Conducting management review team meetings: a guide for Information Security Managers
Table of contents
- ISO 27001 Clause 9.3 Management Review
- How to conduct a Management Review Meeting
- Management Review Meeting Agenda Template
- Management Review Meeting FAQ
ISO 27001 Clause 9.3 Management Review
Let us take a look at what the ISO 27001 requirement is for a management review before we step through the process of how to conduct a Management Review Team Meeting.
The ISO 27001 standard wants us to conduct regular, planned reviews of our information security management system to make sure that everything is working as it should. It is a fundamental part of the management system and as such it actually ticks a few of the ISO 27001 boxes. In particular it is addressed in ISO 27001 Clause 9.3 Management review and its record is one of the ISO 27001 mandatory documents.
The output and result of the meeting is a record of decisions made and changes needed. It is a requirement to keep copies of the meeting minutes as evidence. The meeting follows a structured agenda as per the Management Review Team Agenda Template. In brief it covers tracking of objectives, monitoring results, risk management, continual improvement, audit results and feedback.
How to conduct a Management Review Meeting
It is recommended that you have a management review meeting every month. This allows you to manage effectively, especially in the first year of an implementation. Meetings should be held no less often than every 3 months, which means at least 4 meetings a year.
It is good practice to set your meetings at the beginning of the year.
Be sure to book your meeting several weeks in advance to ensure availability.
Meetings can be conducted remotely over web collaboration tools such as Zoom, or Teams or meetings can be booked face to face in a meeting room.
If you book a meeting room, make sure that the room has a display screen that can be seen by all attendees.
Book a 1-hour meeting slot. On average a Management Review Meeting will take around 45 minutes. In time, as you establish your information security management system and operating rhythm, this time will reduce. If you overrun, additional meetings can be booked.
Create a sub folder in your document storage for the meeting.
Collate the latest copies of the required documents for the Management Review Meeting and place them in the sub folder.
Ahead of the meeting, ideally 5 working days in advance, share links to the latest version of the documents with the invitees.
Note: some documents are confidential and should not be shared via email.
Consider your audience and the format in which they want to see the documents. You may require printouts, although this is discouraged. If required, prepare them in advance.
Ensure that all of the documents are up to date and that all previous actions are updated.
Ensure people know if they are due to report back what is expected and in what format.
Use the agenda template ‘Management Review Team Agenda – Template’.
Complete the agenda and update the relevant sections.
The Management Review Team are documented in the document Roles and Responsibilities. If not already sent, send the invite to the management review team and any guest attendees.
If the Management Review Team has changed, update the document Roles and Responsibilities, remembering to update the version control.
The meeting requires a chairperson for the meeting. Decide on who will chair the meeting. The default is The Information Security Manager.
The meeting requires minuting. Decide on who will minute the meeting. The default is The Information Security Manager.
Work through the defined and structured agenda.
Agree / confirm the date of the next Management Review Meeting.
Within 5 working days send out links to the meeting minutes to all attendees.
Update appropriate management documentation based on the outcomes from the meeting. Documents to consider are:
- Action Log
- Incident and Corrective Action Log
- Risk Register
Management Review Meeting Agenda Template
The management review meeting agenda template has all of the agenda items required by ISO 27001 Clause 9.3.
Management Review Meeting FAQ
Are Management Review Meetings mandatory?
Yes. Management Review Meetings are mandatory.
Which ISO 27001 clause covers management review?
ISO 27001 Clause 9.3 is Management review.
How often should a management review meeting be held?
A management review meeting should be held at least once every 3 months but ideally once every month.
What is a management review meeting?
A management review meeting is a mandatory requirement of the ISO 27001 standard. The meeting has a structured agenda, dictated by the standard, and must cover key topics. It provides management oversight and demonstrates leadership commitment and leadership buy-in. It can act as an oversight body to provide sign-off on documents and decisions in relation to the management system.
Where can I get a management review meeting agenda template?
A management review meeting agenda template can be downloaded here: https://hightable.io/product/iso-27001-management-review-template/
Who attends the management review meeting?
The management review meeting is attended by the management review team. The management review team is an oversight structure made up of representatives from the business and at least one member of senior leadership. It has set responsibilities as recorded in the Assigned Roles and Responsibilities document. Additional attendees include subject matter experts required for particular items on that meeting's agenda.
Are minutes of the meeting required?
Yes. Minutes of the meeting are taken and recorded. The standard requires those minutes to be retained as evidence that the meetings took place.