Quiz Entry - updated: 2026.06.04
What belongs to the KVP phase of an ISMS, and why does the cycle end with a report to management?
Kontrolle, Sanktionen, KVP, Audit, and Bericht an GL — closing the loop back to the management that started it.
- Kontrolle — ongoing checking that measures are implemented and effective
- Sanktionen — defined consequences for violations; rules without consequences are recommendations
- KVP — continuous improvement of measures and documents based on findings
- Audit — independent verification (internal audit, possibly external/certification audit)
- Bericht an GL — regular reporting to executive management
Why the report matters: the GL issued the mandate and owns the residual risk — so it must regularly learn whether its risk position is what it believes. This is also an ISO 27001 hard requirement ("management review", clause 9.3). The loop GL → ISMS → GL is what makes security a management system rather than an IT hobby.