The Crucial Role of Management Review in Cybersecurity Governance | Interview with Carlos Cruz
Dejan Kosutic: Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today's guest is Carlos Cruz. He is the founder of a consulting company called Metanoia, based in Portugal, and he's also the main ISO 9001 and ISO 14001 expert at Advisera.
Dejan Kosutic: He's been in the consulting business for thirty-five years, so a very, very long time already, and has performed, you know, over 100 consulting jobs, and amongst other things he has lots of experience with management reviews, because obviously he helped these companies perform management reviews as well. In this podcast, you'll learn what the best practices are to perform a management review, not only for ISO 9001, but also for ISO 27001, and also for other cybersecurity frameworks. Another thing is, this is actually the first-year anniversary of our podcast, and actually the first guest on this podcast was exactly Carlos. So welcome back, Carlos, to this first-year anniversary of the Secure and Simple podcast.
Carlos Cruz: Thank you for having me, Dejan. Second, thank you for having me. Yeah. It's a pleasure to be here, a pleasure to talk to you.
Dejan Kosutic: And, actually, we already had a couple of very good episodes around internal audit and document management, and this management review will also be, I believe, very, very useful for our listeners. So when it comes to the management review, you know, my personal feeling is that most companies do not really understand the purpose of the management review. What do you think? What is your feeling?
Carlos Cruz: I think so too. I think that many companies see the management review as just a kind of taking a big picture of the past. Okay? Making a report and that's it. And they present the report and that's it.
Carlos Cruz: It's like a gigantic photo, okay, because of the large number of topics regarding the inputs for the management review, a gigantic photo of what the organisation was last year. And I think, yeah, I think that the standard doesn't help, okay, because the standard invites that kind of behaviour. But I think that a good management review should answer that first topic: what are the conclusions regarding whether the system is suitable, adequate and effective? And after that, looking into the future.
Carlos Cruz: So where do we want to go in the next twelve months? What resources do we need? What kind of improvement do we need to do? What kind of risks and opportunities, okay, during the next year? So I think we need that look into the future.
Carlos Cruz: When I do the webinars with Advisera on the management review, I like to use a metaphor. I like to use the image of a Roman god, Janus; the name of the month of January comes from Janus. And Janus was a god with two heads. One old face looks into the past, and the young face looks into the future, because Janus was the god of gates, transitions, bridges.
Carlos Cruz: It's actually the bridge between the past, then the present, or the context, what is happening today, and then looking to the future. And that part of looking into the future, I think sometimes I don't see that part in management reviews.
Dejan Kosutic: Yeah, I agree with you. I mean, this I would say is one problem. I also see another problem, that companies see this only as a kind of compliance task that they have to tick off, that they have done it, and they really don't use it in some useful way. That's also, I would say, another problem. Yeah.
Dejan Kosutic: Okay. Now let's take a look at this as you described it. So looking into the past, what exactly should a company look for in the past when doing a good management review, and what should they look towards in the future?
Carlos Cruz: The standards, okay, either ISO 27001 or ISO 9001, are very prescriptive. They list several topics as the management review inputs. So I like to use those inputs to take the picture of what our behaviour was, the behaviour of the management system, the performance of the management system. So that's one topic.
Carlos Cruz: And then, based on that, we have issues with our management system in terms of, okay, if most of our objectives are not achieved, we cannot say that the system was effective, okay? Or if there is a particular area of the management system that needs improvement. So, for example, if systematically people don't do corrective actions in a reasonable time, okay, perhaps we need to do something in terms of training, or some kind of resources, or whatever needs to be studied. So we use the inputs to take that picture of the organization's performance, or the management system's performance.
Carlos Cruz: It's a kind of using the raw data from the management system, then doing the analysis, okay, through trend analysis, graphics, some tools that we can use, and trying to transform that raw data into insights. Yeah, into insight, into meaning. So that top management can make decisions about the future of the organization. The future is, as I said, about the need for improvement, the need for changes, the need for resources.
Carlos Cruz: Do we need to review our objectives? Do we need to review our policy? Not forgetting a formal conclusion about the suitability, adequacy and effectiveness of the management system. Okay.
