ISO 27001 Management Review: Clause 9.3

Home / ISO 27001 Clauses / ISO 27001 Management Review: Clause 9.3

ISO 27001 Management Review requires an organisation to conduct a Management Review Meeting at regular intervals and follow a structure, defined agenda. By doing this we can ensure we have an effective information security management system that is achieving it’s intended outcomes.

In ISO 27001 this is known as ISO27001:2022 Clause 9.3 Management Review. It is one of the mandatory ISO 27001 clauses.

The requirement is that the management review

Reviews the status of actions from previous management reviews
Records changes in external and internal issues that are relevant to the information security management system
Records changes in needs and expectations of interested parties that are relevant to the information security management system
Reviews the information security performance
Ensures the fulfilment of information security objectives
Takes account of feedback from interested parties
Oversees the results of risk assessment and status of risk treatment plan
Reviews opportunities for continual improvement

Key Takeaways

The ISO 27001 standard requires an organisation to implement information security from the top down with leadership commitment and oversight.
It is part of the process of continual improvement and one of the checks and balances.
ISO 27001 is not a one and done and requires ongoing management.
It is called ISO27001:2022 Clause 9.3 Management Review

Key Takeaways
Implementation Guide
ISO 27001 Management Review Template
Implementation Checklist
Watch the Tutorial
What the auditor will check
Audit Checklist
Common Mistakes
FAQ
Related ISO 27001 Controls
Further Reading

ISO27001:2022 Clause 9.3 Management Review

The purpose of clause 9.3 is to ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.

This clause has now had the wording removed and wording shifted to three new separate sub clauses.

ISO 27001:2022 Clause 9.3.1 General

Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
ISO 27001:2022 Clause 9.3.1 General

ISO 27001:2022 Clause 9.3.2 Management Review Inputs

The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
ISO 27001:2022 Clause 9.3.2 Management Review Inputs

ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause

The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
ISO 27001:2022 Clause 9.3.3 Management Review Results

ISO27001:2022 Changes to ISO 27001 Clause 9.3

There is nothing significant that has changed to the ISO 27001 Clause 9.3 Management Review in the 2022 update. The change is wording and clarification change with a change to the layout of how the requirements are presented. Rather than one clause they have split out elements into 3 sub clauses for enhanced clarity.

DO IT YOURSELF ISO27001

STOP SPANKING £10,000s on CONSULTANTS and ISMS ONLINE PLATFORMS

The Ultimate ISO 27001 Toolkit

Implementation Guide

There are many ways to conduct management reviews.

Follow the culture of your organisation on how you conduct meetings. They can be remote, they can be in person. It is best to follow the best practice of your organisation.

For detailed step by step guidance read – How to conduct an ISO 27001 Management Review Meeting

Time needed: 1 hour and 30 minutes

How to implement ISO 27001 Clause 9.3 Management Review

Decide who will attend the ISO 27001 Management Review Meeting
Decide who will attend the ISO 27001 management review team meetings. It should include the information security manager, a member of the senior leadership team and members from each department in the organisation. This should then be documented in your roles and responsibilities documentation. Make sure that the members are added to the competency matrix.
Create your meeting agenda and book your meetings
Create your ISO 27001 Management Review Meeting agenda based on the requirements of the standard, including all mandatory topics.
Schedule your ISO 27001 Management Review Meetings for the year
Forward plan and schedule your meetings for the year.
Conduct your meetings keeping minutes
Conduct your ISO 27001 Management Review Meetings and be sure to minute and keep copies of minutes.

ISO 27001 Management Review Template

The ISO 27001 Management Review Template is the mandatory ISO 27001 Management Review agenda and comes with a detailed step-by-step guide on how to do a management review.

ISO 27001 Management Review Team Meeting Agenda Template

Implementation Checklist

Management Review ISO 27001 Clause 9.3 Implementation Checklist

1. Plan the Review

Decide when and how often to hold management reviews. Set a regular schedule.

Challenge

Finding time for reviews can be tough. Reviews can become routine and lose their value.

Solution

Schedule reviews well in advance. Make them a priority. Keep them focused and efficient.

2. Define the Agenda

Make a clear list of topics to cover in each review. Focus on key issues.

Challenge

Agendas can become too long and unfocused. Important topics may be missed.

Solution

Keep agendas concise and relevant. Prioritise key performance indicators and risks. Get input from different teams.

3. Gather Information

Collect data and reports to inform the review. Have the facts ready.

Challenge

Gathering data can be time-consuming. Hard to make sense of large amounts of data.

Solution

Automate data collection where possible. Use clear charts and graphs. Focus on key metrics and trends.

4. Conduct the Review

Hold the management review meeting. Discuss the key issues and make decisions.

Challenge

Reviews can become dominated by a few people. Decisions may be delayed or not followed up.

Solution

Encourage everyone to participate. Keep discussions focused and productive. Document decisions clearly.

5. Review ISMS Performance

Assess how well the ISMS is working. Are the controls effective?

