What is covered under ISO 27001 Clause 9.3?
It is the responsibility of senior management to conduct the management review for ISO 27001. These reviews should be pre-planned and be often enough to ensure that the information security management system (ISMS) continues to be effective and achieves the aims of the business. ISO itself says the reviews should take place at planned intervals, which generally means at least once per annum and within an external audit surveillance period. However, with the pace of change in information security threats, and a lot to cover in management reviews, our recommendation is to do them far more frequently, as described below and ensure the ISMS is operating well in practice, not just ticking a box for ISO compliance.
What is the purpose of the ISO 27001:2022 Management Review?
The value of the information security management system (ISMS) Management Review is often underestimated. Some may look at it as a tick-box requirement that needs to take place purely to meet ISO 27001 requirement 9.3. However, to really 'live and breathe' good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation's purpose, issues, and risks around the information assets. These will previously have been addressed within 4.1 the organisation and its context, 4.2 the requirements of interested parties, 4.3 scope of the ISMS, and 6.1 for the risk management work.
The work leading up to and around the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
What is the purpose of the ISO 27001:2022 Management Review?
The value of the information security management system (ISMS) Management Review is often underestimated. Some may look at it as a tick-box requirement that needs to take place purely to meet ISO 27001 requirement 9.3. However, to really 'live and breathe' good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation's purpose, issues, and risks around the information assets. These will previously have been addressed within 4.1 the organisation and its context, 4.2 the requirements of interested parties, 4.3 The scope of the ISMS, and 6.1 for the risk management work.
The work leading up to and around the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
What should be included in the ISO 27001 Management Review?
The management review must at a minimum follow a standard format that looks at the requirements of 9.3 for ISO 27001:2022. These are outlined below. In addition it may also be that the organisation wishes to include other compliance regimes in the review, such as Cyber Essentials, ISO 9001, and other good practices, to facilitate effective reviews and informed decision making. It can even tie the 9.3 information security aspects for 9.3 onto broader senior management meetings or formal Board meetings. Either way it needs to document the results and actions from the reviews.
For organisations that are in the implementation phase of their ISMS, we also recommend they conduct management reviews weekly as part of a good practice building habit, and include implementation lessons, next period goals and issues alongside those elements of the formal management agenda that can be covered off. External auditors really like to see the organisation embrace the spirit of the management review and like to see effectiveness from planning and implementation work, which also fits into the requirements for clause 7.5 and clause 8 for operation.
The formal ISO 27001 management review 9.3 agenda should include consideration of:
- The status of actions from previous management reviews
- Changes in external and internal issues that are relevant to the information security management system
- Feedback on the information security performance, including trends in:
- nonconformities and corrective actions;
- monitoring and measurement results;
- audit results; and
- fulfillment of information security objectives.
- Feedback from interested parties
- Results of risk assessment and status of risk treatment plan; and
- Opportunities for continual improvement.
You might also want to add an additional point:
- Agree on Audit Focus for Coming Period. This is optional if you are an agile organisation and not able to fully specify the whole audit programme and plan too far in advance. However, bear in mind that some external auditors want more clarity over the whole programme for the certification cycle!
The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Who should attend the ISO 27001 management review?
Considering the above, it is clear to see that, given due consideration, the ISO 27001 management review is an indispensable tool for ensuring the ISMS continues to be effective in helping the organisation achieve its intended outcomes from the information security management investments.
For the ISMS to be effective in an organisation, it needs senior management commitment and, as such, it makes sense for the members of an ISMS "Board' to have authority in matters pertaining to information security. Typically an ISMS Board might include the Chief Information Security Officer (CISO), and other senior management along with the representatives managing the ISMS in practice. Roles around information security do not need to be full time or exclusive, but do need clarity in roles, responsibilities and authorities as outlined in clause 5.3. Having an ISMS Board helps that process too.
The outputs of the management review will include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
What is the ideal management review frequency for ISO 27001 clause 9.3?
There is a minimum requirement to conduct a management review once a year, and more frequently if there are any material changes that could affect information security and the ISMS. However, the frequency will be defined by the management's requirement to monitor the success of the ISMS. There is also a danger that, the greater the interval, the greater the work that will be involved in reviewing the previous period. It also increases the risk of failure in the ISMS not being identified promptly.
For that reason, we'd recommend monthly, bi-monthly, or even quarterly if your ISMS is quite stable. Certainly, management reviews must take place at planned intervals to ensure the ISMS remains 'suitable, adequate and effective'.
For those seeking ISO 27001 certification of their ISMS, it's also important to note there is a requirement to evidence, during the Stage 1 desktop audit, that the regular reviews are taking place.
We suggest weekly management reviews pre Stage 1 audit as this will keep your implementation project on track, build the habit, and within one month you will have built up enough evidence, using the easy Management Review programme in the platform, to satisfy the auditor and get into the groove for future reviews.
How should you manage communications and actions following ISO 27001 management reviews?
Historically a management review might involve circulating by email in advance, the meeting invitations, the agenda, the evidence and reports for review, or to support the review, and the previous items that required action - multiple copies of During the review, notes are taken of the findings for subsequent writing up and distribution. Areas identified for corrective actions and improvements will also need to be documented and tasked to the individuals who will be responsible for completing these actions. At each step, evidence must be retained to satisfy an external auditor that the review and processes are taking place and being effective. That's a lot of emails, a lot of planning and a lot of evidencing!
Imagine an online management review programme that made it simple to set up your ISMS Board team, simple to schedule reviews and follow a standard agenda, simple to link to previous reviews, see all the information needed, and simple to assign and track tasks, corrective actions and improvements?
Bring everything together in one secure, online environment where you can collaborate with colleagues, capture the required evidence just once and easily navigate to it before, during and after the review. You'll also want to see all the ISMS insight and activity in one place and the clusters, reports and insight workspace is easy to see