Dejan Kosutic: Okay. And why is it that the senior management has to do the management review? Why isn't it, let's say for ISO 27001, why doesn't the security officer do the management review, and rather it needs to be the senior management?
Carlos Cruz: So I believe with ISO 27001 it's the same clause, clause 5.1 about management commitment. So we are evaluating the performance of the management system, we determine objectives for the future, and those objectives, to achieve or to improve performance or to achieve new objectives, will need resources. Okay? We'll need to make the statements regarding, should we go this way or should we go that way? And without top management present, I would say that it's almost a waste of time, at least for some topics, because if they are not there, at some moment the person that, you know, now no one uses cheques, but the person that signs the cheque needs to sign the cheque.
Carlos Cruz: And when they're going to sign the cheque, they say, what is this? What is this about? Okay? And when you have surveillance audits, okay, or the certification audit, but surveillance audits, if the certification auditors realize that no one from the top management team could attend the management review, that's not a good sign. Okay? That's really not a good sign.
Dejan Kosutic: Yeah. Okay.
Dejan Kosutic: But I mean, is this reason of, okay, providing resources, why the senior management needs to be there? There is a compliance obligation from any of these ISO standards. They don't require the senior management. Is there anything else that is actually crucial for senior management to actually do the management review?
Carlos Cruz: Also, if they are not there... so this is the time of the year, okay, this time of the year is when companies normally do a kind of season's dinner. Okay? The CEO or the owner of the company speaks about, next year will be like this, like this, like that. Quality will be, or information security will be, very important, very important. And people listen, okay.
Carlos Cruz: But people don't really care about what the top management says. What's really important is the top management agenda. Okay? They can say a lot of things, but what is really important is what they are doing. What kind of meetings are they attending?
Carlos Cruz: What kind of challenges are they interested in? These are what people realise, okay: oh, if they attend this, this is important. If they are asking questions about this, this is important. So if top management doesn't care about the management system in terms of, I would say, the most important moment of the management system, okay, throughout the year...
Carlos Cruz: The message is: this is not relevant. This is just marketing. This is just propaganda. This is not really, really important.
Dejan Kosutic: I agree with all that you're saying. From my point of view, I think the management review is also an occasion when companies or senior management actually have to connect this particular activity, I mean, let's say cybersecurity, with their company strategy. Right? Because cybersecurity doesn't exist for itself. I mean, it actually serves the company, the business side of the company.
Dejan Kosutic: And actually the management review is basically a place or a time when the senior management has to see if this cybersecurity really did contribute to the business side of the company, and if yes, how to improve it; if not, what to change. Right? So I see the management review as a crucial place and time, actually.
Carlos Cruz: Yeah. That's a good point. A twist in ISO 9001: so I mentioned suitability, adequacy and effectiveness. ISO 9001 mentions that, and mentions a fourth one that I like very much, which is also the alignment with the strategic direction of the organization.
Carlos Cruz: Yeah. Good point. Good point.
Dejan Kosutic: Okay. Is this management review actually a meeting, or how does senior management normally need to perform the management review? Is this only through a meeting, or are there some other ways to do it?
Carlos Cruz: I like to say that the management review is not just a meeting. Okay? The management review is a process. Okay? At some moment, I would say that most of the companies have a meeting.
Carlos Cruz: Okay? But that's my experience. Okay, but I understand that some companies, or a minority of companies, may have another kind of approach to do the management review. Okay, but that's not my experience.
Carlos Cruz: Okay, my experience is... so I like to see the management review as a process. So at some moment, someone will prepare the information for the management review. What I'm going to say is how I like to work with companies. Okay, so at some moment, we'll have a preparation of the information for the management review. Then a second moment is to study that information.
Carlos Cruz: So participants, people that will attend the management review, should study that management review report, let's call it like that. And then we have the meeting. And the meeting is a place for discussion, decisions, conclusions, not for presentations, okay? Because if you see the people that attend that management review, normally, okay, the high level of the organisation, they are very expensive, and just having a meeting just to present...
