Organizations should have a process for conducting regular reviews of their information security approach and implementation. These reviews will be conducted by personnel with the necessary competence, who should be outside the area being reviewed. The review results should be given to management and, if necessary, top management. If the reviews identify any inadequacies, management should initiate corrective actions.