Introduction
In this article I lay bare ISO 27001 Clause 9.3 Management Review: a beginner's guide that exposes the insider trade secrets, gives you the templates that will save you hours of your life, and shows you exactly what you need to do to satisfy the clause for ISO 27001 certification.
We show you exactly what changed in the ISO 27001:2022 update.
I am Stuart Barker, the ISO 27001 Ninja, and this is ISO 27001 Clause 9.3.
Table of contents
- Introduction
- What is ISO 27001 Clause 9.3 Management Review?
- What are the ISO 27001:2022 Changes to Clause 9.3?
- ISO 27001 Clause 9.3 Definition
- How to conduct an ISO 27001 Management Review
- How to comply with ISO 27001 Clause 9.3
- ISO 27001 Clause 9.3 Implementation Guide
- How do you demonstrate compliance to ISO 27001 clause 9.3?
- ISO 27001 Clause 9.3 Template
- ISO 27001 Clause 9.3 FAQ
- Reference
What is ISO 27001 Clause 9.3 Management Review?
ISO 27001 Clause 9.3 Management Review requires an organisation to conduct a Management Review Meeting at planned, regular intervals and to follow a structured, defined agenda.
The ISO 27001 standard wants you to have management oversight that meets regularly and covers the core components of the management system. Clause 9.3 is one of the mandatory clauses in the main body of the standard, not an Annex A control, so it cannot be excluded from the scope of certification.
The ISO 27001 standard requires an organisation to implement information security from the top down with leadership commitment. Management review is part of the process of continual improvement and one of the checks and balances. ISO 27001 is not a one-and-done exercise: the management review is expected to be in place and operating before the certification audit and to keep operating after it.
What are the ISO 27001:2022 Changes to Clause 9.3?
There is nothing significant that has changed in ISO 27001 Clause 9.3 Management Review in the 2022 update. The changes are to wording and clarification, together with a change to the layout of how the requirements are presented: rather than one clause, the elements have been split into three sub clauses for enhanced clarity. The one addition to the content is a new input, 9.3.2 c), which asks you to consider changes in the needs and expectations of interested parties, so your agenda needs one extra item that the 2013 wording did not require.
ISO 27001:2022 Clause 9.3 Management Review
The wording of this clause has been moved into three new, separate sub clauses.
ISO 27001:2022 Clause 9.3.1 General – New clause
Top management shall review the organization’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
ISO 27001:2022 Clause 9.3.2 Management Review Inputs – New clause
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
ISO 27001 Clause 9.3 Definition
We include the 2013 version of the clause here.
The ISO 27001:2013 standard defined clause 9.3 as follows:
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results; and
4) fulfilment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
The organisation shall retain documented information as evidence of the results of management reviews.
How to conduct an ISO 27001 Management Review
We have provided a detailed guide on How to conduct an ISO 27001 Management Review Meeting.
How to comply with ISO 27001 Clause 9.3
- Decide who will attend the ISO 27001 Management Review Meeting
Decide who will attend the ISO 27001 management review meetings. The standard requires top management to carry out the review, so a member of the senior leadership team must attend, together with the information security manager and representatives from each department in the organisation. Document the attendees in your roles and responsibilities documentation and make sure that the members are added to the competency matrix.
- Create your meeting agenda and book your meetings
Create your ISO 27001 Management Review Meeting agenda based on the requirements of the standard, including all mandatory topics.
- Schedule your ISO 27001 Management Review Meetings for the year
Forward plan and schedule your meetings for the year. The standard requires reviews at planned intervals, so a calendar of booked meetings is itself evidence that the interval has been planned.
- Conduct your meetings keeping minutes
Conduct your ISO 27001 Management Review Meetings and be sure to minute them and retain the minutes: documented information showing the results of the review is a requirement of the standard, and the minutes are what the auditor will ask for. Follow the detailed guide on How to conduct an ISO 27001 Management Review Meeting.