Carlos Cruz: Okay. People just watching slides or something like that, no, it's not a good way, not a good practice. So the meeting is for doing what we are good at when we are working in a team. So making decisions, discussing topics, different perspectives, making decisions, conclusions.
Carlos Cruz: Yeah, that. Then we have the follow-up, okay? Where we have the meeting minutes, someone writes the meeting minutes, and then we have the action plans. And then we have the follow-up to check if the actions are really implemented.
Dejan Kosutic: Makes sense. Who actually typically prepares all of these materials?
Carlos Cruz: Normally, in quality and environment, it's the quality manager. Okay. That person collects information; not necessarily that he is the one that collects the raw data, but someone is responsible for monitoring some kind of information. Okay, that person provides the data, but the quality manager is the one that, let's say, is responsible for preparing what I like to call a management review report. Okay?
Carlos Cruz: And for this management review, there are two things that this person prepares for the management review meeting. They prepare the agenda, the agenda of the management review meeting, and the management review report. Okay.
Carlos Cruz: And why is this important? I don't know if I'm going to jump right away, but I like to stress to organizations to see that when we have clause 9.3.2 about the management review inputs, the standards ISO 27001, ISO 9001, ISO 14001, all standards, they use a word there. The word is consider or consideration. Okay? And it's like this.
Carlos Cruz: We cannot have a lot of time from top management for that management review meeting. They don't have time. Okay? So if we intend to have a meeting of three hours or four hours or one morning, they will say, no. No.
Carlos Cruz: No, never. Never. So what I like to advise companies to do is that the management review report includes all the topics in the standard, all inputs that the standard mentions. Everything is there.
Carlos Cruz: But then in the meeting, in the agenda, there are only those topics that need a decision. So if we have a topic like corrective actions and everything is okay, we put in the report how many corrective actions there were, if they are closed or not closed, if they were effective, and so on. And everything is going smoothly, no problem. So in the agenda, we don't need to use any time for that, because there's no need for a decision.
Carlos Cruz: And so the meeting is for those topics that need a decision. Okay? That's how I like to do it. Okay?
Dejan Kosutic: Mhmm. Yeah. And in ISO 27001, in cybersecurity, it's the security officer that prepares these materials. Okay. And from the senior management, who should typically participate?
Dejan Kosutic: Is it the whole senior management team, or only some people from senior management?
Carlos Cruz: Normally it's not the whole management team, okay? But at least one member of the top management team. So normally it's the person that signs the policy. Okay? So there's one member of the top management team that has the responsibility for the management system, and that person is, okay, the person that we expect attends the management review.
Dejan Kosutic: Yeah. Yeah. Actually, my preference is that the whole senior management participates in this. The reason is, if we make a connection between cybersecurity and the company strategy, then this concerns not only the, let's say, chief technology officer or chief information officer; it also concerns the CEO, the CFO, the chief financial officer, I don't know, the operations officer. So basically all of these people are then here to discuss the strategy of the company, which is then underpinned through cybersecurity.
Carlos Cruz: Yeah. That's a good point. When we can do it, yeah, better. Yeah, it's better.
Carlos Cruz: Yeah. Yeah. If the senior management wants to do it, as you point out very well.
Dejan Kosutic: So how do you actually stimulate senior management to see the value of this management review, and to participate willingly and to see some benefit out of it?
Carlos Cruz: So with that kind of preparation that I mentioned, about just focusing on the decisions and avoiding presentations. So it's a kind of a message that they are not there just to listen. Okay? They are there to decide. Okay?
Carlos Cruz: And they are there. So the meeting is much more alive, because we avoid presentations as much as possible. It's just decisions. Okay, we have this issue. So, we have this issue.
Carlos Cruz: We need to arrive at the decisions regarding this. So, it's more alive. And then, I had that experience when I was a young chemical engineer, quality manager at a chemical company. I was in a very good company in terms of, I could say, whatever. It was a Danish company, free to speak about. And I remember I was always making my reports, my monthly reports, saying that we had problems with quality, problems with quality.
