In systematic cyber security work, the impact of significant changes must be assessed in advance, and the changes must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.
Significant changes may include changes in the organization, operating environment, business processes and data systems. Changes can be identified, for example, through management reviews and other cyber security work.
Top management shall review the organization's information security management system at planned intervals to ensure that it remains appropriate, relevant and effective.
The management review shall address and comment on at least the following:
Documented information on the execution and results of reviews must be maintained.