Management Review has not been effectively implemented.
The management review for 2013 was conducted on 19 Sep 13. The only agenda items related to information security were the review of the risk assessment and, indirectly, the review of the incident log. The incident log was not directly about security incidents.
The management review did not cover many of the items required by the ISO27001 standard, such as:
a) results of ISMS audits and reviews;
b) feedback from interested parties;
c) techniques, products or procedures, which could be used in the organization to improve the ISMS performance and effectiveness;
d) status of preventive and corrective actions;
e) vulnerabilities or threats not adequately addressed in the previous risk assessment;
f) results from effectiveness measurements;