Carlos Cruz: But when the general manager went to the warehouse, he saw that everything was sold. We sold everything. Okay? Because we could sell the product at top grade, we could sell the product at low grade, even off-grade.
Carlos Cruz: Even the product that fell onto the floor, we could clean the floor and that product could be used to make carpets for buses. This was at the end of the 80s, the beginning of the 90s. So when the top management or the general manager was going to the warehouse, no product was there, and he said, oh, Carlos is always exaggerating, he's very young. And one day I translated that; instead of mentioning off-grades and so on, I translated that into numbers, okay, into money. Okay?
Carlos Cruz: So I said, we sell 100 tons of the product. If all the product was top grade, okay, what was the average price of the year for top grade? Let's say, okay, 10. Okay.
Carlos Cruz: 100 times ten, one thousand. What were our sales? Okay. For example, 820. Where are the other 180?
Carlos Cruz: Okay. Because of low quality problems. And I remember. I remember. That gentleman is already dead, but I remember he ran the numbers and said to me, Carlos, you never told me this.
Carlos Cruz: And I said, my eyes were... I'm always saying this to you, but not in this language, not with this language. And let me say, using the language of quality, it is the quality manager's responsibility to make this translation. In the information security world it will be the same. So translate this into a language that management can understand. Okay?
Carlos Cruz: Into numbers. Something they can relate to. Finance, lost customers, lost business, something that they can relate to. Just yeah. Just being nice.
Dejan Kosutic: No. No. It's a very good point. And in your opinion, how often should this management review be performed? I mean, it should be at least once a year, but that's probably not often enough.
Dejan Kosutic: Right? So what is kind of the optimal cadence for doing the management reviews?
Carlos Cruz: Many companies do it once per year, and I don't think that's reasonable, okay? That's not good governance. That's wishful thinking, okay? So what I recommend to organisations is to have one, let's say, extraordinary management review where we, for example, decide whether our policy is still valid, still updated, what our management system objectives for the future will be, and then have quarterly meetings just for follow-up. And when we do that, okay, particularly with big companies, okay, when we have big companies, it's a fantastic workload to do everything in just one meeting.
Carlos Cruz: For the person responsible for doing that, it's too much work, okay? Yeah. And so, when we have more than one management review per year, we can spread the topics throughout the year. Of course, we can speak about some topics in all meetings because they are very important, but other topics we can see only once per year, for example, management system internal audits, okay? We see that in one meeting, and okay, we don't need to check that in all the meetings. But I like to do that because in the management review we use the information from the past; we are looking into the rearview mirror.
Carlos Cruz: And just only once per year.
Dejan Kosutic: Doesn't sound right.
Carlos Cruz: That doesn't sound right. Yeah.
Dejan Kosutic: Actually, for ISO 27001, I recommend companies to do this once a month. Right. It's kind of, especially because cybersecurity is really fast-moving. Yeah. Yeah.
Dejan Kosutic: Yeah. Yeah. And yeah, once a month is, I would say, much more appropriate.
Dejan Kosutic: And do you think that this management review should be, let's say, a separate meeting just for that purpose? Or could it be, let's say, one of the topics at the regular meetings of the senior management? Yeah.
Carlos Cruz: Whenever possible, I would like to include the management review in the normal way that the organisation works. Okay. Some companies say to me that yes, we will include that in our normal management review, okay, it's not necessarily about the standard, but we will have separate minutes, because they have issues regarding confidentiality and, okay, we don't want auditors to see some things, and so on. Okay.
Carlos Cruz: But the good practice should be that it's part of the way the organization is managed. Yeah. Yeah.
Dejan Kosutic: Yeah. Yeah. Well, I fully agree with you. I mean, the more you can actually make it part of their regular normal activities, the more they will see this as something valuable, and the more, you know, the management system will really be integrated into everything that the company is doing. Yeah.
Dejan Kosutic: So I fully agree with you. And, yeah, you mentioned at the beginning of our discussion today that there is this, let's say, looking into the past part, but there is also this looking into the future. So what exactly is this part of looking into the future when it comes to the management review?
