Management Review Meeting (MRM)
Information Security Management System
ISO/IEC 27001:2022 Clause 9.3 Compliance – SquareX
Purpose
This document defines the standards and records for the Management Review Meeting (MRM) conducted by SquareX Holdings, Inc. under ISO/IEC 27001:2022 Clause 9.3. The purpose is to evaluate the effectiveness of the ISMS, ensure alignment with organizational objectives, and drive continual improvement.
Scope
This MRM covers all processes and operations under SquareX’s ISMS scope, including:
Browser Detection & Response (BDR) – malicious extension detection, identity attack prevention, malware sandboxing, content disarm & reconstruction.
Enterprise Browser – isolation, BYOD security, contractor/remote access.
Browser DLP – GenAI leakage protection, file/clipboard controls.
Secure Access – internal apps, SSH/RDP access, unmanaged device control.
Applicability
This meeting applies to all ISMS stakeholders: management, CISO, ISMS Lead, IT Manager, Security Operations, and Product Owners.
Meeting Details
Meeting Date: 2025-08-15
Meeting Time: 10:00 AM – 11:30 AM EST
Location: Hybrid (Boardroom + Virtual)
Chair: Venkat Pothamsetty, Consultant
Attendees: Jeswin Mathai (CISO), ISMS Lead, IT Manager, Product Security Lead
Prepared by: ISMS Lead
Approved by: Venkat Pothamsetty, Consultant CISO
Document Status: Final – Approved
Agenda
Review of previous action items
ISMS performance metrics (incidents, audits, BDR effectiveness)
Internal audit results
Nonconformities and corrective actions
Changes affecting the ISMS
Opportunities for improvement
Decisions and action items for next period
Next review scheduling
1. Review of Previous Actions
| Action Item | Responsible Party | Due Date | Status / Notes |
|---|---|---|---|
| Deploy MFA across Enterprise Browser logins | CISO | 2025-06-30 | Completed – enforced via SSO + MFA across all staff |
| Expand Extension Analysis dynamic checks | Product Security Lead | 2025-07-15 | Completed – behavioral sandbox now operational |
| Implement BYOD wipe capability | IT Manager | 2025-07-31 | Completed – remote wipe and posture validation active |
Summary: All actions completed on schedule. No open actions remain.
2. ISMS Performance Metrics (Feb–Jul 2025)
Security Incidents: 0
High-risk Extensions Blocked by BDR: 27 (100% contained, no data loss)
Minor Non-conformities: 1 (resolved – see Section 4)
MFA Compliance: 100%
Endpoint Encryption: 100% BitLocker/FileVault coverage
Training Completion: 98%
Assessment: Controls operating effectively. BDR prevented multiple extension-based attacks, confirming system suitability.
3. Internal Audit Results (July 2025)
Scope: Controls A.5, A.8, and A.13 applied to:
BDR logs
Enterprise Browser policies
Vendor integrations (Google Workspace)
Summary Findings:
Non-conformity: Lack of automated reporting on GenAI clipboard DLP logs.
Corrective Action: SIEM integration planned (completion by 2025-09-15).
Effectiveness: All other controls verified effective.
4. Nonconformities & Corrective Actions
NC-2025-01: Missing DLP log automation.
Corrective Action: Integrate DLP clipboard/file logs into SIEM for real-time alerts.
Status: In progress – on track for September completion.
5. Changes Affecting the ISMS
External:
Emerging threats – malicious GenAI plugins & extension polymorphism (monitored, partially mitigated).
No regulatory changes impacting SquareX clients.
Internal:
G Suite policy refinements (Takeout disabled, unapproved extension controls enforced).
Security team expanded by 2 engineers to support BDR operations.
Scope Review: Current ISMS scope remains valid; no updates required.
6. Opportunities for Improvement
Enhanced Security Awareness Training
Move from annual slide decks to interactive simulations.
KPI Dashboard Automation
Direct integration of BDR and DLP logs into real-time metrics.
Expanded Audit Scope
Include supplier risk management & incident response playbooks.
7. Decisions & Action Items
Decisions:
Approve SIEM integration for DLP logs.
Approve expansion of training to simulation-based modules.
Maintain semi-annual management review cadence.
Action Items:
| Action Item | Responsible Party | Due Date | Priority |
|---|---|---|---|
| Develop interactive training modules | ISMS Lead | 2025-11-30 | Medium |
| Define expanded audit scope (suppliers + IR) | CISO | 2026-01-15 | Medium |
8. Summary & Next Review
System Status: ISMS remains suitable, adequate, and effective.
Next Review Date: 2026-02-01
Focus Areas: Verify corrective action closure (DLP logs), review the expanded audit scope, and assess training effectiveness.
9. Documentation & Retention
MRM minutes, performance metrics, audit reports, and the corrective action tracker are retained for 3 years.
Minutes are distributed to attendees within 3 business days.
10. ISO/IEC 27001:2022 Clause 9.3 Compliance
Inputs Covered:
Status of previous actions ✅
Changes to ISMS ✅
Feedback on ISMS performance ✅
Risk assessment results ✅
Internal audit results ✅
ISMS objectives progress ✅
Opportunities for improvement ✅
Outputs Produced:
Improvement decisions ✅
Resource allocation ✅
Scope confirmation ✅
Action assignments ✅
Certification Readiness: This MRM provides a clear audit trail of management oversight, continual improvement, and effective ISMS operation in line with Clause 9.3.