Information Security – Management Review Procedure
Intent
This Procedure has been established to provide a structured process for conducting management review of James Cook University’s (JCU; the University) Information Security Management System (ISMS) in alignment with ISO 27001 requirements. This process ensures the ongoing relevance, effectiveness, and alignment of the ISMS with the University’s strategic objectives and priorities.
Scope
This Procedure applies to all Authorised Users of the University’s information management systems regardless of location, whether during or after business hours or whether on JCU-owned or privately owned devices.
Definitions
Refer to the Digital Policy Glossary for a comprehensive list of definitions, terms and explanations relating to information security at JCU.
Introduction
Conducting periodic management reviews is a key requirement of ISO/IEC 27001 (Information security, cybersecurity and privacy protection – Information security management systems – Requirements).
Through systematic evaluation and analysis, the management review facilitates informed decision-making, risk management, and continual enhancement of information security practices. Comprehensive documentation and recordkeeping promote transparency and accountability, further demonstrating JCU’s commitment to maintaining a robust ISMS.
Procedure
| Action | When | Responsible Officer |
| --- | --- | --- |
| 1. Conduct an annual review of JCU’s ISMS including: | End June | Information Security - Governance, Risk and Compliance (GRC) Manager |
| 2. Analyse findings and deliver a comprehensive report to the Chief Information Security Officer (CISO), outlining systemic issues and recommendations aimed at sustaining and improving the effectiveness of the ISMS. 2.1 The report format, reporting period, and relevant metrics will be determined in consultation with the CISO and may include: | End July | Information Security - Governance, Risk and Compliance (GRC) Manager |
| 3. Present findings to the Chief Digital Officer (CDO), ensuring decisions and actions are documented, monitored and escalated to senior management as necessary. 3.1 Incorporate related strategies into planning processes to enhance JCU’s cybersecurity posture. | End August | CISO |
| 4. Present findings, recommendations and action plans to senior management, including the University Executive and governance committees as relevant. 4.1 Ensure feedback is incorporated and appropriate approval is obtained for major ISMS decisions and resource allocations, in alignment with the University’s delegations and sub-delegations. | End September | CDO |
Related Policy Instruments
Information Security Management Framework
Queensland Government Information Security Policy (IS 18:2018)
ISO/IEC 27001 Information security, cybersecurity, and privacy protection – Information security management systems – Requirements
ISO/IEC 27002 Information security, cybersecurity, and privacy protection – Information security controls
Schedules/Appendices
Nil
Administration
NOTE: Printed copies of this procedure are uncontrolled, and currency can only be assured at the time of printing.
Approval Details

| Item | Detail |
| --- | --- |
| Policy Domain | Corporate Governance |
| Policy Sub-domain | Risk, Assurance, Regulatory and Compliance |
| Policy Custodian | Vice Chancellor |
| Approval Authority | Council |
| Date for next Major Review | 09/05/2030 |

Revision History

| Version | Approval date | Implementation date | Details | Author |
| --- | --- | --- | --- | --- |
| 25-1 | 09/05/2025 | 13/05/2025 | Procedure established. | Information Security - Governance, Risk and Compliance Manager |

| Item | Detail |
| --- | --- |
| Keywords | ISO 27001, cyber security, ISMS, risk management, continuous improvement, Information Security Management System compliance |
| Contact person | Information Security - Governance, Risk and Compliance Manager |