What is the purpose of the ISO 27001:2013 Management Review?
The value of the information security management system (ISMS) Management Review is often underestimated.
Some may look at it as a tick-box requirement that needs to take place purely to meet ISO 27001 requirement 9.3. However, to really ‘live and breathe’ good information security practices, its role is invaluable.
The purpose of the Management Review is to ensure the ISMS and its objectives remain suitable, adequate and effective given the organisation’s purpose, issues, and risks. These will previously have been addressed within 4.1 The Organisation and its Context, 4.2 The Requirements of Interested Parties, and 6.1 Risk Management.
The results of the management review will enable senior management to make well-informed, strategic decisions that will have a material effect on information security and the way the organisation manages it.
What should be included in the Management Review?
The management review must follow a standard format that looks at the expectations of ISO 27001:2013.
It may also be that the organisation wishes to include other compliance regimes in the review, such as Cyber Essentials, ISO 9001, and other good practices, to facilitate effective reviews and informed decision making.
The ISO 27001 management review should include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) feedback on the information security performance, including trends in:
- nonconformities and corrective actions;
- monitoring and measurement results;
- audit results; and
- fulfillment of information security objectives;
d) feedback from interested parties;
e) results of risk assessment and status of risk treatment plan; and
f) opportunities for continual improvement.
You might also want to add an additional point: g) agree on the audit focus for the coming period. This is optional if you are an agile organisation and not able to fully specify the whole audit programme and plan too far in advance. But bear in mind that some external auditors want more clarity over the whole programme over the certification cycle!
The outputs of the management review should include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Who should attend the management review?
Considering the above, it is clear to see that, given due consideration, the ISO 27001 management review is an indispensable tool for ensuring the ISMS continues to be effective in one of its key objectives, that of mitigating information security risks.
For the ISMS to be effective in an
Typically, an ISMS Board might include the Chief Information Security Officer (CISO), Senior Information Risk Owner (SIRO), Chief Technical Officer and maybe even the CEO.
The outputs of the management review will include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Management review frequency
There is a minimum requirement to conduct a management review once a year, and more frequently if there are any material changes that could affect information security and the ISMS.
However, the frequency will be defined by the management’s requirement to monitor the success of the ISMS. There is also a danger that, the greater the interval, the greater the work that will be involved in reviewing the previous period. It also increases the risk of failure in the ISMS not being identified promptly.
For that reason, we’d recommend monthly, bi-monthly, or even quarterly if your ISMS is quite stable. Certainly, management reviews must take place at planned intervals to ensure the ISMS remains ‘suitable, adequate and effective’.
For those seeking ISO 27001 certification of their ISMS, it’s also important to note there is a requirement to evidence, during the Stage 1 desktop audit, that the regular reviews are taking place.
At ISMS.online we suggest weekly management reviews before the Stage 1 audit, as this will keep your implementation project on track, build the habit, and within one month you will have built up enough evidence, using the easy Management Review programme in the platform, to satisfy the auditor.
How to manage communications and actions
Typically, a management review will involve circulating by email, in advance, the meeting invitations, the agenda, the evidence and reports to be reviewed or to support the review, and the previous items that required action.
During the review, notes can be taken of the findings for subsequent writing up and distribution.
Areas identified for corrective actions and improvements will also need to be documented and tasked to the individuals who will be responsible for completing these actions.
At each step, evidence must be retained to satisfy an external auditor that the review and processes are taking place and being effective.
That’s a lot of emails, a lot of planning and a lot of
Imagine an online management review programme that made it simple to set up your ISMS Board team, simple to schedule reviews and follow a standard agenda, simple to link to previous reviews and all the information needed, and simple to assign and track corrective actions and improvements.
You’re imagining ISMS.online, which makes managing your complete ISMS simple.
Bring everything together in one secure, online environment where you can collaborate with colleagues, capture the required evidence just once and easily navigate to it before, during and after the review.
You don’t even need all board members to be together in one place: conduct it online and save travel time and expense!