ISO 27001 management review: a practical guide

As part of their ISO 27001 compliance, organisations must conduct management reviews to address any emerging information security trends and to ensure that their ISMS (information security management system) works as intended.

Unfortunately, there’s a mistaken belief that the review is only necessary as part of the certification audit. That couldn’t be further from the truth, as we explain in this blog.

The purpose of the ISO 27001 management review

Management reviews give senior staff the opportunity to evaluate the effectiveness of their organisation’s ISMS and make any changes that could boost its ability to protect sensitive information.

The criteria for an effective ISMS will have been addressed as part of your work conforming with Clause 4 of ISO 27001, which covers the organisation and its context, the requirements of interested parties, the scope of the ISMS and risk management.

The management review also gives you the opportunity to inform senior staff of any changes or revisions that have been made to the day-to-day workings of the ISMS.

What the management review should cover

Clause 9.3 of ISO 27001 outlines what your management review should cover.

Your first order of business is to revisit any ongoing actions that you decided upon in previous management reviews.

For example, you might have requested statistical analysis related to certain practices, or decided to adjust a process. Now is the time to check them and get further comment.

Next, you should discuss any external or internal issues that are relevant to the ISMS.

‘Internal and external issues’ is a phrase introduced in Clause 4.1 of ISO 27001, and refers to things that could affect your sensitive information.

Internal issues include things related to information assets, people, products and systems, whereas external issues might include political problems, economic fluctuations and new technologies.

The third item on your agenda is the overall performance of your ISMS. You should focus on:

  • Areas of the ISMS that aren’t working as intended;
  • Actions you’ve taken to address previously identified weaknesses;
  • The ongoing monitoring of your ISMS’s performance;
  • Audit results and the fulfilment of information security objectives;
  • Feedback from interested parties;
  • Results of your risk assessment and the status of the risk treatment plan; and
  • Opportunities for continual improvement.

Who should attend the management review?

As the name suggests, senior management should play a key role. This might take the form of an ‘ISMS board’ – i.e. a group of senior staff that is tasked with overseeing information security issues.

The ISMS board generally includes the CISO and other executives, along with department heads who oversee the handling of large volumes of sensitive information.

How often should management reviews be conducted?

You are required to conduct a management review at least once a year, and more frequently if there are any material changes that could affect your ISMS.

However, we suggest holding meetings more regularly than this, because you’ll have a lot to cover and will find that information security issues evolve quickly.

How frequently you hold meetings is up to you – but we think quarterly or monthly get-togethers are more suitable.

Getting the most out of the management review

Here are some tips to help you get started:

  1. Keep attendees to a minimum

You don’t need to fill the room to get as many opinions as possible. You’re better off with a small group of people whose insight you value.

Attendees can consult with colleagues outside of the meeting if they need further advice or information – and you can invite people as needed– but this isn’t the time for an organisation-wide discussion.

  1. Keep management reviews and management meetings separate

Senior staff probably already meet up on a regular basis to address the day-to-day operations of the organisation, but don’t fall into the trap of thinking you can slide your management reviews into these meetings.

If you do, you’ll find that issues are conflated or that information security concerns are pushed aside in favour of more urgent business matters.

  1. Keep minutes

ISO 27001 requires you to document the content and results of your management reviews, so someone will need to keep minutes.

This isn’t simply to prove that you’ve been holding meetings. It helps remind you of any topics that came up and the decisions you made regarding them.

  1. Provide a summary

Attendees often find it helpful to have a brief round-up of what was discussed in addition to the minutes, which can be hard to navigate if you’re looking for a summary of a specific issue.

Summaries are best produced soon after the meeting has finished, so the person producing it still has all the information fresh in their mind. They can then circulate the write-up in an email.

Learn more about risk management

Discover what risk management entails with our Certified ISO 27005 ISMS Risk Management Training Course.

In three days, you’ll gain the skills and knowledge needed to implement and maintain a risk management programme based on the best practices outlined in ISO 27005 and other risk management techniques.

Find out more