What does Clause 9.3 involve?
ISO itself says the reviews should take place at planned intervals, which generally means at least once per annum and within an external audit surveillance period. However, with the pace of change in information security threats, and a lot to cover in management reviews, our recommendation is to do them far more frequently, as described below and ensure the ISMS is operating well in practice, not just ticking a box for ISO compliance.
The value of the information security management system (ISMS) Management Review is often underestimated. Some may look at it as a tick-box requirement that needs to take place purely to meet ISO 27001 requirement 9.3. However, to really ‘live and breathe’ good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives continue to remain suitable, adequate and effective given the organisation’s purpose, issues, and risks around the information assets. These will previously have been addressed within 4.1 the organisation and its context, 4.2 the requirements of interested parties, 4.3 scope of the ISMS, and 6.1 for the risk management work.
The work leading up to and around the management review will enable senior management to make well informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
What should be included in the ISO 27001 Management Review?
The management review must at a minimum follow a standard format that looks at the requirements of 9.3 for ISO 27001:2103. These are outlined below. In addition it may also be that the organisation wishes to include other compliance regimes in the review, such as Cyber Essentials, ISO 9001, and other good practices, to facilitate effective reviews and informed decision making. It can even tie the 9.3 information security aspects for 9.3 onto broader senior management meetings or formal Board meetings. Either way it needs to document the results and actions from the reviews.
For organisations that are in the implementation phase of their ISMS, we also recommend they conduct management reviews weekly as part of a good practice building habit, and include implementation lessons, next period goals and issues alongside those elements of the formal management agenda that can be covered off. External auditors really like to see the organisation embrace the spirit of the management review and like to see effectiveness from planning and implementation work, which also fits into the requirements for clause 7.5 and clause 8 for operation.
The formal ISO 27001 management review 9.3 agenda should include consideration of:
- The status of actions from previous management reviews
- Changes in external and internal issues that are relevant to the information security management system
- Feedback on the information security performance, including trends in:
- nonconformities and corrective actions;
- monitoring and measurement results;
- audit results; and
- fulfillment of information security objectives.
- Feedback from interested parties
- Results of risk assessment and status of risk treatment plan; and
- Opportunities for continual improvement.
You might also want to add an additional point:
- Agree on Audit Focus for Coming Period. This is optional if you are an agile organisation and not able to fully specify the whole audit programme and plan too far in advance. However, bear in mind that some external auditors want more clarity over the whole programme for the certification cycle!
The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Who should attend the ISO 27001 Management Review?
Considering the above, it is clear to see that, given due consideration, the ISO 27001 management review is an indispensable tool for ensuring the ISMS continues to be effective in helping the organisation achieve its intended outcomes from the information security management investments.
For the ISMS to be effective in an organisation, it needs senior management commitment and, as such, it makes sense for the members of an ISMS “Board’ to have authority in matters pertaining to information security. Typically an ISMS Board might include the Chief Information Security Officer (CISO), and other senior management along with the representatives managing the ISMS in practice. Roles around information security do not need to be full time or exclusive, but do need clarity in roles, responsibilities and authorities as outlined in clause 5.3. Having an ISMS Board helps that process too.
The outputs of the management review will include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
What is the ideal Management Review frequency?
There is a minimum requirement to conduct a management review once a year, and more frequently if there are any material changes that could affect information security and the ISMS. However, the frequency will be defined by the management’s requirement to monitor the success of the ISMS. There is also a danger that, the greater the interval, the greater the work that will be involved in reviewing the previous period. It also increases the risk of failure in the ISMS not being identified promptly.
For that reason, we’d recommend monthly, bi-monthly, or even quarterly if your ISMS is quite stable. Certainly, management reviews must take place at planned intervals to ensure the ISMS remains ‘suitable, adequate and effective’.
For those seeking ISO 27001 certification of their ISMS, it’s also important to note there is a requirement to evidence, during the Stage 1 desktop audit, that the regular reviews are taking place.
We suggest weekly management reviews pre Stage 1 audit as this will keep your implementation project on track, build the habit, and within one month you will have built up enough evidence, using the easy Management Review programme in the platform, to satisfy the auditor and get into the groove for future reviews.
Management Reviews using ISMS.online
ISMS.online makes managing your complete ISMS simple, including the management reviews for information security.
ISMS.online brings everything together in one secure, online environment where you can collaborate with colleagues, capture the required evidence just once and easily navigate to it before, during and after the review.
Book a demoCompliance doesn’t have to be complicated.
We've done the hard work for you, giving you an 81% Headstart from the moment you log on.
All you have to do is fill in the blanks.