Management Review (Clause 9.3)

Clause 9.3 requires top management to review the ISMS at planned intervals to ensure its continuing suitability, adequacy, and effectiveness.

Understanding Management Review

What is Management Review?

Management review is a formal, documented meeting where top management evaluates the overall performance, effectiveness, and strategic alignment of the ISMS.

This is NOT:

• A technical deep-dive into security controls
• An IT meeting
• A routine operational meeting
• A reporting session without decisions

This IS:

• A strategic evaluation by top management
• A decision-making forum for ISMS direction
• An opportunity to allocate resources
• A demonstration of leadership commitment
• A requirement for ISO 27001 certification

Why Management Review Matters

For ISO 27001 Certification:

• Mandatory requirement (Clause 9.3)
• Auditors will review management review records
• Demonstrates top management engagement
• Shows ISMS is not just an IT initiative

For Your Organization:

• Ensures ISMS aligns with business objectives
• Provides management visibility into security posture
• Drives resource allocation decisions
• Identifies strategic improvements
• Demonstrates due diligence to stakeholders

For Continual Improvement:

• Identifies opportunities for enhancement
• Adjusts ISMS to changing context
• Addresses emerging risks
• Optimizes resource utilization

Clause 9.3 Requirements

9.3.1 General

Top management shall review the ISMS at planned intervals.

"Planned intervals" means:

• Defined schedule (typically annually, minimum)
• Frequency appropriate to organizational needs
• More frequent reviews if needed (e.g., after major changes, incidents)
• Documented schedule

"Top management" means:

• Those with authority to make strategic decisions
• Typically CEO, Board, Executive Team
• Cannot be delegated to middle management
• Must include decision-makers with resource authority

9.3.2 Management Review Inputs

The review must consider:

a) Status of actions from previous management reviews

• What was decided last time?
• Have those actions been completed?
• What was the effectiveness of those actions?
• Any outstanding items?

b) Changes in external and internal issues relevant to ISMS

• Changes in business context (from Clause 4.1)
• New regulations or legal requirements
• Market changes
• Organizational changes (mergers, restructuring, growth)
• Technology changes

c) Feedback on information security performance

Nonconformities and corrective actions:

• How many nonconformities occurred?
• Were corrective actions effective?
• Any recurring issues?

Monitoring and measurement results:

• KPI performance
• Metric trends
• Security dashboard results

Audit results:

• Internal audit findings
• External/certification audit findings
• Audit program completion status

Fulfillment of information security objectives:

• Progress toward objectives
• Objectives achieved or missed
• Obstacles encountered

d) Feedback from interested parties

• Customer complaints or concerns
• Supplier issues
• Regulatory feedback
• Employee feedback
• Business partner input
• Stakeholder requirements

e) Results of risk assessment and status of risk treatment plan

• New risks identified
• Changes to existing risks
• Risk treatment progress
• Residual risk acceptability
• Risk appetite alignment

f) Opportunities for continual improvement

• Process improvements identified
• Technology advancements
• Best practices from industry
• Lessons learned from incidents
• Audit recommendations
• Employee suggestions

9.3.3 Management Review Outputs

The outputs must include decisions related to:

a) Opportunities for continual improvement

• Specific improvements to pursue
• Process enhancements
• Control optimizations
• Efficiency gains

b) Any need for changes to the ISMS

• Scope changes
• Policy updates
• Procedure changes
• Organizational changes
• Control changes

The review must produce documented evidence and decisions, not just discussion.

9.3.4 Documented Information

The organization shall retain documented information as evidence of management reviews.

