Governance framework and management reporting
Answer: ISO 27001 doesn't require having a "Governance framework" as a single document; what it does require is a couple of documents that help you manage your ISMS - Information security policy, Procedure for document control, Procedure for corrective actions, Procedure for internal audit, etc. - all of those documents you'll find in your toolkit. Regarding governance, it is very important that you set general and security-specific ISMS objectives, and document them. General objectives are documented either through the Information security policy or as a separate document - we do not have a template for such a separate document since it is not really needed; specific ISMS objectives are usually documented through the Statement of Applicability - you'll notice a column in our template for that purpose.
This article will also help you: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
Regarding Management reporting, it is necessary (1) that you measure the achievement of all the objectives, (2) that those results are regularly reported to the management, (3) that you set clear responsibilities for this reporting, and (4) that during the Management review your top management reaches decisions based on these reports.
We do not have a special template for defining how the reporting is done because companies usually already have a reporting system in place - some have Balanced Scorecard, some have some other system of reporting towards the management - in my view it is important that information security reporting is included in this existing system. For management review you'll find the Management review minutes in the toolkit.
See also this article: How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
May 12, 2016