Question management review (ISO9.3) a policy or a control

Good morning all, I’m quite a new user of Eramba and so far so happy.

I have a question related to policy and control as a solution for ‘problem 9.3 management review’.
In our information security policy I mentioned that the management or board should periodically review the working of the ISMS.

So I used this infosec policy as a policy control,
set the management review itself as an internal control (action),
and the output of the management review as control evidence in “Comments & Attachments”.

I set an annual audit to this internal control to check if the management review was done and sufficient.

Is this the correct way to use Eramba?

Another question is the annual review of the infosec policy itself.
Should I also set an internal control for that, since I can set annual reviews in the policy tab as well?

And then set an internal control audit that checks if there is a sufficient infosec policy and if it’s reviewed annually.

Thanks and regards!

I do it similarly.
The policy as a document has a review date. If you set this to 1-2 per year, you are reviewing the policy. The review is the ‘control’ of reviewing the policy.
The internal control for checking that the ISMS (or any system) is working is the management review.
If you are referring to Compliance Management → Compliance Analysis for the ISMS system requirement, then in the treatment of the requirement (9.3), you put your policy in “Policy” and the management review control in “Internal Controls”.

1 Like

I think you are good with this, we do something similar.

Typically, the review of the policy is enough. Policies in Eramba must be reviewed, and it is up to you when, by setting up a deadline, so that review is typically enough.

1 Like