Required documentation:

• Management review meeting agenda
• All inputs considered (reports, metrics, audit summaries)
• Meeting minutes or report
• Decisions made
• Actions assigned with owners and due dates
• Evidence of top management participation

Planning Management Reviews

Frequency

Minimum: Annually

Consider More Frequent Reviews When:

• Preparing for initial certification
• After major security incidents
• Following significant organizational changes
• During rapid growth or transformation
• When implementing major changes to ISMS
• In highly dynamic/regulated industries

Example Schedule:

• Small organization: Annual comprehensive review
• Medium organization: Semi-annual reviews
• Large organization: Quarterly reviews or annual with interim updates

Timing

Best Practices:

• Schedule well in advance (6-12 months ahead)
• Align with business planning cycles
• After internal audit completion
• Before certification audit (for preparation)
• End of fiscal year or calendar year
• When all required inputs are available

Who Should Attend

Required:

• Top management (CEO, COO, or equivalent)
• Those with authority to make resource decisions
• ISMS Owner / Information Security Manager

Recommended:

• CTO/CIO
• CFO (for budget discussions)
• Heads of key business units
• Risk Manager
• Compliance/Legal representative
• HR representative
• Internal Audit representative

Optional (for specific agenda items):

• IT Security Team (for technical inputs)
• Process owners (to present specific topics)
• External consultants (if applicable)

Conducting an Effective Management Review

Preparation (2-4 Weeks Before)

Information Security Manager:

1. Gather All Required Inputs:

   • Status of previous management review actions
   • Context changes (internal/external issues, stakeholder requirements)
   • Performance data (KPIs, metrics, monitoring results)
   • Audit results (internal and external)
   • Nonconformities and corrective actions
   • Risk assessment results and treatment status
   • Objectives achievement status
   • Stakeholder feedback
   • Improvement opportunities

2. Prepare Management Review Pack:

   • Executive summary (1-2 pages)
   • Detailed input reports
   • Dashboards and visualizations
   • Trend analysis
   • Recommendations
   • Proposed decisions

3. Pre-Meeting Activities:

   • Distribute materials 1-2 weeks before meeting
   • Allow top management time to review
   • Request questions or additional information needed
   • Schedule adequate meeting time (minimum 2-3 hours)

During the Meeting

Agenda Structure (2-3 hours):

1. Opening (10 min)

• Review purpose and objectives of management review
• Confirm agenda
• Review Clause 9.3 requirements to ensure coverage

2. Review of Previous Actions (15 min)

• Status of actions from last review
• Effectiveness of completed actions
• Discussion of any delayed actions

3. ISMS Performance Review (45 min)

• Security metrics and KPIs dashboard
• Objectives achievement status
• Audit findings summary (internal and external)
• Nonconformities and corrective actions
• Monitoring results and trends

4. Changes and Context (20 min)

• External and internal issue changes
• Business context changes
• Regulatory/legal changes
• Stakeholder requirement changes

5. Risk Review (30 min)

• New and changed risks
• Risk treatment progress
• Residual risk status
• Risk appetite alignment

6. Improvement Opportunities (20 min)

• Identified improvement opportunities
• Recommendations from audits
• Industry best practices
• Technology opportunities
• Process optimization ideas

7. Decisions and Actions (30 min)

• Discuss required decisions
• Allocate resources for improvements
• Approve ISMS changes
• Assign actions with owners and deadlines
• Set objectives for next period

8. Closing (10 min)

• Summarize key decisions
• Confirm action assignments
• Schedule next management review
• Closing remarks from top management

Key Discussion Topics

Focus on Strategic Questions:

• Is our ISMS still suitable for our organization's purpose and context?
• Is our IMS adequate to meet our risks and objectives?
• Is our ISMS effective in protecting information assets?
• Do we have the right resources allocated?
• Are we achieving our information security objectives?
• What are our biggest information security risks?
• What improvements should we prioritize?
• How does our security posture compare to industry peers?
• Are we prepared for upcoming regulatory changes?
• What strategic security investments should we make?