Carlos Cruz: So it's about... let's look into the definition of a management system. Okay? The definition of a management system, and let me say something like this. For me, it's so beautiful.
Carlos Cruz: Okay. But it's really beautiful. It's not just blah blah talk from me. No, it's it. A management system is a system to establish a policy.
Carlos Cruz: That means to establish a direction, a strategy. Okay. Translate that into objectives, because if we don't do that, it's just blah, blah, blah. Okay. Well intended, but just blah, blah, blah.
Carlos Cruz: And then work, you see, work to achieve those objectives. So a management system is like something that is pulling us into the future. Okay? So where do we want to be in twelve months' time regarding our management system, our quality, our environment, our information security, health and safety, whatever. So it's not reacting to what is happening.
Carlos Cruz: Okay. But, okay, sometimes we need to react, because the context changes very... you mentioned that for information security, the context sometimes changes very drastically. But mostly we want to be driving the bus, not a passenger in the seat of the bus. Okay? So we want to drive the bus, and driving the bus is driving us into the future.
Carlos Cruz: That's how we look to the future. Where do we want to be in the future? So, okay. That's...
Dejan Kosutic: Are you saying that during the management review, the senior managers should, let's say, set new strategic objectives, not only strategic objectives but also objectives for the management system? Is this one of the key tasks?
Carlos Cruz: They should review the current objectives, okay? And check if they need to be updated, if they need to be reviewed, okay? I said before that many companies use the management review just to take a picture of the past. And I said that, in part, I believe that's an issue because of the way the standard is written; the standard somehow invites that feeling, or that way of doing things. Even about the objectives I mentioned, I'm imagining, or remembering, the wording of the ISO 9001 clause 9.3.
Carlos Cruz: And the topic about the objectives is very foggy. Okay. But for me, yeah, it's the right moment to think about the future of the management system.
Carlos Cruz: So we don't need to improve everything, but okay, what are the priorities for improvement? And those priorities for improvement are translated into objectives for the management system.
Dejan Kosutic: And in order for senior management to drive the company forward in these management reviews, is it enough for them to set these objectives or review these objectives? Or is there anything else needed beyond these objectives?
Carlos Cruz: So to establish these objectives, okay, they need to be grounded. Okay? They need to be grounded, not just illusions. Okay? Not just thinking about dreams.
Carlos Cruz: Okay? Just dreams. No. So they need to understand the context of the organisation. Okay.
Carlos Cruz: So when we set objectives, okay, setting objectives requires that we should change something in our system. Okay. Because if we do the same thing, most likely we'll get the same results. Okay. Or even, due to... well, I'll leave that.
Carlos Cruz: Okay. Due to entropy. Okay? Things will get worse. But so if we set a new objective, that means that we need to make something different.
Carlos Cruz: And so that means some kind of investment in resources, training people, investing in hardware, investing in know-how, something. So top management then should provide the resources for that. Okay? And then somehow also monitor if the actions, the plans, are implemented, and if they are effective.
Carlos Cruz: Okay?
Dejan Kosutic: Good. Good. And how do you actually know if the management review was really effective?
Carlos Cruz: How do I know if the management review was effective? So when I'm auditing an organization, I read that management review report, I read what the conclusions were.
Carlos Cruz: And I look into the current performance of the organization and see if they match. Okay, so for example, in my last audit, okay, in my last audit, the organization had a very bad performance, okay, very bad performance. In the report, sorry, in the management review minutes, they were not preoccupied with that. Okay? Then when I was interviewing the top manager, I understood why.
Carlos Cruz: Okay. Because they had a lot of projects, and the way they calculate the indicators regarding sales is that it's only when the project is finished that they include the value of the sales in the sales indicator. So they realized, okay... so I wrote an opportunity for improvement, that they should document this kind of reading of the indicators. Okay. So that's how I do it.
Carlos Cruz: So I look into what they wrote in the report, what they wrote in the minutes, and I look into the current performance. And I see if they say, for example, this one is typical, they say that the management system is effective. And I see that most of the objectives are not achieved. Okay?
