CISSP考试指南笔记：6.5 管理评审

A management review is a formal meeting of senior organizational leaders to determine whether the management systems are effectively accomplishing their goals.

While management reviews have been around for a very long time, the modern use of the term is perhaps best grounded in quality standards such as the ISO 9000 series. These standards define a Plan-Do-Check-Act loop.

The Plan phase mostly maps to the material in Chapter 1. This phase is the foundation of everything else we do in an ISMS, because it determines our goals and drives our policies.

The Do phase of the loop is covered in a variety of places, but is the focal point of Chapter 7.

The Check phase is the main topic of most of this chapter.

Lastly, the Act phase is what we formally do in the management review.

The management review, unsurprisingly, looks at the big picture in order to help set the strategy moving forward.

When communicating with senior executives, it is important to speak the language of the business and to do so in a succinct manner.

Before the Management Review

The management review should happen periodically. The more immature the management system and/or the organization, the more frequent these reviews should take place.

The frequency of the meetings should also be synchronized with the length of time required to implement the decisions of the preceding review.