Challenge

Hard to be objective about performance. People may be defensive about their work.

Solution

Use clear performance indicators. Focus on learning and improvement. Be honest about strengths and weaknesses.

6. Review Risk Treatment

Check if risk treatments are working. Are risks being managed effectively?

Challenge

Risk treatments can become outdated. New risks may emerge.

Solution

Regularly review risk assessments and treatment plans. Adapt to changes in the threat landscape.

7. Consider Internal and External Issues

Think about any changes and internal issues and external issues that might affect the ISMS.

Challenge

Hard to keep track of all the changes. External factors can be unpredictable.

Solution

Monitor industry trends and regulatory changes. Conduct regular environmental scans.

8. Review Improvement Opportunities

Look for ways to improve the ISMS. Are there any gaps or weaknesses?

Challenge

People may resist change. Hard to prioritise improvement activities.

Solution

Encourage a culture of continual improvement. Focus on areas with the biggest potential impact.

9. Document the Review

Keep clear records of the management review meeting, including decisions and actions.

Challenge

Documenting everything can be time-consuming. Hard to keep records organised.

Solution

Use a simple meeting minutes template. Store records centrally. Keep documentation clear and concise.

10. Follow Up on Actions

Make sure that any agreed actions are taken and are effective.

Challenge

It’s easy to forget about follow-up. Actions may not be implemented properly.

Solution

Set deadlines for actions. Track progress and report on it. Verify that actions have achieved the desired results.

Watch the Tutorial

Watch How to implement ISO 27001 Clause 9.3 Management Review | Step-by-Step Guide

What the auditor will check

The auditor is going to check a number of areas for compliance with Clause 9.3. Lets go through them

1. That roles are defined and assigned

The auditor will look for evidence that you have defined the roles for the management review team. They will want to see representation for the in scope areas. For best practice they will be looking for one representative of each in scope department, at least one member of senior leadership, deputies for everyone.

2. That management meetings have happened and are planned

They will be looking to see that management reviews have taken place and that future management reviews are planned in. It is likely to be the case that they will look for calendar entries and also, most important of all, they are looking for minutes and documentation of those management reviews.

Audit Checklist

Management Review ISO 27001 Clause 9.3 Audit Checklist

1. Review Meeting Frequency

Verify that management reviews are conducted at planned intervals.

Audit Technique

Examine the documented schedule for management reviews and compare it against actual meeting dates. Check attendance records to confirm participation.

2. Check Agenda Completeness

Ensure the management review agenda covers all required inputs specified in the standard.

Audit Technique

Review past management review agendas and compare them against the requirements of ISO 27001 clause 9.3. Look for inclusion of topics like ISMS performance, risk treatment effectiveness, and interested party feedback.

3. Examine Input Information

Confirm that relevant and up-to-date information is used as input to the management review.

Audit Technique

Review the reports, data, and other information used in the management review. Check for accuracy, relevance, and timeliness. Examples include performance reports, audit findings, and risk assessments.

4. Verify Management Participation

Ensure that top management actively participates in the management review process.

Audit Technique

Review attendance records for management review meetings. Interview top management personnel to gauge their involvement and understanding of the ISMS.

5. Review Meeting Minutes

Check that meeting minutes are accurate, comprehensive, and record key decisions and actions.

Audit Technique

Examine minutes from past management review meetings. Verify that they clearly document discussions, decisions made, and assigned actions.

6. Assess ISMS Performance Review

Confirm that the management review includes a thorough assessment of the ISMS’s performance against its objectives.

Audit Technique

Review performance reports and metrics presented during the management review. Check for evidence of analysis and evaluation of ISMS effectiveness.

7. Evaluate Risk Treatment Review

Verify that the effectiveness of risk treatments is reviewed and discussed during the management review.

Audit Technique

Examine records of risk assessments, risk treatment plans, and any changes made to them as a result of the management review.

8. Check Consideration of Internal/External Issues

Ensure that internal and external issues relevant to the ISMS are considered during the review.

Audit Technique

Review meeting minutes and other documentation to confirm that Internal issues (e.g., organisational changes) and external issues (e.g., new legislation) are discussed and their potential impact on the ISMS is assessed.

9. Verify Action Follow-up

Confirm that actions arising from management reviews are tracked, implemented, and their effectiveness verified.

Audit Technique

Review action logs, implementation records, and any follow-up reviews conducted to assess the effectiveness of corrective actions.

10. Examine Record Keeping

Ensure that records of management reviews, including minutes, reports, and action plans, are maintained and readily accessible.

Audit Technique

Check the organisation’s document management system for the presence and accessibility of management review records. Verify that they are stored securely and for the required retention period.

Common Mistakes

In my experience, the top 4 mistakes people make for ISO 27001 Management Review are:

Not having minutes or documentation of management reviews happening
People, including deputies, not attending management review meetings
No planning ahead to evidence that reviews will happen in the future
Not following the structured, defined agenda with no evidence that the provided agenda items were covered.