Carlos Cruz: I say, oh, come on. You cannot say that your management system is effective. Okay? You cannot say that. Also, this is tricky, because it's their management review, not mine.
Carlos Cruz: Okay? I'm an outsider. I'm an auditor, but I'm an outsider. And it's for them to set priorities. Okay?
Carlos Cruz: But I see something that I think is important. They didn't care. They didn't take any measures regarding that. Okay? Then I look, now, when I'm checking the performance, if it's all in my opinion.
Carlos Cruz: As I try to be a good auditor, I cannot say anything. But if I link that to customer loss, customer complaints, customers not so satisfied with that, now I can make the connection. Okay? Because it's not my opinion, it's the customer's opinion. Okay?
Carlos Cruz: And saying that, yeah. Okay. And...
Dejan Kosutic: Yeah. So basically the success of a management system is a kind of reflection of the thoroughness of the management review.
Carlos Cruz: Yeah. Yeah. Yeah. And sometimes we realize that people pretend, okay, that the system is fine when they know it isn't. Okay?
Carlos Cruz: And I tell them, okay, when you in a management review say that the system is not okay, that's not a nonconformity that the certification auditors or whoever will write about. No, that's a good sign, when we realize that our system has some weakness and we write that in our minutes and then we work to solve it, to improve. What more can an auditor expect? They say, woah, nice. Fantastic.
Carlos Cruz: They are being honest with themselves and they are doing something to improve. Okay? Yeah, definitely.
Dejan Kosutic: Looking at this from another angle, why do management reviews go wrong? I mean, when they go wrong, why do they go wrong?
Carlos Cruz: There's one of the first management reviews that I attended. So I helped an organization to implement their management system. I liked to work with them. It was 1996 or 1997. So one of the first jobs that I did.
Carlos Cruz: It was fantastic, fantastic. They invited me, they were already certified, and they invited me to participate in their management review. I still remember the feeling of, wow, what a meeting. Fantastic meeting. Really, really great meeting.
Carlos Cruz: And then one year later, they invited me again and it was a nightmare, because there was no follow-up. So very good decisions were made in that meeting. And then no one implemented them, no one was responsible, or the person responsible had no resources to implement. So one of the things that I think makes management reviews derail is the after. Okay, so that follow-up.
Carlos Cruz: Okay, providing the resources and the follow-up of the management review. Okay. So when a management review ends, if there isn't anyone with something to do, oh, we have a problem. Okay? So, yeah.
Dejan Kosutic: Yeah. So this follow-up is almost as important as the decisions that are made in the management review. Mhmm. If not even more important.
Carlos Cruz: Or, if not even more important. Yeah. Yeah. When we are implementing those decisions, we are also kind of discovering reality. Okay.
Carlos Cruz: And sometimes we find things that are opportunities. Okay. And it's a growing opportunity for the management system.
Dejan Kosutic: Yeah. Yeah, I mean, exactly because of this implementation. I mean, implementation never goes perfectly, right? It's almost impossible to do everything exactly as you planned. So because of this, I would say, facing the reality, this is why I think that the management review should be more often, not once a year.
Dejan Kosutic: It should be, let's say, once a month, because then the management can be updated on how these decisions are going in reality now. So it's kind of tied, one thing to another.
Carlos Cruz: Yeah. Dejan, the recommendation when doing very frequent, or more frequent, so once per month, management reviews should be to be careful to really stand back. Okay? And try to see the big picture, because it's much easier to just follow the flow. Okay?
Carlos Cruz: Just follow the numbers and not stand back and look into the big picture. Okay?
Dejan Kosutic:Okay. Let's now switch gears a little bit and and try to view this from the consultant point of view. So what basically is a typical role of a consultant when it comes to management review in a company?
Carlos Cruz:Mhmm. So, provides, okay, helps the organization develop the templates, okay, or the topics, then provides what I think are good practices regarding the preparation and the development of the management review. And normally, okay, while implementing the management system, the consultant also attends the management review and supports the person that is responsible for leading the management review. Okay, we say that top management should lead the management review, but sometimes, okay, they need the help of the person responsible for the management system.
