How to conduct an ISO 27001 Management Review Meeting

Home / ISO 27001 Tutorials / How to conduct an ISO 27001 Management Review Meeting

The ISO 27001 Management Review is a key part of the information security management system that demonstrates leadership buy in and also follows a structured and defined agenda.

In this ultimate guide to ISO 27001 Management Review Meeting you will learn

  • What is an ISO 27001 Management Review Meeting
  • How to conduct an ISO 27001 Management Review Meeting
  • What the ISO 27001 Management Review Meeting Agenda is
  • Get an ISO 27001 Management Review Meeting Template

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

What is an ISO 27001 Management Review Meeting?

ISO 27001 has the concept of leadership buy in built in. It sees information security as being driven from the top down. As part of the management oversight the standard requires a meeting to be conducted on a regular basis that follows a structured and defined agenda. The agenda covers the ongoing operational requirements of the information security standard.

ISO 27001 Management Review Attendees

Who should attend the ISO 27001 Management Review? The attendees of the management review should be:

  • The information security manager
  • A member of the senior leadership team
  • A representative from each department in the business
  • Adhoc resource specific to that meeting as required

When considering the people that attend consider the following roles that are responsible for:

  • Information Security
  • Leadership
  • HR
  • Change Management
  • Operational Management
  • Supplier Management
  • Software Development (if applicable)
  • Information Technology
  • Business Continuity and Disaster Recovery

DO IT YOURSELF ISO27001

Stop Spanking £10,000’s on Consultants and Platforms

ISO 27001 Toolkit Business Edition

ISO 27001 Management Review Meeting Agenda

The standard sets out specific requirements for what must be covered in the meeting. You can add to this list but as a minimum you should have an agenda that covers:

  • the status of actions from previous management reviews;
  • changes in external and internal issues that are relevant to the information security management system;
  • feedback on the information security performance, including trends in:
  • nonconformities and corrective actions;
  • monitoring and measurement results;
  • audit results; and
  • fulfilment of information security objectives;”
  • feedback from interested parties;
  • results of risk assessment and status of risk treatment plan; and
  • opportunities for continual improvement.

The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

ISO 27001 Management Review Meeting Agenda Template

The management review meeting agenda template has all of the agenda items required by ISO 27001 Clause 9.3

It has been prewritten to save you time and can be used straight away.

ISO27001 Management Review Team Meeting Agenda-Black

ISO 27001 Clause 9.3 Management Review

Let us take a look at what the ISO 27001 requirement is for a management review before we step through the process of How to conduct a Management Review Team Meeting.

The ISO 27001 standard wants us to conduct regular, planned reviews of our information security management system to make sure that everything is working as it should.

It is a fundamental part of the management system and as such it actually ticks a few of the ISO 27001 boxes. In particular it is address in ISO 27001 Clause 9.3 Management review and is one of the ISO 27001 mandatory documents.

The output and result of the meeting is a record of decisions made and changes needed. It is a requirement to keep copies of the meetings as evidence.

It does have a structure agenda as per the Management Review Team Agenda Template. In brief it covers tracking of objectives, monitoring results, risk management, continual improvement, audit results and feedback.

Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

The management review shall include consideration of:

a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;”
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f ) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organisation shall retain documented information as evidence of the results of management reviews.

ISO27001:2022 Clause 9.3 Management Review

How to implement ISO 27001 Clause 9.3 Management Reviews

ISO 27001 Management Reviews are a requirement of ISO 27001 Clause 9.3 Management Reviews. This tutorial video shows you exactly how to implement ISO 27001 Clause 9.3.

How to conduct an ISO 27001 Management Review Meeting

Decide on Management Review Team Attendees

The Management Review Team attendees are documented in the roles and responsibilities document.

As a guide you ideally want as a minimum

  • one representative from each in scope area
  • one senior leadership representative

The management review team has oversight of the Information Security Management System, Risk Management and Continual Improvement. The exact responsibilities are documented in the Roles and Responsibilities document.

For now, decide on who will attend.

Decide How Often to have a Management Review Meeting

It is recommended that you have a management review meeting every month. This allows you to effectively manage, especially in the first year of an implementation. It is suggested that no less than every 3 months being at least 4 meetings a year.

Book Your Meeting (s)

It is good practice to set your meetings at the beginning of the year.

Be sure to book your meeting several weeks in advance to ensure availability.

Meetings can be conducted remotely over web collaboration tools such as Zoom, or Teams or meetings can be booked face to face in a meeting room.

If you book a meeting room, make sure that the room has a display screen that can be seen by all attendees.

Meeting Duration

Book a 1-hour meeting slot. On average a Management Review Meeting will take around 45 minutes. In time as you establish your information security management system and operating rhythm this time will reduce. If you over run additional meetings can be booked.

Prepare for the Management Review Meeting

Create a sub folder in your document storage for the meeting.

