ISO 27001 Clause 9.3 Management Review – Ultimate Certification Guide


ISO 27001 Management Review

In this ultimate guide to ISO 27001 Clause 9.3 Management Review you will learn

  • What is ISO 27001 Clause 9.3 
  • How to implement ISO 27001 Clause 9.3

I am Stuart Barker, the ISO 27001 Ninja and author of the Ultimate ISO 27001 Toolkit.

With over 30 years industry experience I will show you what’s new, give you ISO 27001 templates, show you examples, do a walkthrough and show you how to implement it for ISO 27001 certification.

Watch the Tutorial

Watch How to implement ISO 27001 Clause 9.3 Management Review | Step-by-Step Guide

What is ISO 27001 Clause 9.3?

ISO 27001 Clause 9.3 Management Review requires an organisation to conduct a Management Review Meeting at regular intervals and to follow a structured, defined agenda.

The ISO 27001 standard, for the purposes of ISO 27001 certification, wants you to have management oversight that meets regularly and covers the core components of the standard. It is one of the ISO 27001 controls.

The ISO 27001 standard requires an organisation to implement information security from the top down, with leadership commitment. Management review is part of the process of continual improvement and one of the checks and balances. ISO 27001 is not a one and done: the review is expected to be in place and operating before the certification audit and to continue afterwards.


ISO 27001 Clause 9.3 Purpose

The purpose of clause 9.3 is to ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.

ISO 27001 Clause 9.3 Definition

ISO 27001:2022 Clause 9.3 Management Review

In the 2022 revision the wording of this clause has been moved into three new, separate sub clauses.

ISO 27001:2022 Clause 9.3.1 General – New clause

Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.

ISO 27001:2022 Clause 9.3.2 Management Review Inputs – New clause

The management review shall include consideration of:

a) the status of actions from previous management reviews;

b) changes in external and internal issues that are relevant to the information security management system;

c) changes in needs and expectations of interested parties that are relevant to the information security management system;

d) feedback on the information security performance, including trends in:

1) nonconformities and corrective actions;

2) monitoring and measurement results;

3) audit results;

4) fulfilment of information security objectives;

e) feedback from interested parties;

f) results of risk assessment and status of risk treatment plan;

g) opportunities for continual improvement.

ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause

The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.

Documented information shall be available as evidence of the results of management reviews.

ISO27001:2022 Changes to ISO 27001 Clause 9.3

Nothing significant has changed in ISO 27001 Clause 9.3 Management Review in the 2022 update. The changes are to wording and clarification, together with a change to the layout of how the requirements are presented: rather than one clause, the elements have been split out into 3 sub clauses for enhanced clarity.

ISO 27001 Clause 9.3 Template

ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster, these individual templates help meet the specific requirements of ISO 27001 clause 9.3.

ISO 27001 Management Review Team Meeting Agenda Template

How to conduct an ISO 27001 Management Review

We have provided a detailed guide on How to conduct an ISO 27001 Management Review Meeting.

ISO 27001 Clause 9.3 Implementation Guide

There are many ways to conduct management reviews.

Follow the culture of your organisation on how you conduct meetings. They can be remote or they can be in person. It is best to follow the established practice of your organisation.

Good practice also includes allocating roles within the meeting to keep it on track. This is not a requirement of the standard, but it is good practice.

Consider allocating the role of a time keeper to keep you on time, a minute taker responsible for the minutes, and a meeting chair to guide and chair the meeting.


How to comply with ISO 27001 Clause 9.3

Time needed: 2 hours

How to comply with ISO 27001 Clause 9.3 Management Review

  1. Decide who will attend the ISO 27001 Management Review Meeting

    Decide who will attend the ISO 27001 management review team meetings. Attendees should include the information security manager, a member of the senior leadership team and members from each department in the organisation. Document this in your roles and responsibilities documentation, and make sure the members are added to the competency matrix.

  2. Create your meeting agenda and book your meetings

    Create your ISO 27001 Management Review Meeting agenda based on the requirements of the standard, including all mandatory topics.

  3. Schedule your ISO 27001 Management Review Meetings for the year

    Forward plan and schedule your meetings for the year.

  4. Conduct your meetings keeping minutes

    Conduct your ISO 27001 Management Review Meetings, be sure to minute them, and keep copies of the minutes. Follow the detailed guide on How to conduct an ISO 27001 Management Review Meeting.

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 9.3. Let's go through them.

That roles are defined and assigned

The auditor will look for evidence that you have defined the roles for the management review team. They will want to see representation for the in-scope areas. As best practice, they will be looking for one representative of each in-scope department, at least one member of senior leadership, and deputies for everyone.

That management meetings have happened and are planned

They will be looking to see that management reviews have taken place and that future management reviews are planned in. They are likely to look for calendar entries and, most important of all, for minutes and documentation of those management reviews.

Top 4 Mistakes People Make

In my experience, the top 4 mistakes people make for ISO 27001 clause 9.3 are:

  • Not having minutes or documentation of management reviews happening
  • People, including deputies, not attending management review meetings
  • No planning ahead to evidence that reviews will happen in the future
  • Not following the structured, defined agenda, with no evidence that the required agenda items were covered.

ISO 27001 Clause 9.3 FAQ

What is ISO 27001 Clause 9.3 Management Review?

ISO 27001 Clause 9.3 Management Review requires an organisation to hold a regular management review meeting that follows the structure and requirements of the ISO 27001 standard.

How do I evidence I meet the requirement of ISO 27001 Clause 9.3 Management Review?

ISO 27001 Clause 9.3 Management Review compliance is evidenced by having Management Review Meetings scheduled throughout the year and evidence that meetings have occurred, with meeting minutes available.

Where can I download ISO 27001 Clause 9.3 Management Review templates?

You can download ISO 27001 Clause 9.3 Management Review templates in the ISO 27001 Toolkit.

ISO 27001 Clause 9.3 Management Review example?

An example of ISO 27001 Clause 9.3 Management Review can be found in the ISO 27001 Toolkit.

How often do you perform ISO 27001 Management Review?

You perform ISO 27001 management reviews monthly. If you cannot, then hold them at least once every 3 months.

Who performs ISO 27001 management review?

The information security manager ensures that the meeting takes place. The meeting is attended by the information security manager, a senior leadership representative and representatives from each department in the organisation.

Who are ISO 27001 management reviews reported to?

Management reviews are reported to the senior leadership team.

What happens if we don’t do ISO 27001 management reviews?

If you do not do ISO 27001 management reviews and minute them, then you will not achieve ISO 27001 certification. In addition, your management system will not operate as intended and will not be effective.