Carlos Cruz:And okay, so we as consultants provide that support: preparing the information, providing some tools. Like, for example, I like to use statistical process control for looking into the indicators. So, for individual values, I like to invite people. I stress it a lot. Okay.
Carlos Cruz:Tables are very important because they're data, but tables are annexes. Okay? So in the report for the management review, use graphs. Okay? Use graphs that show the trends much more easily.
Carlos Cruz:And so, this kind of thing. So, when preparing the agenda, one of the things that I learned some years ago in a management magazine is to use questions instead of just topics. Okay, so we may say, for example, in quality, we have one topic: customer satisfaction. And we can put in the agenda "customer satisfaction". And people that read the agenda say, "customer satisfaction".
Carlos Cruz:What do they want us to say about customer satisfaction? But it's another thing when we put there something like: why is customer satisfaction of this particular kind of customer going down? So now we are focusing the attention of people on a particular thing. So people can prepare more, too. Okay? Mhmm.
Carlos Cruz:Instead of coming into the meeting saying, let's wait. Let's wait. What do they have to say? Or what do they want about customer satisfaction? So yeah.
Dejan Kosutic:It's a very good point, to kind of get the interest up front, and the focus.
Carlos Cruz:For example, the most important topics should be the first topics in the agenda. Okay? Because we have the time and so, yeah. This week, I... No, sorry. Last week, I had an experience in a meeting, not in a company, but in a public organization.
Carlos Cruz:The first part of the meeting, when people are fresh, their minds are fresh, the first part of the meeting is for discussing trivial things that are not in the agenda. So it's what they call "before the agenda" time. And they can waste about one hour there. Come on.
Carlos Cruz:One hour with this. And this is when the people are fresh, when their minds are in full, or fully prepared for... and no. So one thing, or another thing, is: the most relevant topics first. So that's another thing. Mhmm. And, yep. And I'm, yeah.
Carlos Cruz:And the topic of: don't present. Don't present data in the meeting. Okay? The meeting is for the decision. So we prepare the report and people receive the report.
Carlos Cruz:If they have questions, yes, okay, they can phone, they can ask for a meeting, we can... but no presentations. And that makes the meeting much more efficient, much more efficient.
Dejan Kosutic:Yeah. That's a very good tip. Yeah. And should consultants actually prepare these materials for the management review, and should consultants participate in the management review?
Carlos Cruz:I like to prepare the people, so the person responsible for the management system. I like to prepare that person to do this job. Okay? And when I was a young consultant, I liked to do that. I know, I wanted to do everything. Okay?
Carlos Cruz:But now I don't think that's the best approach. Okay? Because people don't learn, okay, so much. So now I like to help them prepare it.
Dejan Kosutic:Help them learn how to do it. Right?
Carlos Cruz:Yeah. Help them learn how to do it. I can show them one example of how, so presenting a case study of how it can be done, and then help them do it. And also, the other part of the question was, yeah. So I like to participate when I'm a consultant working on the implementation of the management system.
Carlos Cruz:I like to participate. And normally, I think that all organizations that I helped implement their management system invite me or expect that I attend the management review. Some, even if not all years, but from time to time, invite me to attend their management reviews.
Dejan Kosutic:But why? What is then the role of the consultant if there is already a manager in charge of the management system, if there is already a senior manager?
Carlos Cruz:They want an outside view, not about their decisions, but about the way the topics are discussed, what kind of topics are being discussed, if something is missing in the discussion, because, okay, I can see the report, okay, and I may see that an important topic is not being considered. Or, for example, that sometimes they are wasting a lot of time on something, because at some point, instead of going for a decision, people start defending themselves. And I can say... sometimes it's easy, sometimes it's not so easy, but I can say, oh, come on. I think we can go for a decision, okay?
Carlos Cruz:We are not here just to... We are not here to blame people. The problem is... I remember that phrase from Deming: don't blame the person, blame the system. So it's the system, not the person. So can we move? Can we move to a final decision?
Carlos Cruz:So that's something that I can do. Yeah. Okay. It's very good.
