How I Built a Security & Compliance Reporting Process

[UPDATED 2023-MAY-31: Just did our closing meeting ISO 27001 Audit and the auditor accepted this process for this requirement, so it looks like we will be continuing this next year.]

To get around holding the ISMS Executive Meeting only once a year and still cover the effectiveness of internal controls, I thought: why don't Security & Compliance just produce a report that covers the effectiveness and performance of internal controls, documents corrective actions and areas of opportunity, and have executive leadership review that report at the end of every quarter and sign off on it?

ISO criteria that need to be covered for the meeting

Meeting notes should be related to the assessment of the effectiveness and performance of internal controls within the environment including, but not limited to, the following:

  • The status of actions from previous management reviews
  • Changes in external and internal issues that are relevant to the information security management system
  • Feedback on the information security performance (e.g. nonconformities/corrective actions, monitoring/measurement results, audit results)
  • Opportunities for improvement

This report was labeled "Restricted", but I have redacted all restricted information.