FAQ

What is ISO 27001 Clause 9.3 Management Review?

ISO 27001 Clause 9.3 Management Review requires an organisation to hold a regular management review meeting that follows the structure and requirements of the ISO 27001 standard.

How do I evidence I meet the requirement of ISO 27001 Clause 9.3 Management Review?

ISO 27001 Clause 9.3 Management Review compliance is evidenced by having Management Review Meetings scheduled through out the year and evidence that meetings have occurred with meeting minutes available.

Where can I download ISO 27001 Clause 9.3 Management Review templates?

You can download ISO 27001 Clause 9.3 Management Review in the ISO 27001 Toolkit.

ISO 27001 Clause 9.3 Management Review example?

An example of ISO 27001 Clause 9.3 Management Review can be found in the ISO 27001 Toolkit.

How often do you perform ISO 27001 Management Review?

You perform ISO 27001 management reviews monthly. If you cannot then at least once every 3 months.

Who performs ISO 27001 management review?

The information security manager ensures that the meeting takes place. The meeting is attended by the information security manager, senior leadership representative and representatives from each department in the organisation.

Who are ISO 27001 management reviews reported to?

Management reviews are reported to the senior leadership team.

What happens if the we don’t do ISO 27001 management reviews?

If you do not do ISO 27001 management reviews and minute them then you will not achieve ISO 27001 certification. In addition your management system will not operate as intended and will not be effective.

ISO 27001 Understanding The Organisation And Its Context: Clause 4.1

ISO 27001 Understanding The Needs And Expectations of Interested Parties: Clause 4.2

ISO 27001 Continual Improvement: Clause 10.1

ISO 27001 Management Responsibilities: Annex A 5.4

About the author

I am Stuart Barker the ISO 27001 Ninja.

You can connect with me on Linked In, stalk me, check me out and join my network.

I am an information security practitioner of over 30 years. I hold a Software Engineering degree and started my career in software development. In 2010 I started my first cyber security consulting business that I sold in 2018. I worked for over a decade for GE, leading a data governance team across Europe and since then have gone on to deliver hundreds of client engagements and audits.

I regularly mentor and train professionals on information security and run a successful ISO 27001 YouTube channel where I show people how they can do it themselves. I am passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In my personal life I am active and a hobbyist kickboxer.

My specialisms are ISO 27001 and SOC 2 and my niche is start up and early stage business.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wp_woocommerce_session_*	2 days	WooCommerce sets this cookie to make a unique code for each customer so that it knows where to find the cart data in the database for each one.
yith_wcmcs_currency	7 days	Required for currency conversion.
__stripe_mid	1 year	Stripe sets this cookie to process payments.
__stripe_sid	1 hour	Stripe sets this cookie to process payments.

Cookie	Duration	Description
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
sbjs_current	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_current_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_first_add	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_migrations	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_session	1 hour	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.
sbjs_udata	session	Sourcebuster sets this cookie to identify the source of a visit and stores user action information in cookies. This analytical and behavioural cookie is used to enhance the visitor experience on the website.

Cookie	Duration	Description
PREF	8 months	PREF cookie is set by Youtube to store user preferences like language, format of search results and other customizations for YouTube Videos embedded in different sites.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
m	1 year 1 month 4 days	No description available.
_monsterinsights_uj	1 year	Description is currently not available.

ISO 27001 Management Review: Clause 9.3

Key Takeaways

Table of contents

ISO27001:2022 Clause 9.3 Management Review

ISO 27001:2022 Clause 9.3.1 General

ISO 27001:2022 Clause 9.3.2 Management Review Inputs

ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause

ISO27001:2022 Changes to ISO 27001 Clause 9.3

Implementation Guide

ISO 27001 Management Review Template

Implementation Checklist

1. Plan the Review

Challenge

Solution

2. Define the Agenda

Challenge

Solution

3. Gather Information

Challenge

Solution

4. Conduct the Review

Challenge

Solution

5. Review ISMS Performance

Challenge

Solution

6. Review Risk Treatment

Challenge

Solution

7. Consider Internal and External Issues

Challenge

Solution

8. Review Improvement Opportunities

Challenge

Solution

9. Document the Review

Challenge

Solution

10. Follow Up on Actions

Challenge

Solution

Watch the Tutorial

What the auditor will check

1. That roles are defined and assigned

2. That management meetings have happened and are planned

Audit Checklist

1. Review Meeting Frequency

Audit Technique

2. Check Agenda Completeness

Audit Technique

3. Examine Input Information

Audit Technique

4. Verify Management Participation

Audit Technique

5. Review Meeting Minutes

Audit Technique

6. Assess ISMS Performance Review

Audit Technique

7. Evaluate Risk Treatment Review

Audit Technique

8. Check Consideration of Internal/External Issues

Audit Technique

9. Verify Action Follow-up

Audit Technique

10. Examine Record Keeping

Audit Technique

Common Mistakes

FAQ

Related ISO 27001 Controls

Further Reading

About the author