Management Review

A management review is top management's periodic evaluation of the ISMS's performance and suitability. It is a mandatory requirement in ISO 27001 (Clause 9.3) and ensures that information security is anchored at the highest level of the organisation.

    What is a management review?

    The management review is the forum in which the organisation's top management takes ownership of information security by reviewing the ISMS's overall performance. It is not a technical IT review but a strategic management evaluation, typically held at least once a year.

    The meeting gives management the opportunity to assess whether the ISMS is still fit for purpose, whether resources are sufficient, and whether strategic adjustments are needed.

    Input to the management review

    ISO 27001 Clause 9.3.2 specifies what must be presented to management:

    • Status of actions from previous management reviews
    • Changes in internal and external issues relevant to the ISMS
    • Feedback from interested parties, including customers and authorities
    • Results of risk assessment and status of the risk treatment plan
    • Performance indicators and measurement results
    • Results of internal and external audits
    • Security incidents and nonconformities
    • Opportunities for continual improvement

    Output and decisions

    The management review must result in concrete decisions and actions relating to:

    • Opportunities for continual improvement
    • Any need for changes to the ISMS
    • Resource requirements (budget, personnel, technology)

    Not a formality meeting:
    The management review must result in real decisions. An external auditor will verify that decisions have actually been taken and documented, and that they have been followed up.

    Documentation

    Results from the management review must be documented and retained, typically as minutes recording the data presented, the discussion and the decisions taken. These minutes are documented information that the certification auditor will review.

    Frequently Asked Questions about Management Review

    What is a management review in ISO 27001?

    A management review is top management's periodic evaluation of the ISMS's performance, suitability and effectiveness. It is a mandatory requirement under ISO 27001 Clause 9.3 and ensures that information security decisions are taken at the highest level.

    How often must a management review be conducted?

    ISO 27001 does not prescribe a specific frequency, but the standard requires reviews at 'planned intervals'. Most organisations conduct at least one management review per year. More frequent reviews may be appropriate during periods of significant change.

    What must be included as input to the management review?

    Clause 9.3.2 lists required inputs including status of previous actions, changes in internal and external issues, interested party feedback, risk assessment results, audit results, security incidents, performance indicators and opportunities for improvement.

    Who should participate in the management review?

    Top management must participate, as the review is their responsibility under ISO 27001. In practice, the information security manager or CISO typically presents the material, and relevant department heads may attend depending on the agenda.

    What should the management review produce as output?

    The review must produce decisions on opportunities for continual improvement, any changes needed to the ISMS, and resource requirements. These decisions must be documented and followed up.
