Management Review

Section 9.3 is entirely dedicated to a management review, and without a doubt, having an entire chapter dedicated to one topic explains how important this is. So what is a management review?

Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

That's a bit of a mouthful, so let's break it down. A management review is essentially a regularly occurring meeting where all key stakeholders of the ISMS come together to discuss the overall ISMS, assess whether things are going the way they should, and determine whether any actions need to be taken to improve the quality of the ISMS.

9.3 goes even further: it even provides a template of what appears to be an agenda. There's not really much more to it - follow the items, send out the meeting invites, and talk about the agenda items.

Ok - I know that sounds a bit simplistic. Let's break it down.

Sample Agenda

What does it mean?

Frequency of the meeting

ISO27001 states the meeting must occur at planned intervals, but that's a bit too vague. As a general piece of advice, we would recommend having at least a monthly meeting. There are some situations where organisations choose to have a quarterly meeting instead of a monthly one. I'm not a huge fan of reducing the frequency of the management review meetings. As long as your organisation has other forums where security metrics and controls are tracked more frequently, you should be successful with less frequent management review meetings.

If in doubt, stick to a monthly meeting.

Record keeping

Lastly, 9.3 is also quite clear that documented information is to be retained as evidence. After every management review, you need to ensure that the meeting minutes are documented and distributed to all participants, and of course that you retain a copy of the evidence. You will be asked to produce this during your annual recertification process. Revisit the section on Document Management if you need a refresher on the processes.