and people are complying (using groups if on opexo, or other systems if not)
- Good HR controls where appropriate for recruitment & screening, change of role and exit (especially for ISO 27001)
- Objectives measurement is happening (if not using opexo simple KPIs then have your objectives measured and linked as part of your management reviews)
- Supply chain management is working (if not using opexo’s accounts feature to capture contracts and contacts then make sure you have them controlled elsewhere if you are relying on suppliers for part of your organisation work)
- As part of identifying your issues in 4.1 you’ll get to consider your information assets – capture and document those in the information asset track and you’ll also comply with A8.1.1
- You’ll need to have considered every Annex A control and if you have considered it applicable then make sure you’ve considered the risks around it – otherwise why have a policy or control if you don’t have a risk? An auditor will drill into that.
- Information security business continuity plan/s are in place
- Information security incidents, events and weaknesses are being managed
- Projects that involve personal data and other information assets are following the approaches outlined for GDPR and A6.1.5
- Your Statement of Applicability is accurate and reflective of the controls in place
All of these areas are much much simpler with opexo!
Congratulations! Now is the time for opexo to make life even easier for you. Set review dates when you approve policies or manage risks and opexo will remind you when it’s time to look at those areas again. Remember, all ISO standards want to see continual improvement: add ideas to improve your business or the management system to the Incidents, Nonconformities, Actions & Improvements area and keep on documenting your management reviews in the Management Review board.
Finally, let us know about your successes and challenges too; we are happy to help where we can and are always keen to keep improving ourselves. After all, we have ISO standards to retain as well!