Clause 9.3 of ISO 27001:2022 sets out the requirements for the management review, an important step in verifying that the Information Security Management System (ISMS) is working as intended and in driving the continual improvement of the security program.

Management meeting. Photo by Campaign Creators on Unsplash.
The management review is essential to ensure that the ISMS remains aligned with the company's strategic objectives, that it responds appropriately to current threats, and that it proactively reinforces the company's security posture.
This meeting is the time for the operational teams to report back to management. Remember that under Clause 5, top management must demonstrate leadership and commitment, that it defines the security objectives (Clause 6.2) and, above all, that it provides the necessary resources (Clause 7.1).
Objective of the Management Review
Specifically, clause 9.3 requires top management to review the ISMS at "planned intervals" to ensure its continuing suitability, adequacy and effectiveness.
A planned interval means that the reviews are scheduled and predictable: everyone knows when they will take place. I suggest, for example, every four or six months, to give the team and management time to review audit results, discuss recent security incidents, and plan any necessary corrective actions.
Holding several reviews a year lets the teams keep a closer eye on the status of the ISMS and on the actions to be taken.
Elements of a Management Review:
Here are the inputs required by clause 9.3.2 of the standard. They are the points that management must take into consideration for a successful management review, and I present them with a few practical examples:
- Follow-up on previous actions: Review the progress of the actions decided at previous reviews and whether they have had the expected effect on the security program. For example, check the status of the planned corrective actions and their impact on the associated risks.
- Internal and external changes: Consider changes in the organization or its environment, such as new processes, technologies or regulatory requirements, that could affect the ISMS. For example, the introduction of a new technology may require the associated risks to be reassessed.
- Changes in stakeholder needs and expectations: Identify and examine changes in the information security needs and expectations of interested parties, for example through surveys or direct interviews, so that the ISMS stays in line with what the organization and its partners expect. A new confidentiality requirement from a major customer, for instance, may require the security policies to be adapted.
- ISMS performance evaluation: Management should examine the results of internal audits, the security incidents that occurred, the monitoring and measurement results, and the degree to which the defined objectives were met. For example, this may include analyzing key performance indicators (KPIs) such as the change in the number of security incidents over the last period.
- Stakeholder feedback: Incorporate feedback from users, customers, suppliers and other interested parties to assess the effectiveness of the ISMS. For example, customer satisfaction surveys can help measure how the security measures implemented are perceived.
- Risk assessment and risk treatment plan results: Review the results of the risk assessment and the status of the risk treatment plan to ensure that the identified risks are being properly managed. For example, management can check whether any emerging risks have been identified and whether appropriate treatment has been decided.
- Non-conformities and corrective actions: Examine the non-conformities identified during audits and check whether the corrective actions have been implemented and are effective. For example, a non-conformity concerning access management could require the authentication policy to be updated and its application to be followed up.
- Opportunities for improvement: Identify opportunities for continual improvement so that the ISMS adapts to changes in the company and in the information security landscape, and track them over time in a continual improvement log. For example, automating certain security tasks can be an opportunity to improve efficiency and reduce human error.
Items to keep in mind:
- Have a calendar: For example, organize quarterly reviews and a more in-depth annual review. Make sure each review has a clear agenda and defined objectives so that the time is used effectively.
- Ensure stakeholder participation: Invite the participants to prepare reports or discussion points in advance, and define clear roles for everyone during the review. Collaborative tools can also make their active participation easier.
- Use data: Base the review on concrete, measurable elements, such as security-related KPIs, rather than on impressions.
- Prepare an action plan: An effective review should result in a clear action plan, with a designated owner and a deadline for each improvement.
- Communicate the results: Share the findings and the action plan with the stakeholders to ensure transparency and ongoing commitment to the improvement process.
- Follow up proactively: Monitor the actions undertaken between reviews, assess their effectiveness, and adjust them as necessary rather than waiting for the next meeting.
Management Review Success Criteria
To check that the management review is effective, here are some questions an auditor might ask to validate compliance with clause 9.3:
- Do you keep minutes of the management reviews (the standard requires documented information as evidence of the results of each review)?
- What decisions were taken at the last meeting?
- Have corrective actions been successfully implemented and verified?
- Have stakeholders been consulted and their needs taken into account?
- When’s the next meeting?
Remember that the management review is an excellent opportunity for a real conversation between the operational teams and management.
Depending on the size of the organization, management does not always have all the information, or the opportunity to cover every topic. That is why the standard forces the different parts of the organization to talk to each other!
And, of course, it improves the security program through a better understanding of the situation, and keeps the wheel of continual improvement turning.