Saturday, May 31, 2014

Review of the information security policy

Control
The information security policy should be reviewed at planned intervals or if significant changes
occur to ensure its continuing suitability, adequacy, and effectiveness.

Implementation guidance
The information security policy should have an owner who has approved management responsibility
for the development, review, and evaluation of the security policy. The review should include
assessing opportunities for improvement of the organization’s information security policy and
approach to managing information security in response to changes to the organizational environment,
business circumstances, legal conditions, or technical environment.

The review of the information security policy should take account of the results of management
reviews. There should be defined management review procedures, including a schedule or period of
the review.
The input to the management review should include information on:
a) feedback from interested parties;
b) results of independent reviews;
c) status of preventive and corrective actions;
d) results of previous management reviews;
e) process performance and information security policy compliance;
f) changes that could affect the organization’s approach to managing information security,
including changes to the organizational environment, business circumstances, resource
availability, contractual, regulatory, and legal conditions, or to the technical environment;
g) trends related to threats and vulnerabilities;
h) reported information security incidents;
i) recommendations provided by relevant authorities.
The output from the management review should include any decisions and actions related to:
a) improvement of the organization’s approach to managing information security and its
processes;
b) improvement of control objectives and controls;
c) improvement in the allocation of resources and/or responsibilities.
A record of the management review should be maintained.
Management approval for the revised policy should be obtained.