Collate the latest copies of the required documents for the Management Review Meeting and place them in the sub folder.

Ahead of the meeting, suggest 5 working days in advance, share links to the latest version of the documents with the invitees.

Note: confidential documents that should not be shared via email.

Consider your audience and the format they want to see the documents. You may require print outs, although this is discouraged. If required prepare them in advance.

Ensure that all of the documents are up to date and that all previous actions are updated.

Ensure people know if they are due to report back what is expected and in what format.

Create your agenda

Use the agenda template ‘Management Review Team Agenda – Template
Complete the agenda and update the relevant sections.

Send the Invite to the Management Review Team

The Management Review Team are documented in the document Roles and Responsibilities. If not already sent, send the invite to the management review team and any guest attendees.

If the Management Review Team has changed update the document Roles and Responsibilities, remembering to update the version control.

Run The Meeting

The meeting requires a chairperson for the meeting. Decide on who will chair the meeting. The default is The Information Security Manager.

The meeting requires minuting. Decide on who will minute the meeting. The default is The Information Security Manager.

Work through the defined and structured agenda.

Agree / confirm the date of the next Management Review Meeting. 

Send out the minutes

Within 5 working days send out links to the meeting minutes to all attendees.

Update Documents

Update appropriate management documentation based on the outcomes from the meeting. Documents to consider are

  • Action Log
  • Incident and Corrective Action Log
  • Risk Register

ISO 27001 Management Review Meeting FAQ

What is an ISO 27001 Management Review?

An ISO 27001 Management Review is a review by the organisations top management at planned intervals to ensure that the information security management system is operating effectively, meeting its objectives and is still suitable and adequate.

What is the purpose of the ISO 27001 Management Review?

The purpose of ISO 27001 management review is to ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.

Which clause of ISO 27001:2022 requires management reviews?

ISO 27001:2022 Clause 9.3 Management Reviews.

Where can I find more information on ISO 27001:2022 Clause 9.3 Management Reviews?

A detailed implementation guide is here: ISO 27001 Clause 9.3 Management Review – Ultimate Certification Guide

What format is the ISO 27001 Management Review in?

The most common format for and ISO 27001 Management Review is a meeting. These meetings can be in person or remote.

Who attends the ISO 27001 Management Review?

The ISO 27001 Management Review is attended by top level management. In practical terms this means that you have at least one representative team and one representative from each area of the organisation.
The management review meeting is attended by the management review team. The management review team is an oversight structure made up of representatives from the business and at least one member of senior leadership. It has set responsibilities as recorded in the Assigned Roles and Responsibilities document. Additional attendees include subject matter experts required for particular agenda items on that particular agenda as required.

Should attendees have deputies?

Yes, attendees of the ISO 27001 Management Review should have appointed deputies.

Why should deputies be appointed?

Deputies ensure continuity and full representation of each are of the organisation at all review.

Should the board and / or shareholders be represented at the ISO 27001 Management Review?

Ideally yes. You are looking to include representation of all your key stakeholders. In practical terms this mean that someone with delegated authority is assigned to represent their interests.

Is the ISO 27001 Management Review meeting minuted?

Yes. Minutes are taken of every ISO 27001 Management Review meeting. These minutes are shared with attendees and kept as a record of the management review.

Does an ISO 27001 Management Review follow a structured agenda?

Yes. The ISO 27001 standard clearly sets out the agenda for what must be covered in the management review.

Where can I get an ISO 27001 Management Review agenda?

An ISO 27001 management review meeting agenda template can be downloaded from the High Table ISO 27001 Template Store.

What is the ISO 27001 Management Review agenda?

The management review agenda must include include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.

Is there an expectation on the results and outcomes from the Management Review?

Yes. The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. Documented information shall be available as evidence of the results of management reviews.

How do you conduct an ISO 27001 Management Review Meeting?

The guide to exactly how to conduct and ISO 27001 Management Review Meeting is in – How to conduct an ISO 27001 Management Review Meeting

How long is a management review meeting?

ISO 27001 Management Review Meetings should be booked for 1 hour. They can last between 15 minutes and 1 hour depending on how frequently you hold them.

What is the point in a Management Review Meeting?

A management review meeting is a mandatory requirement of the ISO 27001 standard. The meeting has a structured agenda, dictated by the standard, and must cover key topics. It provides management oversight and demonstrates leadership commitment and leadership buy in. It can act as an oversight body to provide sign off on documents and decisions in relation to the management system.

How often should you do an ISO 27001 Management Review?

A management review meeting should be held at least once every 3 months but ideally once every month.

Is an ISO 27001 Management Review mandatory?

Yes. Management Review Meetings are Mandatory

What is ISO 27001 Clause 9.3?

ISO 27001 Clause 9.3 is Management review

Did ISO 27001 Management Reviews change in the 2022 update?

The wording in the standard changed but the requirement remains the same.

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing