To follow ISO 27001 Clause 9.3, a company's top management must review the Information Security Management System (ISMS). The goal is to confirm that the ISMS is still suitable, adequate and effective. This review should happen at planned intervals, for example once a year.
What Is a Management Review?
A management review is a meeting in which top management checks the ISMS. They look at how it is performing and where it can be improved. It is also a way to demonstrate that the company takes information security seriously.
What is ISO 27001 Clause 9.3 Management Review?
The latest version of the ISO 27001 standard is ISO/IEC 27001:2022 (published in October 2022).
In the ISO/IEC 27001:2022 Standard the control is titled “Management Review”.
What is the ISO 27001 Clause 9.3 control objective?
The formal definition and control objective in the standard is:
ISO 27001:2022 Clause 9.3.1 General
Top management shall review the organisation’s information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness.
ISO 27001:2022 Clause 9.3.2 Management Review Inputs
The management review shall include consideration of:
a) the status of actions from previous management reviews;
b) changes in external and internal issues that are relevant to the information security management system;
c) changes in needs and expectations of interested parties that are relevant to the information security management system;
d) feedback on the information security performance, including trends in:
1) nonconformities and corrective actions;
2) monitoring and measurement results;
3) audit results;
4) fulfilment of information security objectives;
e) feedback from interested parties;
f) results of risk assessment and status of risk treatment plan;
g) opportunities for continual improvement.
ISO 27001:2022 Clause 9.3.3 Management Review Results – New clause
The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system.
Documented information shall be available as evidence of the results of management reviews.
What is the purpose of ISO 27001 Clause 9.3?
The purpose of ISO 27001 Clause 9.3 is “To ensure that you have management oversight of the information security management system and that you have documentary evidence to support it.”
Is ISO 27001 Clause 9.3 Mandatory?
ISO 27001 Clause 9.3 (Management Review in the 2022 standard) is a mandatory clause in the main body of the standard.
What Should a Management Review Include?
The management review should include:
- Status of past actions: Check on the tasks agreed at the last review.
- Changes: Look at new internal or external issues, or changes in the company, that might affect the ISMS.
- Feedback: Discuss how the ISMS is performing, including audit results, monitoring and measurement results, nonconformities and feedback from interested parties.
- Risks: Look at the risk assessment results and the status of the risk treatment plan.
- Opportunities to improve: Identify ways to make the ISMS better.
Key Parts of the Rule
To follow this rule, you should have clear plans and policies. Here are some important steps:
- Plan it: Decide when and how often to have the review.
- Gather Info: Get all the needed information ready before the meeting.
- Review: Have the meeting and talk about what you found.
- Make a Plan: Decide on new actions to improve the ISMS.
- Write It Down: Keep clear notes of the meeting, including decisions and actions.
What an Auditor Will Check
An auditor will want to see proof that you are following these rules. They will:
- Look for evidence that management reviews have taken place
- Look for evidence that future management reviews are planned
- Ask for the minutes of the management reviews, including the decisions and actions recorded
Frequently Asked Questions
How often should a management review be held?
You should hold it at least once a year. It can be held more often if things in the company change a lot.
Who should attend the management review?
Top management should lead the review. Other people who know about the ISMS should also attend.
What are the outputs of a management review?
The outputs are decisions and a plan for improving the ISMS. The minutes of the meeting are also an important output, because they are the documented evidence an auditor will ask for.
You can learn more about management reviews and ISO 27001 by watching this video: ISO 27001 Management Review Explained