ISO 27001 Clause 9.3 Implementation Guide
There are many ways to conduct management reviews.
Follow the culture of your organisation on how you conduct meetings. They can be remote or in person; it is best to follow the established practice of your organisation.
Good practice also includes allocating roles within the meeting to keep it on track. This is not a requirement of the standard, but it is good practice.
Consider allocating a time keeper to keep you on time, a minute taker responsible for the minutes and a meeting chair to guide the meeting.
How do you demonstrate compliance to ISO 27001 clause 9.3?
You demonstrate compliance to ISO 27001 Clause 9.3 Management Review by having management review meetings scheduled in the calendar.
In addition you will have the minutes of past meetings available for review. Those minutes will have followed the structure and requirements of the ISO 27001 standard: the auditor will check that every mandatory input was considered, that the decisions and actions coming out of the review were recorded, and that actions from earlier reviews were followed up at the next one.
ISO 27001 Clause 9.3 Template
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 Clause 9.3.
ISO 27001 Clause 9.3 FAQ
ISO 27001 Clause 9.3 Management Review requires an organisation to hold a regular management review meeting that follows the structure and requirements of the ISO 27001 standard.
ISO 27001 Clause 9.3 Management Review compliance is evidenced by having Management Review Meetings scheduled throughout the year and by minutes showing that the meetings have taken place.
You can download ISO 27001 Clause 9.3 Management Review here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO 27001 Clause 9.3 Management Review can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
The standard only requires management reviews at planned intervals and does not set a frequency. We recommend performing ISO 27001 management reviews monthly; if you cannot, then hold them at least once every three months.
The information security manager ensures that the meeting takes place. The meeting is attended by the information security manager, senior leadership representative and representatives from each department in the organisation.
Management reviews are reported to the senior leadership team.
If you do not hold ISO 27001 management reviews and minute them, then you will not achieve ISO 27001 certification: Clause 9.3 is mandatory and a missing management review is a nonconformity. In addition your management system will not operate as intended and will not be effective.
ISO 27001:2022 Certification Requirements
What’s new, ISO 27001 templates, examples and a walkthrough for each ISO 27001:2022 clause.
- ISO 27001:2022 Clause 4.1 Understanding The Organisation And Its Context
- ISO 27001:2022 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
- ISO 27001:2022 Clause 4.3 Determining The Scope Of The Information Security Management System
- ISO 27001:2022 Clause 4.4 Information Security Management System (ISMS)
- ISO 27001:2022 Clause 5.1 Leadership And Commitment
- ISO 27001:2022 Clause 5.2 Information Security Policy
- ISO 27001:2022 Clause 5.3 Organisational Roles, Responsibilities And Authorities
- ISO 27001:2022 Clause 6 Planning
- ISO 27001:2022 Clause 6.1.1 Planning General
- ISO 27001:2022 Clause 6.1.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 6.1.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 6.2 Information Security Objectives And Planning To Achieve Them
- ISO 27001:2022 Clause 7.1 Resources
- ISO 27001:2022 Clause 7.2 Competence
- ISO 27001:2022 Clause 7.3 Awareness
- ISO 27001:2022 Clause 7.4 Communication
- ISO 27001:2022 Clause 7.5.1 Documented Information
- ISO 27001:2022 Clause 7.5.2 Creating And Updating Documented Information
- ISO 27001:2022 Clause 7.5.3 Control Of Documented Information
- ISO 27001:2022 Clause 8.1 Operational Planning And Control
- ISO 27001:2022 Clause 8.2 Information Security Risk Assessment
- ISO 27001:2022 Clause 8.3 Information Security Risk Treatment
- ISO 27001:2022 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
- ISO 27001:2022 Clause 9.2 Internal Audit
- ISO 27001:2022 Clause 9.3 Management Reviews
- ISO 27001:2022 Clause 10.1 Continual Improvement
- ISO 27001:2022 Clause 10.2 Non Conformity and Corrective Action