Compliance with required laws, regulations, standards, and contractual obligations can be as challenging as dealing with an ever-changing threat environment and new forms of cyber-attacks.
The organization shall document the information security requirements and the organisation's operating model for meeting them.
It is important to note that a large part of the requirements (e.g. laws, standards) are evolving entities. It is recommended to define a review interval for the documentation to describe the frequency at which changes in the requirements should at least be checked.
Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.
The management review shall address and comment on at least the following:
Documented information on the execution and results of reviews must be maintained.