Making Effective Decisions

Good Management Review Decisions:

• ✅ "Approve £50,000 for implementation of SIEM solution to improve incident detection capability"
• ✅ "Expand ISMS scope to include cloud operations by Q2 2025"
• ✅ "Increase security awareness training from annual to quarterly"
• ✅ "Hire additional security analyst to address workload concerns"
• ✅ "Update Information Security Policy to address remote work risks"

Avoid Vague Statements:

• ❌ "We should improve security awareness"
• ❌ "IT should look at better monitoring tools"
• ❌ "We need to do something about cloud security"

Decision Criteria:

• Specific and actionable
• Assigned to a named individual
• Has a deadline
• Has allocated resources
• Addresses identified need
• Measurable outcome

Documenting Management Review

Minimum Documentation

Management Review Report/Minutes Must Include:

1. Meeting Details:

   • Date and location
   • Attendees (proving top management participation)
   • Duration

2. All Required Inputs Considered:

   • Previous actions status
   • Context changes
   • Performance feedback
   • Interested party feedback
   • Risk assessment and treatment status
   • Improvement opportunities

3. Decisions Made:

   • Continual improvement decisions
   • ISMS changes approved
   • Resource allocations
   • Policy/procedure updates approved

4. Actions Assigned:

   • Specific action
   • Responsible person
   • Due date
   • Success criteria

5. Approval:

   • Signature or approval by top management
   • Date of approval

Best Practice Documentation

Create a Management Review Pack:

Part 1: Input Report (Prepared before meeting)

• Executive summary
• All required inputs with data and analysis
• Recommendations

Part 2: Meeting Minutes (During/after meeting)

• Attendees
• Discussion summary by topic
• Decisions made
• Actions assigned
• Next steps

Part 3: Action Tracker (Ongoing)

• Track completion of management review actions
• Update status regularly
• Report status at next management review

Common Management Review Challenges

Challenge: "Top management doesn't have time"

Solutions:

• Schedule far in advance and protect the time
• Prepare concise materials (executive summary first)
• Focus on strategic topics, not technical details
• Demonstrate value and business impact
• Make it a Board/Executive Committee agenda item

Challenge: "It becomes a rubber-stamp exercise"

Solutions:

• Present real issues requiring decisions
• Bring substantive topics for discussion
• Ask for management input, not just approval
• Highlight areas needing resource allocation
• Present strategic choices, not just reports

Challenge: "Too much information, not enough insight"

Solutions:

• Start with executive summary
• Use visualizations and dashboards
• Highlight trends, not just raw data
• Focus on exceptions and areas needing attention
• Provide clear recommendations

Challenge: "No decisions are made"

Solutions:

• Come prepared with specific proposed decisions
• Frame issues as choices to be made
• Show business impact of decisions
• Make decision-making easy with clear options
• Require formal decision documentation

Challenge: "Actions from previous reviews never get completed"

Solutions:

• Assign actions to specific individuals (not departments)
• Set realistic deadlines
• Track and report progress between reviews
• Escalate delayed actions
• Include action completion in performance objectives

Integration with Other Processes

Management Review Links To:

Inputs From:

• Internal audit results (Clause 9.2)
• Monitoring and measurement results (Clause 9.1)
• Risk assessment (Clause 6.1.2)
• Incident reports (Clause 8.2)
• Objectives progress tracking (Clause 6.2)
• Context analysis (Clause 4.1, 4.2)

Outputs To:

• Continual improvement (Clause 10.1)
• Corrective actions (Clause 10.2)
• Planning (Clause 6)
• Resource allocation (Clause 7.1)
• ISMS changes across all clauses

Evidence for Auditors

Certification Auditors Will Check:

• Evidence that top management conducted the review
• All required inputs were considered
• Decisions were made (not just information received)
• Review occurred at planned intervals
• Documentation is complete
• Actions from previous reviews were addressed

Common Audit Findings:

• Review didn't include top management
• Not all required inputs were considered
• No evidence of decisions made
• Reviews not at planned intervals
• Inadequate documentation
• Previous actions not tracked or completed

Key Takeaways:

1. Management review is a top management responsibility - cannot be delegated
2. Must consider all 6 required inputs - documented evidence required
3. Must produce decisions and actions - not just information sharing
4. Should be strategic, not tactical - focus on suitability, adequacy, effectiveness
5. Documentation is critical - prove it happened and what was decided
6. Actions must be tracked to completion - status reported at next review

Next Lesson: We'll provide a Management Review template to help structure and document your reviews effectively.