Dejan Kosutic:Now, most of these ISO standards, like 27001, 9001, 14001, more or less have very similar requirements for management review, you know, in terms of inputs and outputs, all kinds of things. So do you think... is it actually a good practice, let's say the company has three standards altogether, let's say these three, should it actually do the management review for all of those standards in one meeting, or should they have separate meetings for each management system?
Carlos Cruz:No. I think that a sign of a mature management system is to have this integrated, okay, an integrated management review. Okay? Mhmm. So many topics are common.
Carlos Cruz:Okay? Many topics are common. And so they can be presented, like, for example, internal audits can be presented at the same time. And then there are some specific topics of each standard. Okay, they have a specific time, a different time for them.
Carlos Cruz:But I think that a sign of a mature management system is to have that integrated. Okay, so I understand that. So you have an ISO 9001 and ISO 14001 management system already implemented and now you are implementing ISO 27001. So I understand and I think it's useful perhaps, okay? I think it's useful to have the first management review just focused on ISO 27001 topics, okay?
Carlos Cruz:But then, as soon as we are certified, okay, now let's move to an integrated management review. Yeah?
Dejan Kosutic:Yeah. Yeah. Makes sense. Yeah. Especially with the maturity thing.
Dejan Kosutic:Yeah. Okay. Very good.
Carlos Cruz:Yeah. Also, we may have different people participating in the meeting at different times, so we don't need to have all the people at the same time. So this part of the meeting, okay, it's the same meeting, some topics are common, but this is for the specific, or something about the environmental management system or health and safety. Okay. So we don't need the health and safety people in the other topics.
Carlos Cruz:Okay. During that time, they are there. So, okay, they can join the meeting and leave the meeting when they are no longer needed for a decision. Okay?
Dejan Kosutic:Yeah. Okay, great. Makes sense. Okay, so let's wrap up the discussion. What would you say are the top things that companies should keep in mind when doing this management review?
Carlos Cruz:Keep in mind: don't focus on the past. Okay? So use the past as a kind of lever to go into the future. Okay? Don't present raw data in the management review.
Carlos Cruz:Okay? So they used to say, don't drown the top management team in raw data. No, that's the topic. So the standard is measuring, monitoring, and then analysis, evaluation. Analysis is translating that raw data into meaning, into insights, and presenting that.
Carlos Cruz:So yeah, that transformation of raw data into insights is critical, I believe. Having the right minds, okay, having the right minds to arrive at the right decisions, okay, in the management review, and also include there someone from top management, okay? What more? Use the management review for decisions, not for presentations. Don't forget at the end that conclusion about whether the system is suitable, adequate, and effective.
Dejan Kosutic:I, as an auditor, when I don't see that...
Carlos Cruz:For me, it's a nonconformity. So be careful with that. And then, please include in the outputs, okay, those decisions about what needs to be improved, what needs to be changed, what are the new objectives, if we need to change objectives, or if we need to change the policy, any relevant risks and opportunities that we need to consider for the future.
Carlos Cruz:So I like to see that. I like it, yeah, it's looking into the future. Yeah. It's looking to the future. Mhmm.
Dejan Kosutic:Okay. Great. Thanks. These were really great insights. I learned a lot today again from you. So thanks again, Carlos.
Carlos Cruz:Thank you very much for inviting me to this podcast. Okay.
Dejan Kosutic:Thanks again. And, yeah, I hope that we will have another discussion, maybe on a second anniversary or maybe a third anniversary of Secure & Simple podcast. Thanks again, Carlos, and thank you everyone for listening to or watching this podcast, and see you again in two weeks' time in our new episode of Secure and Simple podcast. Thanks for making it this far in today's episode of Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance compliance for a living: on the Advisera website you can check out various tools that can help your business.
Dejan Kosutic:For example, Conformio software enables you to streamline and scale ISO 27001 implementation for your clients. White-label documentation toolkits for NIS2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.
Dejan Kosutic:If you like this podcast, please give it a thumbs up; it helps us with better ranking, and I would also appreciate it if you share it with your colleagues. That's it for today. Stay safe!
